• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 232

php echo html form coding problem syntax

I am trying to change a form to use
html entities
I am not sure how to write the code correctly!
echo'<form enctype="multipart/form-data" method="post">
        Maximum accepted filesize is '.(intval($maxsize/1024)).' KB.<br>
        You can upload only JPG and PNG pics<br><br>
        Photo Name:<br><input name="update_photo_title" type="text" size="20"><br>
I would like to change the line below to use html entities
Photo Description:<br><textarea name="update_photo_text" rows="3" cols="65"></textarea>
I have this from another script, between <html></html>
<p><textarea name="update_photo_text" rows="8" cols="65"><?php print htmlentities($_GET['update_photo_text']); ?></textarea></p>
I know that I am using POST and not GET, so GET should be POST!
I tried to change this line, to get it to work within the <?php echo''; ?>
can you tell me how to fix this?

2. Should I re-code this line above
Photo Name:<br><input name="update_photo_title" type="text" size="20"><br>
to incorporate html entities?

Upload:<br><input name="userfile" type="file" size="40"><br>
       <input type="submit" value="  Upload File  " name="submit">

in the sql statement I would like to add

3. For security, can I use '".mysqli_real_escape_string($mysqli,$ID)."' in the sql statement, or is this only for use with the GET method? Should I use this with all sql insertion/updates of data?
1 Solution
1 & 2: Assuming it's part of your original echo statement:

echo'<form enctype="multipart/form-data" method="post">
        Maximum accepted filesize is '.(intval($maxsize/1024)).' KB.<br>
        You can upload only JPG and PNG pics<br><br>
        Photo Name:<br><input name="update_photo_title" type="text" size="20" value="'.htmlentities($_POST['update_photo_title']).'"><br>
Photo Description:<br><textarea name="update_photo_text" rows="3" cols="65">'.htmlentities($_POST['update_photo_text']).'</textarea>';

Long strings can get confusing, particularly when most of it is static (unchanging). I would recommend something like this:

?><form enctype="multipart/form-data" method="post">
        Maximum accepted filesize is <?php echo intval($maxsize/1024); ?> KB.<br />
        You can upload only JPG and PNG pics<br /><br />
        Photo Name:<br /><input name="update_photo_title" type="text" size="20" value="<?php echo htmlentities($_POST['update_photo_title']); ?>" /><br />
Photo Description:<br /><textarea name="update_photo_text" rows="3" cols="65"><?php echo htmlentities($_POST['update_photo_text']); ?></textarea><?php

(I've assumed you would put that in the middle of a PHP active area (between <?php and ?>) otherwise, just drop the ?> and <?php from either end)

Yes, you should definitely use mysqli_real_escape_string in all your SQL statements, both GET and POST. (Make sure that MAGIC_QUOTES_GPC is off or you'll get double quoting, like:
Ain\\'t SQL grand)

I think I've suggested this to you before, but I really have to recommend you have a look at adding something like ADOdb in your site. It makes database access
Woops, accidentally submitted the form. Anyway, ADOdb at http://adodb.sourceforge.net/
It's quick and easy to set up and takes the pain out of quoting your strings (if you use the method shown below it handles that for you). You could use something like this:

$db->Execute("UPDATE photos SET title = ?, text = ? WHERE id = ?", array($_POST['update_photo_title'], $_POST['update_photo_text'], $_POST['photo_id']));

It also makes things easier if you are good with arrays. After telling ADOdb to return associative arrays:

You can use things like
  $photo = $db->GetRow("SELECT * FROM photos WHERE id = ?", array($id));
And then use
  $photo['text'] and $photo['title']

And my favourite usage is something like this:
$num_photos = $db->GetOne("SELECT COUNT(*) FROM photos");
Now $num_photos has the number of photos in the database.

Accessing databases should be easy. I would recommend ignoring the Recordset stuff in ADOdb to start with, because it can complicate things further.
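As an added example (not code from the original thread or from ADOdb), here is the upload form from the question rebuilt so that previously posted values are re-displayed safely. The field names, $maxsize and the POST keys come from the question; the esc() helper, the $maxsize value and the use of htmlspecialchars() with ENT_QUOTES in place of htmlentities() are assumptions for this example. ENT_QUOTES matters because a value echoed inside a double-quoted attribute must have both quote characters encoded, not just < and >.

```php
<?php
// Added example, not from the original thread. Re-displays submitted form
// values with proper HTML encoding so that user input cannot break out of
// the attribute or textarea it is echoed into.

// Encode a value for HTML output. ENT_QUOTES encodes both ' and " in
// addition to & < >, which is what an attribute value needs. The charset
// argument must match the page's declared charset. (Assumed helper.)
function esc(?string $value): string
{
    return htmlspecialchars($value ?? '', ENT_QUOTES, 'UTF-8');
}

$maxsize = 2 * 1024 * 1024;   // constructed value for the example: 2 MB

// Previously posted values, if any. The null-coalescing operator avoids
// "undefined index" notices on the first (GET) visit to the page.
$title = $_POST['update_photo_title'] ?? '';
$text  = $_POST['update_photo_text'] ?? '';
?>
<form enctype="multipart/form-data" method="post">
    Maximum accepted filesize is <?php echo intval($maxsize / 1024); ?> KB.<br />
    You can upload only JPG and PNG pics<br /><br />
    Photo Name:<br />
    <input name="update_photo_title" type="text" size="20" value="<?php echo esc($title); ?>" /><br />
    Photo Description:<br />
    <textarea name="update_photo_text" rows="3" cols="65"><?php echo esc($text); ?></textarea><br />
    Upload:<br /><input name="userfile" type="file" size="40" /><br />
    <input type="submit" value="  Upload File  " name="submit" />
</form>
```

The same esc() call is used for the input's value attribute and for the textarea body; the encoding is context-specific to HTML, so it is the right tool for output into the page but has nothing to do with SQL quoting, which is a separate step handled at the database layer.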
derekstattin (Author) commented:
Thanks for the comments and for the help with the form!

I will definitely get ADOdb,

Can you help me with the syntax? I have been stuck when I use

$updatephoto_sql = "UPDATE profile set (photo_title, photo_create_time, photo_text, photo_name ) VALUES ('".mysqli_real_escape_string($mysqli,$update_photo_title)."', now(), '".mysqli_real_escape_string($mysqli,$update_photo_text)."','$photo_name') where ID='$ID'";

I get the sql error

You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '(photo_title, photo_create_time, photo_text, photo_name ) VALUES ('ggggggggg', n' at line 1


Ok. UPDATE works differently from INSERT

To keep things simple and clean I'll just show some basic SQL statements based on above, rather than containing all the extra clutter:

UPDATE profile SET photo_title = 'ggggg', photo_create_time = '2007-07-23 13:45:12', photo_text = 'This is my photo' WHERE ID = '5';

So simply include column = value pairs (separated by a comma) for each of the columns you want to update. A cut-down version of the syntax from the MySQL documentation is

UPDATE tbl_name
    SET col_name1=expr1 [, col_name2=expr2 ...]
    [WHERE where_condition]

Anything in square brackets is optional.

Also, remember that you can look up the syntax of SQL at:

If you fix your statement to use the correct syntax you should be right.
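As an added example (not code from the original thread), the UPDATE from the follow-up question rewritten with the correct column = value syntax and a mysqli prepared statement. Placeholders keep the POSTed values out of the SQL text entirely, which answers question 3 without any mysqli_real_escape_string calls and makes the MAGIC_QUOTES double-quoting problem irrelevant. The table and column names (profile, photo_title, photo_create_time, photo_text, photo_name, ID) come from the question; the function name, the connection details, the photo_id POST key and the generated file name are assumptions for this example.

```php
<?php
// Added example, not from the original thread: parameterised UPDATE with mysqli.

// Update one profile row. Throws on failure so errors are not silently lost.
// (Assumed function name; table and column names are from the question.)
function update_profile_photo(mysqli $mysqli, int $id, string $title, string $text, string $photoName): bool
{
    // UPDATE takes column = value pairs; the (cols) VALUES (...) form belongs to INSERT.
    // Each ? is a placeholder bound below, so no quoting of the values is needed.
    $sql = 'UPDATE profile
               SET photo_title = ?, photo_create_time = NOW(), photo_text = ?, photo_name = ?
             WHERE ID = ?';

    $stmt = $mysqli->prepare($sql);
    if ($stmt === false) {
        throw new RuntimeException('prepare failed: ' . $mysqli->error);
    }

    // Type string 'sssi': three string parameters and one integer, in placeholder order.
    $stmt->bind_param('sssi', $title, $text, $photoName, $id);

    if (!$stmt->execute()) {
        $error = $stmt->error;
        $stmt->close();
        throw new RuntimeException('execute failed: ' . $error);
    }
    $stmt->close();
    return true;
}

// Usage with the form fields from the question. Credentials are constructed
// placeholders; set_charset() should always be called right after connecting.
$mysqli = new mysqli('localhost', 'db_user', 'db_password', 'db_name');
$mysqli->set_charset('utf8mb4');

update_profile_photo(
    $mysqli,
    (int) ($_POST['photo_id'] ?? 0),          // assumed hidden field carrying the row ID
    $_POST['update_photo_title'] ?? '',
    $_POST['update_photo_text'] ?? '',
    'photo_' . bin2hex(random_bytes(8)) . '.jpg'  // server-chosen name, not the uploaded filename
);
```

Note that the original string-built version also interpolated $photo_name and $ID without escaping; with placeholders every value, not just the two that were escaped, is passed separately from the SQL. If some statements are still built by concatenation with mysqli_real_escape_string(), the set_charset() call must happen first, because that function escapes according to the connection's character set.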