php - LIKE statement passes wrong character in excel -

-

my idea search query after click image button redirect query excel code

here code image button

$expquery = select * reginformation name '%da%' , deleted = 0; //this example query <a id="exportbutton" style="margin-left:5px;" href="reglisttoexcel.php?query=<?php echo $expquery ?> " ><img src="images/export_to_excel.png" style="margin-left:0px; width:5%" title='download list'></a>

the code reglisttoexcel.php

<?php header('content-type: application/excel');                                   header('content-disposition: attachment; filename="eventregistrationlogs('.date("y-m-d").').xls"'); ?> <html> <table border=2> <tr> <th>registration id</th><th>name</th><th>gender</th><th>age</th><th>birthdate</th><th>address</th> <th>email address</th><th>employment status</th><th>contact no.</th><th>facebook</th> <th>twitter</th><th>instagram</th><th>event</th> <th>where did hear event?</th><th>photo link</th><th>province</th><th>friend's name</th> <th>friend's email address</th><th>friend's name</th> <th>friend's email address</th><th>date registered</th> </tr> <?php include("dbcon.php"); $query=$_get['query']; echo "$query"; $export = mysql_query($query) or die(mysql_error()); $bgcolor = "f6f7ea";              while($data=mysql_fetch_array($export))                  {                         if ($bgcolor == "ecefd7")                         {                          $bgcolor = "f6f7ea";                          }                     else                          {                          $bgcolor = "ecefd7";                          }                     if($data['province'] == "")                         {                                    $province = "";                         }                     else                     {                         $query = "select province province provid = $data[province]";                     $result = mysql_query($query) or die(mysql_error());                     $row = mysql_fetch_array($result);                     $province = $row['province'];                     }             ?>                        <tr><td width="1000px" style="background-color:#<?echo $bgcolor;?>;>"><?php echo $data['regid']?></td>                     <td style="background-color:#<?echo $bgcolor;?>;>"><?php echo $data['name']?></td>                     <td style="background-color:#<?echo $bgcolor;?>;>"><?php echo $data['gender']?></td>                     <td style="background-color:#<?echo $bgcolor;?>;>"><?php echo $data['age']?></td>                     <td style="background-color:#<?echo $bgcolor;?>;>"><?php echo $data['bdate']?></td>                     <td style="background-color:#<?echo $bgcolor;?>;>"><?php echo $data['address']?></td>                     <td style="background-color:#<?echo $bgcolor;?>;>"><?php echo $data['emailadd']?></td>                     <td style="background-color:#<?echo $bgcolor;?>;>"><?php echo $data['employmentstatus']?></td>                     <td style="background-color:#<?echo $bgcolor;?>;>"><?php echo $data['contactno']?></td>                     <td style="background-color:#<?echo $bgcolor;?>;>"><?php echo $data['facebook']?></td>                     <td style="background-color:#<?echo $bgcolor;?>;>"><?php echo $data['twitter']?></td>                     <td style="background-color:#<?echo $bgcolor;?>;>"><?php echo $data['instagram']?></td>                     <td style="background-color:#<?echo $bgcolor;?>;>"><?php echo $data['event']?></td>                     <td style="background-color:#<?echo $bgcolor;?>;>"><?php echo $data['wherehearevent']?></td>                     <td style="background-color:#<?echo $bgcolor;?>;>"><?php echo $data['photolink']?></td>                     <td style="background-color:#<?echo $bgcolor;?>;>"><?php echo $province?></td>                     <td style="background-color:#<?echo $bgcolor;?>;>"><?php echo $data['referfriend1']?></td>                     <td style="background-color:#<?echo $bgcolor;?>;>"><?php echo $data['referemail1']?></td>                     <td style="background-color:#<?echo $bgcolor;?>;>"><?php echo $data['referfriend2']?></td>                     <td style="background-color:#<?echo $bgcolor;?>;>"><?php echo $data['referemail2']?></td>                     <td style="background-color:#<?echo $bgcolor;?>;>"><?php echo $data['date_register']?></td>                     </tr> <?php   } ?> </table> </body> </html>

the query gives excel
select * reginformation name 'Ú%' , deleted = 0
how can fix this?

one of fundamental issues example query not escaped before being passed through subsequent page.

in particular, it's worth using php's "htmlentities" function on $expquery, , validating what's being passed through request. browser tool firebug can this.

additionally, code subject arbitrary sql injection attacks. should using mysqli_escape_string on query (and, ideally, passing through parts dynamic).


Comments

Post a Comment

Popular posts from this blog

dns - How To Use Custom Nameserver On Free Cloudflare? -

-
i have problem. i own small hosting company. trying add cloudflare site free cdn. problem when sign have change nameservers nameservers. have nameserver dns set through godaddy, how add them cloudflare? main site uses company's nameservers whenever add them site goes offline. when go cloudflare's dns records click on dropdown, click ns, , there's 2 boxes 'name' , 'nameserver'. mean input 'ns1' 'name' , 'ns1.domain.com' 'nameserver'? input server's ip addresses? is there way of accomplishing free version of cloudflare? that impossible. option have custom name servers available on business , enterprise. see https://www.cloudflare.com/plans . also, might mistaken. must change name servers in domain register settings, not on cloudflare.
Read more

python - Pygame screen.blit not working -

-
in program creating in python/pygame, screen.blit not working. in other programs have made, screen.blit works. error: traceback (most recent call last): file "c:...\main.py", line 46, in <module> screen.blit(sight.image, sight.rect) attributeerror: 'int' object has no attribute 'blit' the error in question caused screen variable being allocated integer instead of pygame.surface() object.perhaps accidentally rewrote variable somewhere? from can make of doing, seems stating position of blit full rect instead of coordinate. when do: screen.blit(sight.image,sight.rect) what program seeing is: screen.blit(sight.image,(sight.rect.x,sight.rect.y,sight.rect.width,sight.rect.height)) i assuming don't intend this. remember rect object consists of position, width , height. to correct code, put (sight.rect.x,sight.rect.y) location goes instead this: screen.blit(sight.image,(sight.rect.x,sight.rect.y)) the .x , .y corres
Read more

c# - Web API response xml language -

-
i having simple post url clients send post request. http://mydomain.com/requests/request post data: <request> <orderid>1e008921</orderid> <ordername>mc1</ordername> </request> to respond sending them xml <srequest> <requestedby>client 1 </requestedby> <requestname>test name</requestname> <requeststatus>success</requeststatus> <srequest> now client wants above xml in different language (say french ) how handle ? how send response language preference in web api ? specially post scenario ? (append language string ? or best practices ?) i suggest either include in url: http://mydomain.com/fr/requests/request or use http header accept-language . read more in answer to: good way changing language resources dynamically request
Read more