PHP Adding/Editing DB via FORMS

georgiecasey · #11 (**permalink**) 21-03-2008, 12:43 AM

weird the thing with the br tags. post more source code to have a look. is there any html_entities tag that might be doing this?

Frodo · #12 (**permalink**) 21-03-2008, 12:50 AM

Quote:

Originally Posted by Frodo

It escapes nasty charters in you sql statements. It's essential to stop mysql injection attacks.

Your insert code should look like this:

PHP Code:

  $content = $_POST['content'];
$dbcontent = mysql_escape_string($content);
$sql="insert into some_table(msContent) values ('".$dbcontent."')";
$result = mysql_query($sql,$conn) or die("Fail");

It should go before your insert/update. It will turn this

Code:

insert into some_table(msContent) values ('This is some content with " in it and  ' in it and things like that')

into

Code:

insert into some_table(msContent) values ('This is some content with \" in it and  \' in it and things like that')

It sounds like you have other functions that are causing this problem, like the html_entities function that goergie mentions.

ziycon · #13 (**permalink**) 21-03-2008, 12:51 AM

Quote:

Originally Posted by georgiecasey

weird the thing with the br tags. post more source code to have a look. is there any html_entities tag that might be doing this?

Nope now html tags, below is the full code for adding a news article.

PHP Code:

  <?php
include('forum/SSI.php');

dbConnect();
?>
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<title><?php if($context['user']['is_logged'])
            {
                $validate_admin = check_admin_userid($context['user']['id']);
                $validate = check_sec_admin_userid($context['user']['id'],2);
                if(($validate == true) || ($validate_admin == true))
                {
                    echo 'add article';
                }
                else
                {
                    echo 'error';
                }
            }
            else
            {
                echo 'error';
            }
            echo get_prop("site_title_name");?></title>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<meta name='description' content="The IGaming Network is an Online Gaming Network. We bring you the latest news and gossip on the gaming scene.">
<meta name='keywords' content="ign,irish gaming network,games,ireland,eire,computer,console,psp,ps1,ps2,ps3,xbox,xbox 360,360,nintendo,sony,wii,ds,sega,lan,lans,gaming,consoles">
<meta name="verify-v1" content="2ZcOX3yYQeGDQ0iUCnvKkr0yPMcJxDA2Y+bnSCR90M0=">
<link href="sys_config/style.css" rel="stylesheet" type="text/css">
<link href="sys_config/app_style.css" rel="stylesheet" type="text/css">
<link rel="shortcut icon" type="image/ico" href="images/layout/igaming-network.ico">
<?php display_favicon(); ?>
<script type="text/javascript" src="../sys_config/jscripts/tiny_mce/tiny_mce.js"></script>
<script language="javascript" type="text/javascript">
tinyMCE.init({
    mode : "textareas",
    theme : "advanced",
    theme_advanced_buttons1 : "",
    theme_advanced_buttons2 : "",
    theme_advanced_buttons3 : "",
    theme_advanced_toolbar_location : "top",
    theme_advanced_toolbar_align : "left",
    extended_valid_elements : "a[name|href|target|title|onclick],img[class|src|border=0|alt|title|hspace|vspace|width|height|align|onmouseover|onmouseout|name],hr[class|width|size|noshade],font[face|size|color|style],span[class|align|style]"
});
</script>
<script language="javascript">
<!--
var submitted = 0;
function checkform() {
    if(document.add_article.title.value == '') {
        alert("Please enter an article title!");
        return false;
    }
    if(document.add_article.body_text.value == '') {
        alert("Please enter the body of the article!");
        return false;
    }
    if(document.add_article.image.value == '') {
        alert("Please select an article image!");
        return false;
    }
}
//-->
</script>

</head>
<?php site_header(); 
            if($context['user']['is_logged'])
            {
                $validate_admin = check_admin_userid($context['user']['id']);
                $validate = check_sec_admin_userid($context['user']['id'],2);
                if(($validate == true) || ($validate_admin == true))
                {
?>
            <div id="body_left">
                <div id="wrapper">
                    <div id="page_title">»&nbsp;add news</div>
                    <div id="body_wrapper">
                        <form name="add_article" method="post" action="addNews.php" enctype="multipart/form-data" onsubmit="return checkform();">
                <input type="hidden" name="table" value="'.$table.'">
                <div class="edit_item_wrapper"><div class="edit_item_name">Title:</div><div class="edit_item_detail"><input type="text" name="title" value="" size="50" class="form"></div></div>
                <div class="edit_item_wrapper">
                    <div class="edit_item_name">Body:</div>
                    <div class="edit_item_detail">
                        <textarea name="body_text" rows="40" cols="50"></textarea>    
                    </div>
                </div>    
                <div class="edit_item_wrapper">
                    <div class="edit_item_name">Image:</div>
                    <div class="edit_item_detail">
                        <input type="hidden" name="MAX_FILE_SIZE" value="100000">
                        <input type="file" name="image" size="50" maxlength="100" class="form"> Size: 130 x 78
                    </div>
                </div>
                <div class="edit_item_wrapper"><div class="edit_item_name"><input type="submit" value="Add Article" class="form">&nbsp;<input type="reset" value="Clear" class="form"></div></div>
            </form>
                    </div>
                </div>
            </div>
<?php
                }
            }
            else
            {
                error();
            }
site_footer();
closeConnect();
?>

addNews.php

PHP Code:

  <?php
header("Location: ../news/1.htm");
include('../forum/SSI.php');

dbConnect();

global $context;

if($context['user']['is_logged'])
{
    $validate_admin = check_admin_userid($context['user']['id']);
    $validate = check_sec_admin_userid($context['user']['id'],2);
    if(($validate == true) || ($validate_admin == true))
    {
        $target_path = "../images/news/";
        $target_path = $target_path . basename($_FILES['image']['name']);
        
        if(move_uploaded_file($_FILES['image']['tmp_name'], $target_path))
        {
            mysql_query("INSERT INTO ".$_REQUEST['table']." VALUES (NULL,'".$_REQUEST['title']."','".$_REQUEST['body_text']."','".date("Y-m-d")."','".date("G:i:s")."','".basename($_FILES['image']['name'])."',1,'".$_SERVER['REMOTE_ADDR']."')");
        }
    }
}

closeConnect();
?>

Frodo · #14 (**permalink**) 21-03-2008, 01:19 AM

A) Have you tried turning TinyMCE off to make sure it's not doing it.

B) This is different code that the first piece you posted.

C) Change this:

PHP Code:

          if(move_uploaded_file($_FILES['image']['tmp_name'], $target_path))
        {
            mysql_query("INSERT INTO ".$_REQUEST['table']." VALUES (NULL,'".$_REQUEST['title']."','".$_REQUEST['body_text']."','".date("Y-m-d")."','".date("G:i:s")."','".basename($_FILES['image']['name'])."',1,'".$_SERVER['REMOTE_ADDR']."')");
        }

to

PHP Code:

          if(move_uploaded_file($_FILES['image']['tmp_name'], $target_path))
        {
            $content = $_REQUEST['body_text'];
            $content = mysql_escape_string($content);
            mysql_query("INSERT INTO ".$_REQUEST['table']." VALUES (NULL,'".$_REQUEST['title']."','".$content."','".date("Y-m-d")."','".date("G:i:s")."','".basename($_FILES['image']['name'])."',1,'".$_SERVER['REMOTE_ADDR']."')");
        }

ziycon · #15 (**permalink**) 21-03-2008, 01:57 AM

Quote:

Originally Posted by Frodo

A) Have you tried turning TinyMCE off to make sure it's not doing it.

B) This is different code that the first piece you posted.

C) Change this:

PHP Code:

          if(move_uploaded_file($_FILES['image']['tmp_name'], $target_path))
        {
            mysql_query("INSERT INTO ".$_REQUEST['table']." VALUES (NULL,'".$_REQUEST['title']."','".$_REQUEST['body_text']."','".date("Y-m-d")."','".date("G:i:s")."','".basename($_FILES['image']['name'])."',1,'".$_SERVER['REMOTE_ADDR']."')");
        }

to

PHP Code:

          if(move_uploaded_file($_FILES['image']['tmp_name'], $target_path))
        {
            $content = $_REQUEST['body_text'];
            $content = mysql_escape_string($content);
            mysql_query("INSERT INTO ".$_REQUEST['table']." VALUES (NULL,'".$_REQUEST['title']."','".$content."','".date("Y-m-d")."','".date("G:i:s")."','".basename($_FILES['image']['name'])."',1,'".$_SERVER['REMOTE_ADDR']."')");
        }

Same thing happens when i disable TinyMCE(never had a problem before with it) also that code snippet you suggested there, i've tried it and same thing still happens!
I feel like crying!

ziycon · #16 (**permalink**) 21-03-2008, 02:16 AM

Ok Frodo, that seems to work on adding a new article, but when i edit it the same old thing is happening, below is the update page:

PHP Code:

  <?php
header("Location: ../news/1.htm");
include('../forum/SSI.php');

dbConnect();

global $context;

if($context['user']['is_logged'])
{
    $validate_admin = check_admin_userid($context['user']['id']);
    $validate = check_sec_admin_userid($context['user']['id'],2);
    if(($validate == true) || ($validate_admin == true))
    {
        $content = $_REQUEST['body'];
        $content = mysql_escape_string($content);
        mysql_query("UPDATE news SET title='".$_GET['title']."', body='".$content."'  WHERE id=".$_GET['id']."");
    }
}

closeConnect();
?>

ziycon · #17 (**permalink**) 13-05-2008, 11:16 AM

Sorry to bring back the dead, this was never fixed and now that i have time, im trying to sort it out, its adding in a slash for every single or double quote in the text when adding a new item and editing pages.
I've tried absolutly everything with now joy, maybe someone out there has had this problem before....anyone??

louie · #18 (**permalink**) 13-05-2008, 11:24 AM

that is normal as you are using "mysql_escape_string"

try using stripslashes($str) when displaying or convert the text

PHP Code:

  function unhtmlentities ($string) {
  // Get HTML entities table
  $trans_tbl = get_html_translation_table (HTML_ENTITIES, ENT_QUOTES);
  foreach($trans_tbl as $key => $value){
   $trans_tbl[$key] = "&#". ord($key) . ";";
  }
  $trans_tbl[chr(38)] = "&";
  return strtr($string,$trans_tbl);
  }