PHP Adding/Editing DB via FORMS

Discussion in 'Coding Help' started by ziycon, Mar 20, 2008.

  1. ziycon

    ziycon New Member

    The situation is, I'm using a normal HTML form in a PHP page. The problem is when I add text to the textarea and submit it to the DB, and then query it to show up on the next page, the <br> tags (these tags are entered manually into the textarea before submitting) show up in the text, the &nbsp; characters show up also, and anything after a double quote is not stored in the DB. The field is defined as a text type!
    Any help would be much appreciated as always.
     
  2. CiaranR

    CiaranR Weeno Ltd + Skimlinks.com

  3. ziycon

    ziycon New Member

    Not that I'm aware of, what exactly does it do? Tried to make sense of it but couldn't!?
     
  4. CiaranR

    CiaranR Weeno Ltd + Skimlinks.com

    It escapes nasty characters in your SQL statements. It's essential to stop MySQL injection attacks.

    Your insert code should look like this:

    PHP:
    $content = $_POST['content'];
    $dbcontent = mysql_escape_string($content);
    $sql = "insert into some_table(msContent) values ('".$dbcontent."')";
    $result = mysql_query($sql,$conn) or die("Fail");
     
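    The same "store the posted body" step, written with a parameterised query instead of escaping into a string. This is an added example, not code from the thread or from the poster's site: it uses PDO with an in-memory SQLite database so it runs without a MySQL server, and the table and column names (some_table, msContent) are the ones used in the post above. It shows that quotes, backslashes and hand-typed <br> tags round-trip unchanged when the value never becomes part of the SQL text, and, for comparison, what the quoted literal that string-concatenation code must build looks like.

```php
<?php
// Added example (not from the thread). Requires PHP 7.1+ with the pdo_sqlite extension.

function openDb(): PDO
{
    $pdo = new PDO('sqlite::memory:');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    // Table/column names taken from the post; the schema itself is constructed here.
    $pdo->exec('CREATE TABLE some_table (id INTEGER PRIMARY KEY, msContent TEXT NOT NULL)');
    return $pdo;
}

// Store the body exactly as submitted. The value is bound as a parameter, so it is never
// part of the SQL text: no escaping on the way in, no stripslashes() on the way out.
function insertContent(PDO $pdo, string $content): int
{
    $stmt = $pdo->prepare('INSERT INTO some_table (msContent) VALUES (:content)');
    $stmt->execute([':content' => $content]);
    return (int) $pdo->lastInsertId();
}

function fetchContent(PDO $pdo, int $id): ?string
{
    $stmt = $pdo->prepare('SELECT msContent FROM some_table WHERE id = :id');
    $stmt->execute([':id' => $id]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row['msContent'];
}

// For comparison only: the literal that concatenation-style code has to build by hand.
// PDO::quote() does for the current driver what mysql_escape_string() did for MySQL;
// a prepared statement makes this step unnecessary.
function quotedLiteral(PDO $pdo, string $content): string
{
    return 'INSERT INTO some_table (msContent) VALUES (' . $pdo->quote($content) . ')';
}

// Constructed sample input of the kind the thread describes: both quote styles,
// a backslash, and <br> tags typed straight into the textarea.
$sample = "He said \"hi\" and it's <br>fine\\done";

$pdo  = openDb();
$id   = insertContent($pdo, $sample);
$back = fetchContent($pdo, $id);

var_dump($back === $sample);              // true: nothing truncated, no slashes added
echo quotedLiteral($pdo, $sample), "\n";  // the escaped literal, for comparison
```

    The double quote in the sample is the character the first post says loses everything after it; with a bound parameter it is just data. The quoted-literal line is there only to make the escaping visible: the stored value is produced by insertContent(), which never sees that string.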
  5. ziycon

    ziycon New Member

    No need to worry about SQL injection attacks on the pages in question, they're secure enough already, so if I have something like so it should work?
    PHP:
    <?php
    header("Location: ../news/1.htm");
    include('../forum/SSI.php');

    dbConnect();

    global $context;

    if($context['user']['is_logged'])
    {
        $validate_admin = check_admin_userid($context['user']['id']);
        $validate = check_sec_admin_userid($context['user']['id'],2);
        if(($validate == true) || ($validate_admin == true))
        {
            // body is escaped; title and id are interpolated as received
            $content = mysql_escape_string($_REQUEST['body']);
            mysql_query("UPDATE news SET title='".$_GET['title']."', body='".$content."'  WHERE id=".$_GET['id']."");
        }
    }

    closeConnect();
    ?>
    Tried this but the stripslashes function is not working when displaying the text now!?
     
  6. Forbairt

    Forbairt Portfolio Building

    Famous last words :D
     
  7. ziycon

    ziycon New Member

    They should be fine, you have to be logged in and have admin rights then to even view the pages!

    I read something about putting '<br>' tags into textareas and it then not being the right encoding type, but I have the same thing set up on another site and it will accept these tags and double quotes etc. no problem, can't seem to figure it out!?
     
  8. CiaranR

    CiaranR Weeno Ltd + Skimlinks.com

    You shouldn't need the stripslashes function or the addslashes function when you are using mysql_escape_string function.
     
  9. ziycon

    ziycon New Member

    Ok, i'll have a look at it when i get home, thanks.
     
  10. ziycon

    ziycon New Member

    Ok, still not working. If I add data directly to the DB it shows up fine, but if I add it via a webpage or edit it via a webpage, either slashes start showing up, everything after double quotes disappears, or the html tags are converted from '<br>' to '&lt;br&gt;'!
    I'm not understanding this mysql_escape_string function, where's it meant to go, before data enters the DB or after, or what does it even do? Tried php.net but sometimes they word things difficult enough!?
     
  11. georgiecasey

    georgiecasey New Member

    weird the thing with the br tags. post more source code to have a look. is there any html_entities tag that might be doing this?
     
  12. CiaranR

    CiaranR Weeno Ltd + Skimlinks.com

    It should go before your insert/update. It will turn this

    Code:
    insert into some_table(msContent) values ('This is some content with " in it and  ' in it and things like that')
    into

    Code:
    insert into some_table(msContent) values ('This is some content with \" in it and  \' in it and things like that')
    It sounds like you have other functions that are causing this problem, like the html_entities function that Georgie mentions.
     
  13. ziycon

    ziycon New Member

    Nope, no html tags. Below is the full code for adding a news article.
    PHP:
    <?php
    include('forum/SSI.php');

    dbConnect();
    ?>
    <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
    <html>
    <head>
    <title><?php if($context['user']['is_logged'])
                {
                    $validate_admin = check_admin_userid($context['user']['id']);
                    $validate = check_sec_admin_userid($context['user']['id'],2);
                    if(($validate == true) || ($validate_admin == true))
                    {
                        echo 'add article';
                    }
                    else
                    {
                        echo 'error';
                    }
                }
                else
                {
                    echo 'error';
                }
                echo get_prop("site_title_name");?></title>
    <meta http-equiv="Content-Type" content="text/html; charset=utf-8">
    <meta name='description' content="The IGaming Network is an Online Gaming Network. We bring you the latest news and gossip on the gaming scene.">
    <meta name='keywords' content="ign,irish gaming network,games,ireland,eire,computer,console,psp,ps1,ps2,ps3,xbox,xbox 360,360,nintendo,sony,wii,ds,sega,lan,lans,gaming,consoles">
    <meta name="verify-v1" content="2ZcOX3yYQeGDQ0iUCnvKkr0yPMcJxDA2Y+bnSCR90M0=">
    <link href="sys_config/style.css" rel="stylesheet" type="text/css">
    <link href="sys_config/app_style.css" rel="stylesheet" type="text/css">
    <link rel="shortcut icon" type="image/ico" href="images/layout/igaming-network.ico">
    <?php display_favicon(); ?>
    <script type="text/javascript" src="../sys_config/jscripts/tiny_mce/tiny_mce.js"></script>
    <script language="javascript" type="text/javascript">
    tinyMCE.init({
        mode : "textareas",
        theme : "advanced",
        theme_advanced_buttons1 : "",
        theme_advanced_buttons2 : "",
        theme_advanced_buttons3 : "",
        theme_advanced_toolbar_location : "top",
        theme_advanced_toolbar_align : "left",
        extended_valid_elements : "a[name|href|target|title|onclick],img[class|src|border=0|alt|title|hspace|vspace|width|height|align|onmouseover|onmouseout|name],hr[class|width|size|noshade],font[face|size|color|style],span[class|align|style]"
    });
    </script>
    <script language="javascript">
    <!--
    var submitted = 0;
    function checkform() {
        if(document.add_article.title.value == '') {
            alert("Please enter an article title!");
            return false;
        }
        if(document.add_article.body_text.value == '') {
            alert("Please enter the body of the article!");
            return false;
        }
        if(document.add_article.image.value == '') {
            alert("Please select an article image!");
            return false;
        }
    }
    //-->
    </script>

    </head>
    <?php site_header();
                if($context['user']['is_logged'])
                {
                    $validate_admin = check_admin_userid($context['user']['id']);
                    $validate = check_sec_admin_userid($context['user']['id'],2);
                    if(($validate == true) || ($validate_admin == true))
                    {
    ?>
                <div id="body_left">
                    <div id="wrapper">
                        <div id="page_title">»&nbsp;add news</div>
                        <div id="body_wrapper">
                            <form name="add_article" method="post" action="addNews.php" enctype="multipart/form-data" onsubmit="return checkform();">
                    <!-- as posted this read value="'.$table.'" inside plain HTML, which submits that literal string; $table must be set in PHP before this point -->
                    <input type="hidden" name="table" value="<?php echo $table; ?>">
                    <div class="edit_item_wrapper"><div class="edit_item_name">Title:</div><div class="edit_item_detail"><input type="text" name="title" value="" size="50" class="form"></div></div>
                    <div class="edit_item_wrapper">
                        <div class="edit_item_name">Body:</div>
                        <div class="edit_item_detail">
                            <textarea name="body_text" rows="40" cols="50"></textarea>    
                        </div>
                    </div>    
                    <div class="edit_item_wrapper">
                        <div class="edit_item_name">Image:</div>
                        <div class="edit_item_detail">
                            <input type="hidden" name="MAX_FILE_SIZE" value="100000">
                            <input type="file" name="image" size="50" maxlength="100" class="form"> Size: 130 x 78
                        </div>
                    </div>
                    <div class="edit_item_wrapper"><div class="edit_item_name"><input type="submit" value="Add Article" class="form">&nbsp;<input type="reset" value="Clear" class="form"></div></div>
                </form>
                        </div>
                    </div>
                </div>
    <?php
                    
    }
                }
                else
                {
                    
    error();
                }
    site_footer();
    closeConnect();
    ?>
    addNews.php
    PHP:
    <?php
    header("Location: ../news/1.htm");
    include('../forum/SSI.php');

    dbConnect();

    global $context;

    if($context['user']['is_logged'])
    {
        $validate_admin = check_admin_userid($context['user']['id']);
        $validate = check_sec_admin_userid($context['user']['id'],2);
        if(($validate == true) || ($validate_admin == true))
        {
            $target_path = "../images/news/";
            $target_path = $target_path . basename($_FILES['image']['name']);

            if(move_uploaded_file($_FILES['image']['tmp_name'], $target_path))
            {
                // every request value here goes into the SQL string as received
                mysql_query("INSERT INTO ".$_REQUEST['table']." VALUES (NULL,'".$_REQUEST['title']."','".$_REQUEST['body_text']."','".date("Y-m-d")."','".date("G:i:s")."','".basename($_FILES['image']['name'])."',1,'".$_SERVER['REMOTE_ADDR']."')");
            }
        }
    }

    closeConnect();
    ?>
     
  14. CiaranR

    CiaranR Weeno Ltd + Skimlinks.com

    A) Have you tried turning TinyMCE off to make sure it's not doing it?

    B) This is different code than the first piece you posted.

    C) Change this:

    PHP:
            if(move_uploaded_file($_FILES['image']['tmp_name'], $target_path))
            {
                
    mysql_query("INSERT INTO ".$_REQUEST['table']." VALUES (NULL,'".$_REQUEST['title']."','".$_REQUEST['body_text']."','".date("Y-m-d")."','".date("G:i:s")."','".basename($_FILES['image']['name'])."',1,'".$_SERVER['REMOTE_ADDR']."')");
            }
    to
    PHP:
            if(move_uploaded_file($_FILES['image']['tmp_name'], $target_path))
            {
                $content = $_REQUEST['body_text'];
                $content = mysql_escape_string($content);
                mysql_query("INSERT INTO ".$_REQUEST['table']." VALUES (NULL,'".$_REQUEST['title']."','".$content."','".date("Y-m-d")."','".date("G:i:s")."','".basename($_FILES['image']['name'])."',1,'".$_SERVER['REMOTE_ADDR']."')");
            }
     
  15. ziycon

    ziycon New Member

    Same thing happens when I disable TinyMCE (never had a problem before with it). Also that code snippet you suggested there, I've tried it and the same thing still happens!
    I feel like crying! :D
     
  16. ziycon

    ziycon New Member

    Ok Frodo, that seems to work on adding a new article, but when I edit it the same old thing is happening. Below is the update page:
    PHP:
    <?php
    header("Location: ../news/1.htm");
    include('../forum/SSI.php');

    dbConnect();

    global $context;

    if($context['user']['is_logged'])
    {
        $validate_admin = check_admin_userid($context['user']['id']);
        $validate = check_sec_admin_userid($context['user']['id'],2);
        if(($validate == true) || ($validate_admin == true))
        {
            $content = $_REQUEST['body'];
            $content = mysql_escape_string($content);
            // title and id are still interpolated as received
            mysql_query("UPDATE news SET title='".$_GET['title']."', body='".$content."'  WHERE id=".$_GET['id']."");
        }
    }

    closeConnect();
    ?>
     
  17. ziycon

    ziycon New Member

    Sorry to bring back the dead, this was never fixed and now that I have time, I'm trying to sort it out. It's adding in a slash for every single or double quote in the text when adding a new item and editing pages.
    I've tried absolutely everything with no joy, maybe someone out there has had this problem before....anyone?? :(
     
  18. louie

    louie New Member

    that is normal as you are using "mysql_escape_string"

    try using stripslashes($str) when displaying or convert the text
    PHP:
    function unhtmlentities ($string) {
      // Get HTML entities table (character => named entity)
      $trans_tbl = get_html_translation_table (HTML_ENTITIES, ENT_QUOTES);
      // Re-map each character to its numeric entity instead
      foreach($trans_tbl as $key => $value){
        $trans_tbl[$key] = "&#" . ord($key) . ";";
      }
      // Leave the ampersand itself untouched
      $trans_tbl[chr(38)] = "&";
      return strtr($string,$trans_tbl);
    }
     
  19. ziycon

    ziycon New Member

    Got this fixed, thanks louie, by using the stripslashes function!

    One last issue now with this is, when I edit an article it shows up the <br> and when I update the article the <br> are displayed as text and all the formatting of the article is gone!?
     
  20. louie

    louie New Member

    on the display page try to convert the chr(10) and chr(13) to <br /> tags
    PHP:
    echo str_replace(chr(13),"<br />",$string);
     
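    The three pieces the last few posts touch on, put together in one place: undoing magic_quotes_gpc on input (the usual reason escaped text comes back with slashes on PHP before 5.4), escaping the stored body when it is reloaded into the edit form's textarea, and turning line breaks into <br /> on the display page. This is an added example, not code from the thread or the poster's site; the function names (rawInput, textareaValue, displayPlain) and the sample text are constructed for it, and it assumes the body is stored exactly as submitted by a DB layer that adds no slashes of its own.

```php
<?php
// Added example (not from the thread). Requires PHP 7.1+.

// With magic_quotes_gpc=On (PHP < 5.4) every quote in $_GET/$_POST/$_COOKIE already
// carries a backslash. Escaping that input again stores the backslash too, and
// stripslashes() on display then hides the symptom rather than fixing the cause.
// $magicQuotesOn is only a parameter so the behaviour can be shown on any PHP version;
// null means "detect from the runtime".
function rawInput(string $value, ?bool $magicQuotesOn = null): string
{
    if ($magicQuotesOn === null) {
        $magicQuotesOn = function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc();
    }
    return $magicQuotesOn ? stripslashes($value) : $value;
}

// Edit form: the stored body goes inside <textarea>, so <, >, & and both quote characters
// must be entities. That is why the author sees "<br>" as typed when editing: the browser
// decodes &lt;br&gt; back to <br> before submitting, so the stored value is unchanged.
function textareaValue(string $stored): string
{
    return htmlspecialchars($stored, ENT_QUOTES, 'UTF-8');
}

// Display page for a body that holds no HTML: escape, then convert line breaks.
// nl2br() handles \r\n, \n and \r, which is what the chr(10)/chr(13) replacement aimed at.
// A body that is meant to contain admin-authored HTML is instead echoed as stored, and
// no htmlentities() call may sit between the database and that echo.
function displayPlain(string $stored): string
{
    return nl2br(htmlspecialchars($stored, ENT_QUOTES, 'UTF-8'));
}

// Constructed sample: what the browser sends for a body with a newline, both quote
// styles, an ampersand and a hand-typed <br>.
$submitted = "Line one\r\nsays \"hi\" & it's <br>done";

// Simulate the request as it arrives with magic quotes on: addslashes() is exactly
// the transformation magic_quotes_gpc applied.
$asReceived = addslashes($submitted);

$stored = rawInput($asReceived, true);   // back to the text the user typed
var_dump($stored === $submitted);        // true

echo textareaValue($stored), "\n";       // safe inside <textarea>...</textarea>
echo displayPlain($stored), "\n";        // newline becomes <br />, tags shown as text
```

    Run under a PHP that still has magic quotes, rawInput() without the second argument strips once and only once; on PHP 5.4 and later get_magic_quotes_gpc() is gone or always false, so the value passes through untouched. The order matters: strip on input, store raw, and escape on output for the context (textarea versus rendered page) rather than storing an escaped copy.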
