PHP Adding/Editing DB via FORMS

Advert test
#1
The situation is, im using a normal HTML in a PHP page, the problem is when i add text to the textarea and submit it to the DB and when i query it to show up on the next page the <br>(these tags are entered manually into the textarea before submitting) show up in the text and the &nbsp; characters show up also anything after a double quote is not stored into the DB, the field is defined as a text type!
Any help would be much appreciated as always.
 

CiaranR

Weeno Ltd + Skimlinks.com
#4
Not that im aware of, what exactly does it do, tried to make sense of it but couldn't!?
It escapes nasty charters in you sql statements. It's essential to stop mysql injection attacks.

Your insert code should look like this:

PHP:
$content = $_POST['content'];
$dbcontent = mysql_escape_string($content);
$sql="insert into some_table(msContent) values ('".$dbcontent."')";
$result = mysql_query($sql,$conn) or die("Fail");
 
#5
It escapes nasty charters in you sql statements. It's essential to stop mysql injection attacks.

Your insert code should look like this:

PHP:
$content = $_POST['content'];
$dbcontent = mysql_escape_string($content);
$sql="insert into some_table(msContent) values ('".$dbcontent."')";
$result = mysql_query($sql,$conn) or die("Fail");
No need to worry abouy sql injection attacks on the pages in questions, there secure enough already, so if i have something like so it should work?
PHP:
<?php
header("Location: ../news/1.htm");
include('../forum/SSI.php');

dbConnect();

global $context;

if($context['user']['is_logged'])
{
    $validate_admin = check_admin_userid($context['user']['id']);
    $validate = check_sec_admin_userid($context['user']['id'],2);
    if(($validate == true) || ($validate_admin == true))
    {
        $content = mysql_escape_string($_REQUEST['body']);        
        mysql_query("UPDATE news SET title='".$_GET['title']."', body='".$content."'  WHERE id=".$_GET['id']."");
    }
}

closeConnect();
?>
Tired this but the stripslashes function is not working when displaying the text now!?
 
#7
They should be fine, you have to be logged in and have admin right then to even view the pages!

I read something about putting '<br>' tags into textareas and then not being the right encoding type but i have the same thing setup on another site and it will accept these tags and double quotes etc no problem, cant seen to figure it out!?
 

CiaranR

Weeno Ltd + Skimlinks.com
#8
You shouldn't need the stripslashes function or the addslashes function when you are using mysql_escape_string function.
 
#10
Ok, still not working, if i add data directly to the DB is shows up fine but if i add it via a webpage or edit it via a webpage either slashes start showing up, everything after double quotes disappears or the html tags are converted from '<br> to '&lt;br&gt;'!
I'm not understanding this mysql_escape_string function, wheres it ment to go, before data enters the db or after or what does it even do, tried php.net but sometimes they word things difficult enough!?
 

CiaranR

Weeno Ltd + Skimlinks.com
#12
It escapes nasty charters in you sql statements. It's essential to stop mysql injection attacks.

Your insert code should look like this:

PHP:
$content = $_POST['content'];
$dbcontent = mysql_escape_string($content);
$sql="insert into some_table(msContent) values ('".$dbcontent."')";
$result = mysql_query($sql,$conn) or die("Fail");
It should go before your insert/update. It will turn this

Code:
insert into some_table(msContent) values ('This is some content with " in it and  ' in it and things like that')
into

Code:
insert into some_table(msContent) values ('This is some content with \" in it and  \' in it and things like that')
It sounds like you have other functions that are causing this problem, like the html_entities function that goergie mentions.
 
#13
weird the thing with the br tags. post more source code to have a look. is there any html_entities tag that might be doing this?
Nope now html tags, below is the full code for adding a news article.
PHP:
<?php
include('forum/SSI.php');

dbConnect();
?>
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<title><?php if($context['user']['is_logged'])
            {
                $validate_admin = check_admin_userid($context['user']['id']);
                $validate = check_sec_admin_userid($context['user']['id'],2);
                if(($validate == true) || ($validate_admin == true))
                {
                    echo 'add article';
                }
                else
                {
                    echo 'error';
                }
            }
            else
            {
                echo 'error';
            }
            echo get_prop("site_title_name");?></title>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<meta name='description' content="The IGaming Network is an Online Gaming Network. We bring you the latest news and gossip on the gaming scene.">
<meta name='keywords' content="ign,irish gaming network,games,ireland,eire,computer,console,psp,ps1,ps2,ps3,xbox,xbox 360,360,nintendo,sony,wii,ds,sega,lan,lans,gaming,consoles">
<meta name="verify-v1" content="2ZcOX3yYQeGDQ0iUCnvKkr0yPMcJxDA2Y+bnSCR90M0=">
<link href="sys_config/style.css" rel="stylesheet" type="text/css">
<link href="sys_config/app_style.css" rel="stylesheet" type="text/css">
<link rel="shortcut icon" type="image/ico" href="images/layout/igaming-network.ico">
<?php display_favicon(); ?>
<script type="text/javascript" src="../sys_config/jscripts/tiny_mce/tiny_mce.js"></script>
<script language="javascript" type="text/javascript">
tinyMCE.init({
    mode : "textareas",
    theme : "advanced",
    theme_advanced_buttons1 : "",
    theme_advanced_buttons2 : "",
    theme_advanced_buttons3 : "",
    theme_advanced_toolbar_location : "top",
    theme_advanced_toolbar_align : "left",
    extended_valid_elements : "a[name|href|target|title|onclick],img[class|src|border=0|alt|title|hspace|vspace|width|height|align|onmouseover|onmouseout|name],hr[class|width|size|noshade],font[face|size|color|style],span[class|align|style]"
});
</script>
<script language="javascript">
<!--
var submitted = 0;
function checkform() {
    if(document.add_article.title.value == '') {
        alert("Please enter an article title!");
        return false;
    }
    if(document.add_article.body_text.value == '') {
        alert("Please enter the body of the article!");
        return false;
    }
    if(document.add_article.image.value == '') {
        alert("Please select an article image!");
        return false;
    }
}
//-->
</script>

</head>
<?php site_header(); 
            if($context['user']['is_logged'])
            {
                $validate_admin = check_admin_userid($context['user']['id']);
                $validate = check_sec_admin_userid($context['user']['id'],2);
                if(($validate == true) || ($validate_admin == true))
                {
?>
            <div id="body_left">
                <div id="wrapper">
                    <div id="page_title">»&nbsp;add news</div>
                    <div id="body_wrapper">
                        <form name="add_article" method="post" action="addNews.php" enctype="multipart/form-data" onsubmit="return checkform();">
                <input type="hidden" name="table" value="'.$table.'">
                <div class="edit_item_wrapper"><div class="edit_item_name">Title:</div><div class="edit_item_detail"><input type="text" name="title" value="" size="50" class="form"></div></div>
                <div class="edit_item_wrapper">
                    <div class="edit_item_name">Body:</div>
                    <div class="edit_item_detail">
                        <textarea name="body_text" rows="40" cols="50"></textarea>    
                    </div>
                </div>    
                <div class="edit_item_wrapper">
                    <div class="edit_item_name">Image:</div>
                    <div class="edit_item_detail">
                        <input type="hidden" name="MAX_FILE_SIZE" value="100000">
                        <input type="file" name="image" size="50" maxlength="100" class="form"> Size: 130 x 78
                    </div>
                </div>
                <div class="edit_item_wrapper"><div class="edit_item_name"><input type="submit" value="Add Article" class="form">&nbsp;<input type="reset" value="Clear" class="form"></div></div>
            </form>
                    </div>
                </div>
            </div>
<?php
                }
            }
            else
            {
                error();
            }
site_footer();
closeConnect();
?>
addNews.php
PHP:
<?php
header("Location: ../news/1.htm");
include('../forum/SSI.php');

dbConnect();

global $context;

if($context['user']['is_logged'])
{
    $validate_admin = check_admin_userid($context['user']['id']);
    $validate = check_sec_admin_userid($context['user']['id'],2);
    if(($validate == true) || ($validate_admin == true))
    {
        $target_path = "../images/news/";
        $target_path = $target_path . basename($_FILES['image']['name']);
        
        if(move_uploaded_file($_FILES['image']['tmp_name'], $target_path))
        {
            mysql_query("INSERT INTO ".$_REQUEST['table']." VALUES (NULL,'".$_REQUEST['title']."','".$_REQUEST['body_text']."','".date("Y-m-d")."','".date("G:i:s")."','".basename($_FILES['image']['name'])."',1,'".$_SERVER['REMOTE_ADDR']."')");
        }
    }
}

closeConnect();
?>
 

CiaranR

Weeno Ltd + Skimlinks.com
#14
A) Have you tried turning TinyMCE off to make sure it's not doing it.

B) This is different code that the first piece you posted.

C) Change this:

PHP:
        if(move_uploaded_file($_FILES['image']['tmp_name'], $target_path))
        {
            mysql_query("INSERT INTO ".$_REQUEST['table']." VALUES (NULL,'".$_REQUEST['title']."','".$_REQUEST['body_text']."','".date("Y-m-d")."','".date("G:i:s")."','".basename($_FILES['image']['name'])."',1,'".$_SERVER['REMOTE_ADDR']."')");
        }
to
PHP:
        if(move_uploaded_file($_FILES['image']['tmp_name'], $target_path))
        {
            $content = $_REQUEST['body_text'];
            $content = mysql_escape_string($content);
            mysql_query("INSERT INTO ".$_REQUEST['table']." VALUES (NULL,'".$_REQUEST['title']."','".$content."','".date("Y-m-d")."','".date("G:i:s")."','".basename($_FILES['image']['name'])."',1,'".$_SERVER['REMOTE_ADDR']."')");
        }
 
#15
A) Have you tried turning TinyMCE off to make sure it's not doing it.

B) This is different code that the first piece you posted.

C) Change this:

PHP:
        if(move_uploaded_file($_FILES['image']['tmp_name'], $target_path))
        {
            mysql_query("INSERT INTO ".$_REQUEST['table']." VALUES (NULL,'".$_REQUEST['title']."','".$_REQUEST['body_text']."','".date("Y-m-d")."','".date("G:i:s")."','".basename($_FILES['image']['name'])."',1,'".$_SERVER['REMOTE_ADDR']."')");
        }
to
PHP:
        if(move_uploaded_file($_FILES['image']['tmp_name'], $target_path))
        {
            $content = $_REQUEST['body_text'];
            $content = mysql_escape_string($content);
            mysql_query("INSERT INTO ".$_REQUEST['table']." VALUES (NULL,'".$_REQUEST['title']."','".$content."','".date("Y-m-d")."','".date("G:i:s")."','".basename($_FILES['image']['name'])."',1,'".$_SERVER['REMOTE_ADDR']."')");
        }
Same thing happens when i disable TinyMCE(never had a problem before with it) also that code snippet you suggested there, i've tried it and same thing still happens!
I feel like crying!:D
 
#16
Ok Frodo, that seems to work on adding a new article, but when i edit it the same old thing is happening, below is the update page:
PHP:
<?php
header("Location: ../news/1.htm");
include('../forum/SSI.php');

dbConnect();

global $context;

if($context['user']['is_logged'])
{
    $validate_admin = check_admin_userid($context['user']['id']);
    $validate = check_sec_admin_userid($context['user']['id'],2);
    if(($validate == true) || ($validate_admin == true))
    {
        $content = $_REQUEST['body'];
        $content = mysql_escape_string($content);
        mysql_query("UPDATE news SET title='".$_GET['title']."', body='".$content."'  WHERE id=".$_GET['id']."");
    }
}

closeConnect();
?>
 
#17
Sorry to bring back the dead, this was never fixed and now that i have time, im trying to sort it out, its adding in a slash for every single or double quote in the text when adding a new item and editing pages.
I've tried absolutly everything with now joy, maybe someone out there has had this problem before....anyone??:(
 
#18
that is normal as you are using "mysql_escape_string"

try using stripslashes($str) when displaying or convert the text
PHP:
function unhtmlentities ($string) {
  // Get HTML entities table
  $trans_tbl = get_html_translation_table (HTML_ENTITIES, ENT_QUOTES);
  foreach($trans_tbl as $key => $value){
   $trans_tbl[$key] = "&#". ord($key) . ";";
  }
  $trans_tbl[chr(38)] = "&";
  return strtr($string,$trans_tbl);
  }
 
#19
Got this fixed, thanks louie, by using the strip slashes function!

One last issue now with this is, when i edit an article its shows up the <br> and when i update the article the <br> are displayed as text and all the formatting of the article is gone!?
 
Top