dropfaith Posted October 11, 2008 Share Posted October 11, 2008 So im writing a script to submit storyies to my site and clearly dont want users to submit html tags or xss attacks but i want new lines to auto imput the <br /> tags i thought the below might work but all it does is escape the br tag as well <?php // validate text input fields $cTitle = mysql_escape_string($_POST['Title']); $cGenre = mysql_escape_string($_POST['Genre']); $cDate = mysql_escape_string($_POST['Date']); $fArticle = str_replace("\n","<br/>",$_POST['Article']); $cAuthor = mysql_escape_string($_POST['Author']); $cloginid = mysql_escape_string($_POST['loginid']); $formArticle = mysql_escape_string($fArticle); $Title = htmlentities($cTitle,ENT_QUOTES,"utf-8"); $Genre = htmlentities($cGenre,ENT_QUOTES,"utf-8"); $Date = htmlentities($cDate,ENT_QUOTES,"utf-8"); $Article = htmlentities($formArticle,ENT_QUOTES,"utf-8"); $Author = htmlentities($cAuthor,ENT_QUOTES,"utf-8"); $loginid = htmlentities($cloginid,ENT_QUOTES,"utf-8"); ?> Quote Link to comment Share on other sites More sharing options...
darkfreaks Posted October 11, 2008 Share Posted October 11, 2008 <?php // validate text input fields $cTitle = mysql_escape_string($_POST['Title']); $cGenre = mysql_escape_string($_POST['Genre']); $cDate = mysql_escape_string($_POST['Date']); $farticle =n12br($_POST['Article']); // allows the <br /> tag $cAuthor = mysql_escape_string($_POST['Author']); $cloginid = mysql_escape_string($_POST['loginid']); $formArticle = mysql_escape_string($fArticle); $Title = htmlentities($cTitle,ENT_QUOTES,"utf-8"); $Genre = htmlentities($cGenre,ENT_QUOTES,"utf-8"); $Date = htmlentities($cDate,ENT_QUOTES,"utf-8"); $Article = htmlentities($formArticle,ENT_QUOTES,"utf-8"); $Author = htmlentities($cAuthor,ENT_QUOTES,"utf-8"); $loginid = htmlentities($cloginid,ENT_QUOTES,"utf-8"); ?> Quote Link to comment Share on other sites More sharing options...
dropfaith Posted October 11, 2008 Author Share Posted October 11, 2008 that wouldnt submit to my db its not making an error tho its just not generating code past a certain lin hard to explain http://www.lawrenceguide.org/user/addstory.php username and pass are both phpfreaks submit a few articles and you will see what i mean <?php $cTitle = mysql_escape_string($_POST['Title']); $cGenre = mysql_escape_string($_POST['Genre']); $cDate = mysql_escape_string($_POST['Date']); $farticle =n12br($_POST['Article']); // allows the <br /> tag $cAuthor = mysql_escape_string($_POST['Author']); $cloginid = mysql_escape_string($_POST['loginid']); $formArticle = mysql_escape_string($fArticle); $Title = htmlentities($cTitle,ENT_QUOTES,"utf-8"); $Genre = htmlentities($cGenre,ENT_QUOTES,"utf-8"); $Date = htmlentities($cDate,ENT_QUOTES,"utf-8"); $Article = htmlentities($formArticle,ENT_QUOTES,"utf-8"); $Author = htmlentities($cAuthor,ENT_QUOTES,"utf-8"); $loginid = htmlentities($cloginid,ENT_QUOTES,"utf-8"); // check for errors // if none found... if (sizeof($errorList) == 0) { // open database connection $connection = mysql_connect($host, $user, $pass) or die ("Unable to connect!"); // select database mysql_select_db($db) or die ("Unable to select database!"); // generate and execute query $query = "INSERT INTO story (Title, Genre, Article, Date, Author, loginid) VALUES('$Title','$Genre','$Article','$Date','$Author','$loginid')"; $result = mysql_query($query) or die ("Error in query: $query. " . mysql_error()); // print result echo "<p>Update successful.<a href=index.php>Go Home</a>.<br /> <a href=addstory.php>Add Another</p>"; // close database connection mysql_close($connection); } else { // errors found // print as list echo "<font size=-1>The following errors were encountered: <br>"; echo "<ul>"; for ($x=0; $x<sizeof($errorList); $x++) { echo "<li>$errorList[$x]"; } echo "</ul></font>"; } } ?> Quote Link to comment Share on other sites More sharing options...
darkfreaks Posted October 11, 2008 Share Posted October 11, 2008 you have an extra close bracket on the end take one off should work Quote Link to comment Share on other sites More sharing options...
dropfaith Posted October 11, 2008 Author Share Posted October 11, 2008 Parse error: syntax error, unexpected $end in /home/www/lawrenceguide.org/www/user/addstory.php on line 300 line 300 being the end of the entire page so that wasnt it Quote Link to comment Share on other sites More sharing options...
darkfreaks Posted October 11, 2008 Share Posted October 11, 2008 paste the entire file please. there may be an error somewhere else your not showing me Quote Link to comment Share on other sites More sharing options...
dropfaith Posted October 11, 2008 Author Share Posted October 11, 2008 Allows it to submit just fine just doesnt do the auto insert or br /< tags on a new line <?php // validate text input fields $cTitle = mysql_escape_string($_POST['Title']); $cGenre = mysql_escape_string($_POST['Genre']); $cDate = mysql_escape_string($_POST['Date']); $farticle =n12br($_POST['Article']); // allows the <br /> tag $cAuthor = mysql_escape_string($_POST['Author']); $cloginid = mysql_escape_string($_POST['loginid']); $formArticle = mysql_escape_string($fArticle); $Title = htmlentities($cTitle,ENT_QUOTES,"utf-8"); $Genre = htmlentities($cGenre,ENT_QUOTES,"utf-8"); $Date = htmlentities($cDate,ENT_QUOTES,"utf-8"); $Article = htmlentities($formArticle,ENT_QUOTES,"utf-8"); $Author = htmlentities($cAuthor,ENT_QUOTES,"utf-8"); $loginid = htmlentities($cloginid,ENT_QUOTES,"utf-8"); ?> ENTIRE FILE <?php session_start(); ?><html> <head> <SCRIPT TYPE="text/javascript"> <!-- function popup(mylink, windowname) { if (! window.focus)return true; var href; if (typeof(mylink) == 'string') href=mylink; else href=mylink.href; window.open(href, windowname, 'width=400,height=500,scrollbars=yes'); return false; } //--> </SCRIPT> <?php include("../template/meta.html"); ?> </head> <body> <div class="contain"> <!-- start Header --> <div class="header"></div> <!-- End Header Start TopNav --> <div id="listmenu"> <?php include("../template/topnav.html"); ?> </div> <div class="clear"></div> <!-- End Top Nav Start left Side Nav --> <div class="nav"> <?php require_once "header.php"; //content include "login.php"; // more content ?> </div> <!-- End left Side Nav Start Ad Conent Right Side--> <div class="ad"> <?php include("../template/ads.html"); ?> </div> <!--End Ad Right Side Start Center Main Conent --> <div class="admincontent"> <!-- page header - snip --> <?php // form not yet submitted // display initial form if (!isset($_POST['submit'])) { ?> <fieldset> <legend>Add Story</legend> <form action="<? echo $_SERVER['PHP_SELF']; ?>" method="POST"> <?php $u = $_SESSION['username']; $uid = $_SESSION['loginid']; $query = "SELECT * FROM login WHERE loginid = '$uid'"; $result = mysql_query($query) or die ("Error in query: $query. " . mysql_error()); // if records present if (mysql_num_rows($result) > 0) { // iterate through resultset // print article titles while($row = mysql_fetch_object($result)) { ?> <input type=hidden name="Author" value="<? echo $row->username; ?>"> <input type=hidden name="loginid" value="<? echo $row->loginid; ?>"> <?php } } // if no records present // display message else { ?> <?php } // close database connection mysql_close($connection); ?> <p> <label>Title</label> <input type=text name="Title" size="28"> </p> <p> <label>Date: </label> <input type="text" name="Date" size="28" value="<?php $today = date("F j, Y"); PRINT "$today"; ?>" /><br /> </p> <p><label>Genre</label> <select name="Genre"> <?php $query = "SELECT * FROM genre"; $result = mysql_query($query) or die ("Error in query: $query. " . mysql_error()); // if records present if (mysql_num_rows($result) > 0) { // iterate through resultset // print article titles while($row = mysql_fetch_object($result)) { ?> <option value="<? echo $row->Genre; ?>"><? echo $row->Genre; ?> <?php } } // if no records present // display message else { ?> <?php } // close database connection mysql_close($connection); ?></select><a style="font-weight:bold;" href="gpop.php" onClick="return popup(this, 'Events')" title="Opens in pop up">Add Type</a> <p> <label>Article</label></p> <p> <textarea name="Article" cols="46" rows="15"></textarea> </p> <input type="Submit" name="submit" value="Add"> </form> </fieldset> <?php } else { // includes include("../template/conf.php"); // set up error list array $errorList = array(); $count = 0; // validate text input fields // validate text input fields $cTitle = mysql_escape_string($_POST['Title']); $cGenre = mysql_escape_string($_POST['Genre']); $cDate = mysql_escape_string($_POST['Date']); $farticle =n12br($_POST['Article']); // allows the <br /> tag $cAuthor = mysql_escape_string($_POST['Author']); $cloginid = mysql_escape_string($_POST['loginid']); $formArticle = mysql_escape_string($fArticle); $Title = htmlentities($cTitle,ENT_QUOTES,"utf-8"); $Genre = htmlentities($cGenre,ENT_QUOTES,"utf-8"); $Date = htmlentities($cDate,ENT_QUOTES,"utf-8"); $Article = htmlentities($formArticle,ENT_QUOTES,"utf-8"); $Author = htmlentities($cAuthor,ENT_QUOTES,"utf-8"); $loginid = htmlentities($cloginid,ENT_QUOTES,"utf-8"); // check for errors // if none found... if (sizeof($errorList) == 0) { // open database connection $connection = mysql_connect($host, $user, $pass) or die ("Unable to connect!"); // select database mysql_select_db($db) or die ("Unable to select database!"); // generate and execute query $query = "INSERT INTO story (Title, Genre, Article, Date, Author, loginid) VALUES('$Title','$Genre','$Article','$Date','$Author','$loginid')"; $result = mysql_query($query) or die ("Error in query: $query. " . mysql_error()); // print result echo "<p>Update successful.<a href=index.php>Go Home</a>.<br /> <a href=addstory.php>Add Another</p>"; // close database connection mysql_close($connection); } else { // errors found // print as list echo "<font size=-1>The following errors were encountered: <br>"; echo "<ul>"; for ($x=0; $x<sizeof($errorList); $x++) { echo "<li>$errorList[$x]"; } echo "</ul></font>"; } } ?> </div> <!-- End Center Main Conent --> <div class="clear"></div> <!-- footer --> <div class="footer"> <?php include("../template/footer.html"); ?> </div> <!--end footer --> </div> </body> </html> Quote Link to comment Share on other sites More sharing options...
darkfreaks Posted October 11, 2008 Share Posted October 11, 2008 i don't see any major errors so far post the following line tell me all the errors that pop up: <?php ini_set('error_reporting',E_ALL);?> Quote Link to comment Share on other sites More sharing options...
dropfaith Posted October 11, 2008 Author Share Posted October 11, 2008 there wasnt any its not submitting something properly its odd this wont submit at all and messes with the layout on the return page <?php session_start(); ?><html> <head> <SCRIPT TYPE="text/javascript"> <!-- function popup(mylink, windowname) { if (! window.focus)return true; var href; if (typeof(mylink) == 'string') href=mylink; else href=mylink.href; window.open(href, windowname, 'width=400,height=500,scrollbars=yes'); return false; } //--> </SCRIPT> <?php include("../template/meta.html"); ?> </head> <body> <div class="contain"> <!-- start Header --> <div class="header"></div> <!-- End Header Start TopNav --> <div id="listmenu"> <?php include("../template/topnav.html"); ?> </div> <div class="clear"></div> <!-- End Top Nav Start left Side Nav --> <div class="nav"> <?php require_once "header.php"; //content include "login.php"; // more content ?> </div> <!-- End left Side Nav Start Ad Conent Right Side--> <div class="ad"> <?php include("../template/ads.html"); ?> </div> <!--End Ad Right Side Start Center Main Conent --> <div class="admincontent"> <!-- page header - snip --> <? // form not yet submitted // display initial form if (!isset($_POST['submit'])) { ?> <fieldset> <legend>Add Story</legend> <form action="<? echo $_SERVER['PHP_SELF']; ?>" method="POST"> <?php $u = $_SESSION['username']; $uid = $_SESSION['loginid']; $query = "SELECT * FROM login WHERE loginid = '$uid'"; $result = mysql_query($query) or die ("Error in query: $query. " . mysql_error()); // if records present if (mysql_num_rows($result) > 0) { // iterate through resultset // print article titles while($row = mysql_fetch_object($result)) { ?> <input type=hidden name="Author" value="<? echo $row->username; ?>"> <input type=hidden name="loginid" value="<? echo $row->loginid; ?>"> <? } } // if no records present // display message else { ?> <? } // close database connection mysql_close($connection); ?> <p> <label>Title</label> <input type=text name="Title" size="28"> </p> <p> <label>Date: </label> <input type="text" name="Date" size="28" value="<?php $today = date("F j, Y"); PRINT "$today"; ?>" /><br /> </p> <p><label>Genre</label> <select name="Genre"> <?php $query = "SELECT * FROM genre"; $result = mysql_query($query) or die ("Error in query: $query. " . mysql_error()); // if records present if (mysql_num_rows($result) > 0) { // iterate through resultset // print article titles while($row = mysql_fetch_object($result)) { ?> <option value="<? echo $row->Genre; ?>"><? echo $row->Genre; ?> <? } } // if no records present // display message else { ?> <? } // close database connection mysql_close($connection); ?></select><a style="font-weight:bold;" href="gpop.php" onClick="return popup(this, 'Events')" title="Opens in pop up">Add Type</a> <p> <label>Article</label></p> <p> <textarea name="Article" cols="46" rows="15"></textarea> </p> <input type="Submit" name="submit" value="Add"> </form> </fieldset> <? } else { // includes include("../template/conf.php"); // set up error list array $errorList = array(); $count = 0; // validate text input fields // validate text input fields $cTitle = mysql_escape_string($_POST['Title']); $cGenre = mysql_escape_string($_POST['Genre']); $cDate = mysql_escape_string($_POST['Date']); $farticle =n12br($_POST['Article']); // allows the <br /> tag $cAuthor = mysql_escape_string($_POST['Author']); $cloginid = mysql_escape_string($_POST['loginid']); $formArticle = mysql_escape_string($fArticle); $Title = htmlentities($cTitle,ENT_QUOTES,"utf-8"); $Genre = htmlentities($cGenre,ENT_QUOTES,"utf-8"); $Date = htmlentities($cDate,ENT_QUOTES,"utf-8"); $Article = htmlentities($formArticle,ENT_QUOTES,"utf-8"); $Author = htmlentities($cAuthor,ENT_QUOTES,"utf-8"); $loginid = htmlentities($cloginid,ENT_QUOTES,"utf-8"); // check for errors // if none found... if (sizeof($errorList) == 0) { // open database connection $connection = mysql_connect($host, $user, $pass) or die ("Unable to connect!"); // select database mysql_select_db($db) or die ("Unable to select database!"); // generate and execute query $query = "INSERT INTO story (Title, Genre, Article, Date, Author, loginid) VALUES('$Title','$Genre','$Article','$Date','$Author','$loginid')"; $result = mysql_query($query) or die ("Error in query: $query. " . mysql_error()); // print result echo "<p>Update successful.<a href=index.php>Go Home</a>.<br /> <a href=addstory.php>Add Another</p>"; // close database connection mysql_close($connection); } else { // errors found // print as list echo "<font size=-1>The following errors were encountered: <br>"; echo "<ul>"; for ($x=0; $x<sizeof($errorList); $x++) { echo "<li>$errorList[$x]"; } echo "</ul></font>"; } } ?> </div> <!-- End Center Main Conent --> <div class="clear"></div> <!-- footer --> <div class="footer"> <?php include("../template/footer.html"); ?> </div> <!--end footer --> </div> </body> </html> this submits stories just fine just doesnt do the <br /> as it escapes them <?php session_start(); ?><html> <head> <SCRIPT TYPE="text/javascript"> <!-- function popup(mylink, windowname) { if (! window.focus)return true; var href; if (typeof(mylink) == 'string') href=mylink; else href=mylink.href; window.open(href, windowname, 'width=400,height=500,scrollbars=yes'); return false; } //--> </SCRIPT> <?php include("../template/meta.html"); ?> </head> <body> <div class="contain"> <!-- start Header --> <div class="header"></div> <!-- End Header Start TopNav --> <div id="listmenu"> <?php include("../template/topnav.html"); ?> </div> <div class="clear"></div> <!-- End Top Nav Start left Side Nav --> <div class="nav"> <?php require_once "header.php"; //content include "login.php"; // more content ?> </div> <!-- End left Side Nav Start Ad Conent Right Side--> <div class="ad"> <?php include("../template/ads.html"); ?> </div> <!--End Ad Right Side Start Center Main Conent --> <div class="admincontent"> <!-- page header - snip --> <? // form not yet submitted // display initial form if (!isset($_POST['submit'])) { ?> <fieldset> <legend>Add Story</legend> <form action="<? echo $_SERVER['PHP_SELF']; ?>" method="POST"> <?php $u = $_SESSION['username']; $uid = $_SESSION['loginid']; $query = "SELECT * FROM login WHERE loginid = '$uid'"; $result = mysql_query($query) or die ("Error in query: $query. " . mysql_error()); // if records present if (mysql_num_rows($result) > 0) { // iterate through resultset // print article titles while($row = mysql_fetch_object($result)) { ?> <input type=hidden name="Author" value="<? echo $row->username; ?>"> <input type=hidden name="loginid" value="<? echo $row->loginid; ?>"> <? } } // if no records present // display message else { ?> <? } // close database connection mysql_close($connection); ?> <p> <label>Title</label> <input type=text name="Title" size="28"> </p> <p> <label>Date: </label> <input type="text" name="Date" size="28" value="<?php $today = date("F j, Y"); PRINT "$today"; ?>" /><br /> </p> <p><label>Genre</label> <select name="Genre"> <?php $query = "SELECT * FROM genre"; $result = mysql_query($query) or die ("Error in query: $query. " . mysql_error()); // if records present if (mysql_num_rows($result) > 0) { // iterate through resultset // print article titles while($row = mysql_fetch_object($result)) { ?> <option value="<? echo $row->Genre; ?>"><? echo $row->Genre; ?> <? } } // if no records present // display message else { ?> <? } // close database connection mysql_close($connection); ?></select><a style="font-weight:bold;" href="gpop.php" onClick="return popup(this, 'Events')" title="Opens in pop up">Add Type</a> <p> <label>Article</label></p> <p> <textarea name="Article" cols="46" rows="15"></textarea> </p> <input type="Submit" name="submit" value="Add"> </form> </fieldset> <? } else { // includes include("../template/conf.php"); // set up error list array $errorList = array(); $count = 0; // validate text input fields // validate text input fields $cTitle = mysql_escape_string($_POST['Title']); $cGenre = mysql_escape_string($_POST['Genre']); $cDate = mysql_escape_string($_POST['Date']); $fArticle = str_replace("\n","<br/>",$_POST['Article']); $cAuthor = mysql_escape_string($_POST['Author']); $cloginid = mysql_escape_string($_POST['loginid']); $formArticle = mysql_escape_string($fArticle); $Title = htmlentities($cTitle,ENT_QUOTES,"utf-8"); $Genre = htmlentities($cGenre,ENT_QUOTES,"utf-8"); $Date = htmlentities($cDate,ENT_QUOTES,"utf-8"); $Article = htmlentities($formArticle,ENT_QUOTES,"utf-8"); $Author = htmlentities($cAuthor,ENT_QUOTES,"utf-8"); $loginid = htmlentities($cloginid,ENT_QUOTES,"utf-8"); // check for errors // if none found... if (sizeof($errorList) == 0) { // open database connection $connection = mysql_connect($host, $user, $pass) or die ("Unable to connect!"); // select database mysql_select_db($db) or die ("Unable to select database!"); // generate and execute query $query = "INSERT INTO story (Title, Genre, Article, Date, Author, loginid) VALUES('$Title','$Genre','$Article','$Date','$Author','$loginid')"; $result = mysql_query($query) or die ("Error in query: $query. " . mysql_error()); // print result echo "<p>Update successful.<a href=index.php>Go Home</a>.<br /> <a href=addstory.php>Add Another</p>"; // close database connection mysql_close($connection); } else { // errors found // print as list echo "<font size=-1>The following errors were encountered: <br>"; echo "<ul>"; for ($x=0; $x<sizeof($errorList); $x++) { echo "<li>$errorList[$x]"; } echo "</ul></font>"; } } ?> </div> <!-- End Center Main Conent --> <div class="clear"></div> <!-- footer --> <div class="footer"> <?php include("../template/footer.html"); ?> </div> <!--end footer --> </div> </body> </html> the only code thats different is $cTitle = mysql_escape_string($_POST['Title']); $cGenre = mysql_escape_string($_POST['Genre']); $cDate = mysql_escape_string($_POST['Date']); $fArticle = str_replace("\n","<br/>",$_POST['Article']); $cAuthor = mysql_escape_string($_POST['Author']); $cloginid = mysql_escape_string($_POST['loginid']); $formArticle = mysql_escape_string($fArticle); $Title = htmlentities($cTitle,ENT_QUOTES,"utf-8"); $Genre = htmlentities($cGenre,ENT_QUOTES,"utf-8"); $Date = htmlentities($cDate,ENT_QUOTES,"utf-8"); $Article = htmlentities($formArticle,ENT_QUOTES,"utf-8"); $Author = htmlentities($cAuthor,ENT_QUOTES,"utf-8"); $loginid = htmlentities($cloginid,ENT_QUOTES,"utf-8"); Quote Link to comment Share on other sites More sharing options...
darkfreaks Posted October 11, 2008 Share Posted October 11, 2008 escape them how? please show me what it is outputting thanks. Quote Link to comment Share on other sites More sharing options...
dropfaith Posted October 11, 2008 Author Share Posted October 11, 2008 http://www.lawrenceguide.org/literature/article.php?Id=21 is what was submiting each new line inserts <br /> <MARQUEE> Hi There! <IMG SRC="graphics/idocs.gif" HEIGHT=33 WIDTH=82 ALT="Idocs Guide to HTML"> </MARQUEE> <MARQUEE> Hi There! <IMG SRC="graphics/idocs.gif" HEIGHT=33 WIDTH=82 ALT="Idocs Guide to HTML"> </MARQUEE> <MARQUEE> Hi There! <IMG SRC="graphics/idocs.gif" HEIGHT=33 WIDTH=82 ALT="Idocs Guide to HTML"> </MARQUEE> Database shows this <MARQUEE> <br/>Hi There! <IMG SRC=\"graphics/idocs.gif\" HEIGHT=33 WIDTH=82 ALT=\"Idocs Guide to HTML\"> <br/></MARQUEE> <br/> <br/> <br/><MARQUEE> <br/>Hi There! <IMG SRC=\"graphics/idocs.gif\" HEIGHT=33 WIDTH=82 ALT=\"Idocs Guide to HTML\"> <br/></MARQUEE> <br/> Quote Link to comment Share on other sites More sharing options...
DarkWater Posted October 11, 2008 Share Posted October 11, 2008 You only want to use nl2br() when outputting, not inserting into the database. Try that. Quote Link to comment Share on other sites More sharing options...
dropfaith Posted October 11, 2008 Author Share Posted October 11, 2008 thank you Quote Link to comment Share on other sites More sharing options...
darkfreaks Posted October 11, 2008 Share Posted October 11, 2008 yeah it will appear in the database as it's html entity equivalent try doing something like <?php echo n12br($output);?> Quote Link to comment Share on other sites More sharing options...
dropfaith Posted October 11, 2008 Author Share Posted October 11, 2008 odd that works without $fArticle = str_replace("\n","<br/>",$_POST['Article']); Quote Link to comment Share on other sites More sharing options...
darkfreaks Posted October 11, 2008 Share Posted October 11, 2008 that is because in the DB it is submiting as it's html entity then when you output with n12br it converts back into break Quote Link to comment Share on other sites More sharing options...
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.