[SOLVED] Reading img path files and object paths and other html tags from db


Hi, I'm trying to create a blog for the administrators of my website. I've been able to insert into the database and read the blog back out. I can also put line breaks in the form, insert this into the database and then read it back out, and the blog appears as I wanted it to. However, my problem comes when I try to insert an img path to a web address or embed an object from a website such as YouTube. I've tried html_entity_decode() with no success.

Sorry, below is the code to insert and then read the data back out from the database.

To insert into the db:

$blogtitle = htmlspecialchars($_POST['BlogTitle'], ENT_QUOTES);
//$blog = htmlspecialchars($_POST['Blog'], ENT_QUOTES);
$blog = ($_POST['Blog']);   // body is stored as raw HTML so the tags survive
$sdate = date("Y-m-d");
$errorhandler = False;
if ($blogtitle == '')
{
	print "<h6>Please enter a blog title</h6><br/>";
	$errorhandler = True;
}
if ($blog == '')
{
	print "<h6>Your blog cannot be blank</h6><br/>";
	$errorhandler = True;
}

if ($errorhandler == False)
{
	// $uname is set earlier in the script (not shown). Values are interpolated
	// straight into the SQL string, unescaped; the replies below address this.
	$sSQLINS =	"INSERT into tblBlog
		(sUsername, sBlogTitle, sBlog, sDate)
	VALUES
		('$uname','$blogtitle','$blog','$sdate');";
	// execution of $sSQLINS not shown
}


Reading the data from the db:

Note $sBlog is the variable that stores the main content of the blog, and this is where I am storing the object tags etc.

while (!$rsBlog->EOF)
{
$sBlogTitle = $rsBlog->Fields("sBlogTitle")->value;
$sBlog= html_entity_decode($rsBlog->Fields("sBlog")->value);
$sDate = $rsBlog->Fields("sDate")->value;



print "<br/><h4>$sBlogTitle</h4>";
print "<p><b>Date Uploaded:</b> $sDate</p>";
print "<p>$sBlog</p>";
print "<div id='line'></div>";
$rsBlog->MoveNext();
}

I noted you're NOT encoding it as HTML (it's been commented out, see below),

thus there's no need to decode it..

   //$blog = htmlspecialchars($_POST['Blog'], ENT_QUOTES);
   $blog = ($_POST['Blog']);  

Try something like this

<?php
//$blogtitle = htmlspecialchars($_POST['BlogTitle'], ENT_QUOTES);
//$blog = htmlspecialchars($_POST['Blog'], ENT_QUOTES);

if(get_magic_quotes_gpc())
{
$blogtitle = stripslashes($_POST['BlogTitle']);
$blog = stripslashes($_POST['Blog']);
} else {
$blogtitle = $_POST['BlogTitle'];
$blog = $_POST['Blog'];
}

$sdate = date("Y-m-d");
$errorhandler = False;
if ($blogtitle == '')
{
print "<h6>Please enter a blog title</h6><br/>";
$errorhandler = True;
}
if ($blog == '')
{
print "<h6>Your blog cannot be blank</h6><br/>";
$errorhandler = True;
}


if ($errorhandler == False)
{
//STOP SQL INJECTION
$sSQLINS= sprintf("INSERT into tblBlog (sUsername, sBlogTitle, sBlog, sDate)
	VALUES ('%s','%s','%s','%s');",
mysql_real_escape_string($uname), 
mysql_real_escape_string($blogtitle), 
mysql_real_escape_string($blog), 
mysql_real_escape_string($sdate)
);
}





//Read Back
while (!$rsBlog->EOF)
{
$sBlogTitle = $rsBlog->Fields("sBlogTitle")->value;
$sBlog= $rsBlog->Fields("sBlog")->value;
$sDate = $rsBlog->Fields("sDate")->value;

//Stop HTML INJECTION
$sBlogTitle = htmlspecialchars($sBlogTitle);
#$sBlog = htmlspecialchars($sBlog); //allow for this one for now!

print "<br/><h4>$sBlogTitle</h4>";
print "<p><b>Date Uploaded:</b> $sDate</p>";
print "<p>$sBlog</p>";
print "<div id='line'></div>";
$rsBlog->MoveNext();
}
?>


EDIT: Oh yeah..

are you sure the class you're using for DB access ($rsBlog) isn't sanitizing it?

I have made the changes as suggested:

<?php
//$blogtitle = htmlspecialchars($_POST['BlogTitle'], ENT_QUOTES);
//$blog = htmlspecialchars($_POST['Blog'], ENT_QUOTES);

if(get_magic_quotes_gpc())
{
$blogtitle = stripslashes($_POST['BlogTitle']);
$blog = stripslashes($_POST['Blog']);
} else {
$blogtitle = $_POST['BlogTitle'];
$blog = $_POST['Blog'];
}

$sdate = date("Y-m-d");
$errorhandler = False;
if ($blogtitle == '')
{
print "<h6>Please enter a blog title</h6><br/>";
$errorhandler = True;
}
if ($blog == '')
{
print "<h6>Your blog cannot be blank</h6><br/>";
$errorhandler = True;
}


if ($errorhandler == False)
{
//STOP SQL INJECTION
$sSQLINS= sprintf("INSERT into tblBlog (sUsername, sBlogTitle, sBlog, sDate)
	VALUES ('%s','%s','%s','%s');",
mysql_real_escape_string($uname), 
mysql_real_escape_string($blogtitle), 
mysql_real_escape_string($blog), 
mysql_real_escape_string($sdate)
);
}





//Read Back
while (!$rsBlog->EOF)
{
$sBlogTitle = $rsBlog->Fields("sBlogTitle")->value;
$sBlog= $rsBlog->Fields("sBlog")->value;
$sDate = $rsBlog->Fields("sDate")->value;

//Stop HTML INJECTION
$sBlogTitle = htmlspecialchars($sBlogTitle);
#$sBlog = htmlspecialchars($sBlog); //allow for this one for now!

print "<br/><h4>$sBlogTitle</h4>";
print "<p><b>Date Uploaded:</b> $sDate</p>";
print "<p>$sBlog</p>";
print "<div id='line'></div>";
$rsBlog->MoveNext();
}
?>


However, my page still isn't outputting any images or embedded objects. Totally stumped on this one! I can't find anything anywhere to suggest what it could be.

Okay, is the page live? (so that I can see it; PM if needed)

If not, can you view source and post the part that should be the image link?

If it appears as

&lt;img src=

then the class is sanitizing it.

It would help if I could see it; even a saved HTML file would help.

Sorry, it's not live, but this is the code when I go to view source:

<h4>bvbvb</h4><p><b>Date Uploaded:</b> 23/12/2008</p><p><object width=\"425\" height=\"344\"><param name=\"movie\" value=\"http://www.youtube.com/v/SFrzsUtudpg&hl=en&fs=1\"></param><param name=\"allowFullScreen\" value=\"true\"></param><param name=\"allowscriptaccess\" value=\"always\"></param><embed src=\"http://www.youtube.com/v/SFrzsUtudpg&hl=en&fs=1\" type=\"application/x-shockwave-flash\" allowscriptaccess=\"always\" allowfullscreen=\"true\" width=\"425\" height=\"344\"></embed></object></p><div id='line'></div><br/><h4>test</h4><p><b>Date Uploaded:</b> 23/12/2008</p><p><object width=\"425\" height=\"344\"><param name=\"movie\" value=\"http://www.youtube.com/v/SFrzsUtudpg&hl=en&fs=1\"></param><param name=\"allowFullScreen\" value=\"true\"></param><param name=\"allowscriptaccess\" value=\"always\"></param><embed src=\"http://www.youtube.com/v/SFrzsUtudpg&hl=en&fs=1\" type=\"application/x-shockwave-flash\" allowscriptaccess=\"always\" allowfullscreen=\"true\" width=\"425\" height=\"344\"></embed></object>

Just read your update.

Oh yeah..

are you sure the class you're using for DB access ($rsBlog) isn't sanitizing it?

Not really sure, to be honest. This is how I'm declaring $rsBlog:

<?php
// SQL statement to select all of this user's rows from the blog table
// NOTE: $sTipster is interpolated unescaped; escape it (mysql_real_escape_string
// as in the INSERT above) or use a parameterised query.
$sSQLQUERY =	"SELECT * FROM tblBlog WHERE sUsername='$sTipster' ORDER BY sDate DESC;";
// Runs the query and returns a recordset ($rsBlog) to iterate over
$rsBlog = $adoConnection->Execute( $sSQLQUERY );
?>

Okay, well, I don't like your class, but I think I have a fix.

I noted this in the source:

<object width=\"425\" height=\"344\">

The \" are wrong; that's normally fixed by the if(get_magic_quotes_gpc()) part of my code, but I guess the class is using addslashes..

Sooooo

try this (stripslashes):

<?php
//Read Back
while (!$rsBlog->EOF)
{
   $sBlogTitle = $rsBlog->Fields("sBlogTitle")->value;
   $sBlog= $rsBlog->Fields("sBlog")->value;
   $sDate = $rsBlog->Fields("sDate")->value;
   
   //Stop HTML INJECTION
   $sBlogTitle = htmlspecialchars(stripslashes($sBlogTitle)); //Updated
   $sBlog = stripslashes($sBlog); //Added
   #$sBlog = htmlspecialchars($sBlog); //allow for this one for now!
   
   print "<br/><h4>$sBlogTitle</h4>";
   print "<p><b>Date Uploaded:</b> $sDate</p>";
   print "<p>$sBlog</p>";
   print "<div id='line'></div>";
   $rsBlog->MoveNext();
}
?>
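As an added example (not code from the thread), the PHP below reproduces the symptom behind the \" in the view-source above and the clean alternative: a DB wrapper that applies addslashes() on top of mysql_real_escape_string() leaves one layer of backslashes in the stored body, whereas a prepared statement (SQLite in memory stands in for MySQL; the table, the sample embed tag and the title are constructed) needs no escaping layer at all, so the HTML comes back unchanged and nothing has to be stripped on read.

```php
<?php
// Added example, not from the thread. Part 1 emulates the stacked escaping the
// replier suspected; part 2 round-trips the same body through a bound parameter.

// Constructed sample input: an admin pastes an embed tag into the form.
$posted = '<object width="425" height="344"><param name="movie" '
        . 'value="http://www.youtube.com/v/EXAMPLE_ID"></param></object>';

// Broken pipeline: addslashes() in the DB class plus mysql_real_escape_string()
// in the INSERT. MySQL removes exactly one layer of backslashes when it parses
// the quoted literal (emulated with stripslashes()), so one layer survives.
function emulateDoubleEscapedStore(string $raw): string {
    $literal = addslashes(addslashes($raw));  // two escaping layers stacked
    return stripslashes($literal);            // MySQL undoes only one of them
}

// Correct pipeline: bind the values and let the driver handle quoting, then
// escape once, at the HTML sink, only the field that is meant to be plain text.
function roundTripPrepared(PDO $db, string $title, string $body): array {
    $db->exec('CREATE TABLE IF NOT EXISTS tblBlog (sBlogTitle TEXT, sBlog TEXT)');
    $ins = $db->prepare('INSERT INTO tblBlog (sBlogTitle, sBlog) VALUES (?, ?)');
    $ins->execute([$title, $body]);
    $row = $db->query('SELECT sBlogTitle, sBlog FROM tblBlog')->fetch(PDO::FETCH_ASSOC);
    return [
        // Title is plain text: HTML-escape it when printing, not when storing.
        'title' => htmlspecialchars($row['sBlogTitle'], ENT_QUOTES, 'UTF-8'),
        // Body is admin-authored HTML emitted as-is, as the thread intends; that
        // is only safe while the form is reachable by trusted admins alone.
        'body'  => $row['sBlog'],
    ];
}

$broken = emulateDoubleEscapedStore($posted);
echo "Stored with stacked escaping: $broken\n";         // width=\"425\" ...
assert(strpos($broken, '\\"') !== false);

$out = roundTripPrepared(new PDO('sqlite::memory:'), 'Tom & "Jerry"', $posted);
echo "Prepared-statement body:      {$out['body']}\n";  // identical to $posted
assert($out['body'] === $posted);
assert($out['title'] === 'Tom &amp; &quot;Jerry&quot;');
```

Run with the pdo_sqlite extension enabled; the stripslashes() on read in the post above is a workaround for the first pipeline, and becomes unnecessary with the second.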
