[SOLVED] mysql and screwy hyperlinks

[Lambneck]

I have a problem with selecting hyperlinks from mysql. How come when someone submits info containing a hyperlink to my database and then when that info(link) is selected and displayed onto a page it doesnt take me to the site in their link but to something like the following url:

 

http://mysite.com/"http://their-hyperlink.com/"

 

 

???

 

 

[Mchl]

I would suspect, that your site adds 'http://mysite.com/"' part when displaying links.

 

Did you check if the links are stored in MySQL with or without 'http://mysite.com/"'?

[Lambneck]

I forgot to mention that they are using html to make the links:

 

<a href="http://www.their-hyperlink.com">http://www.their-hyperlink.com</a>

 

still, why would my site prefix its url when displaying links?

[Mchl]

Because it's coded to do so.

Are you using a some kind of CMS?

[Lambneck]

No, i kindof raped and pasted this code, but i dont see anything that would create this effect.

 

what should I be looking for in the code that would cause this prefix to be attached to these outgoing hyperlinks?

[Mchl]

First of all, check how they look in the database.

If they're unmodified, then it's the displaying code that adds this. If they're modified, then they're obviously being modified when saving to database.

[Lambneck]

They look normal in the database.

So I looked over the selection code but cant find anything to indicate why this is happening.

:-\

 

 

 

 

[Mchl]

Well... it has to be somewhere between the database and html output.

 

 

[Lambneck]

yah i agree but what?

could be nl2br() somehow?

 

heres the selection code:

<?php

require_once('pageLoad.php');

if (!mysql_connect($db_host, $db_user, $db_pwd))
    die("Woops! YOU broke the system! Quick! Refresh the page!");

if (!mysql_select_db($database))
    die("Can't... se... select... data... base.");

$id = (int) $_GET['id']; 

$sql = "SELECT * FROM $table WHERE submission_id=$id";
$result = mysql_query($sql);

if(mysql_num_rows($result) == 1){
$row = mysql_fetch_array($result);

	echo "<table>";
	echo "<tr><td><strong>";
	echo stripslashes(htmlspecialchars($row['col_1']));
	echo "  |  ";
	echo date("l M dS, Y", $row['submission_date']);
	echo "  |  ";
	echo "Posted by: ";
	echo stripslashes(htmlspecialchars($row['name']));
	echo "</strong><hr></td></tr>";
	echo "<tr><td><br>".(nl2br($row['col_2']))."</td></tr>";
	echo "</table>";

}else{
echo 'Oops! Something went wrong! Try something else!';
}
?>

 

 

[Mchl]

No... nl2br is not the culprit here... Hmm... No idea...

[Lambneck]

Argh!

it was the form processing code.

needed a stripslashes() around (nl2br($row['col_2'])...

it was mysql_real_escape_string() that flubbed it up while processing the info to the database.

 

 

 

 

[Mchl]

Huh... too much escaping...

[Lambneck]

Huh... too much escaping...

 

What do you recommend?

[Mchl]

Do you have magic_quotes enabled on your server?

[Lambneck]

Not sure. I thought using mysql_real_escape_string() was more effective than magic_quotes anyway, no?

[Mchl]

Surely it is. But if you have magic_quotes enabled, you're escaping variables twice... which is once too much