jrws Posted March 9, 2009

Hi guys, I am creating a news system so that I can learn about PHP and MySQL, however I have run into a problem when submitting news: all line breaks appear as r when inserted into the database. I've tried using both a LONGTEXT field and a LONGBLOB field, however the results are always the same. I protect the fields from SQL injection and from XSS attacks by using a function, which is:

function clean($string) {
    if (get_magic_quotes_gpc()) {
        $string = stripslashes($string);
    } elseif (!get_magic_quotes_gpc()) {
        $string = addslashes(trim($string));
    }
    $string = trim($string);
    $string = escapeshellcmd($string);
    $string = mysql_real_escape_string($string);
    $string = stripslashes(strip_tags(htmlspecialchars($string)));
    return $string;
}

So I wish to know, is it the protect function that is causing this, or is there something else I can do? This is also the insert code of the section:

$title  = clean($_POST['title']);
$data   = clean($_POST['data']);
$author = clean($_SESSION['username']);
$u_id   = $_SESSION['u_id'];
$alreadyExists = mysql_query("SELECT * FROM news WHERE title = '$title'") or die(mysql_error());
if (mysql_num_rows($alreadyExists) > 0) {   // any matching row is a duplicate (was > 1, which let one through)
    echo '<div class="error">News already exists! Please go <a href="'.$siteURL.'new_news.php">Back</a></div>';
} else {
    $q = "INSERT INTO news(title,data,author,submit_date,u_id) VALUES('$title','$data','$author',now(),'$u_id')";
    $r = mysql_query($q) or die(mysql_error());
    $id = mysql_insert_id();
    if ($r) {
        echo 'News successfully added!<br> Please click <a href="'.$siteURL.'view_news.php">here</a> to view the news.
Or click <a href="'.$siteURL.'view_news.php?id='.$id.'">here</a> to view your news.';
    }
}

Here is the view code, mind you I've only just added the nl2br code:

if (isset($_GET['id']) && is_numeric($_GET['id'])) {
    $id = clean($_GET['id']);
    $sql2 = mysql_query("SELECT * FROM `news` WHERE id='$id'") or die(mysql_error());
    $row = mysql_fetch_array($sql2);
    $title  = $row['title'];
    $data   = nl2br($row['data']);
    $author = $row['author'];
    echo '<h1>' . strtoupper($title) . '</h1>';
    echo '<small>By :<a href="'.$siteURL.'profile.php?id='.$row['u_id'].'">'.$author.'</a><br></small>';
    echo '<p>' . $data . '</p>';
}

I just realised now, do I actually need to clean the id after checking that it's numeric?

I have just added an edit function, but it appears something is wrong, because as I get the data from the database it leaves a large blank space; it also doesn't get the title. I have added trim to the code but get the same results. Here is the edit part of the code:

if (isset($_GET['id']) && is_numeric($_GET['id']) && isset($_GET['edit']) && is_numeric($_GET['id'])) {
    $id = $_GET['id'];
    $sql = "SELECT * FROM news WHERE id = '$id'";
    $result = mysql_query($sql) or die(mysql_error());
    $row = mysql_fetch_array($result);
    $u_id = $row['u_id'];
    if ($_SESSION['u_id'] == $u_id || $_SESSION['u_level'] == 6) {
?>
<form action="<? echo $PHP_SELF; ?>" method="post">
Title:<input type="text" name="<?=$row['title'];?>" size="32"><br>
Author:<input type="text" name="author" disabled="true" value="<?=$row['author'];?>"><br>
<textarea rows="6" cols="40" name="data"> <?=trim($row['data']);?> </textarea>
<br>
<input type="submit" value="Submit" name="submit">
</form>
<?
    } else {
        echo 'Not authorised to view this page!';
    }
}
Mchl Posted March 9, 2009

$string = mysql_real_escape_string($string);
$string = stripslashes(strip_tags(htmlspecialchars($string)));

So you add slashes with mysql_real_escape_string then you remove them with stripslashes()... What's the point?
jrws (Author) Posted March 9, 2009

To be honest, no idea. It was a function suggested by someone here, so I took the suggestion.
Mchl Posted March 9, 2009

I see... Well.. try this one:

function clean($string) {
    if (get_magic_quotes_gpc()) {
        $string = stripslashes($string);
    }
    $string = trim($string);
    $string = mysql_real_escape_string($string);
    return $string;
}

Also you might want to run strip_tags if you want to remove HTML from user input.
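Added example, written for this page and not code posted by jrws or Mchl. It traces what the first post's clean() does to a CRLF pair, which is where the stray "r" comes from, and then shows the direction Mchl's shorter version points in taken one step further: store the text untouched, bind it as a query parameter, and escape only when rendering HTML. It assumes PHP 7.4+ with pdo_sqlite (SQLite stands in for MySQL so the script runs offline), and replaces mysql_real_escape_string(), which needs a live MySQL connection, with a small stand-in that applies the same documented escapes. The function and table names are my own choices.

```php
<?php
// Added example, not code from the thread. Assumes PHP 7.4+ with pdo_sqlite;
// SQLite stands in for MySQL so the script runs offline.

function check(bool $ok, string $what): void {
    if (!$ok) { throw new RuntimeException("check failed: $what"); }
}

// Stand-in for mysql_real_escape_string(), which needs a live MySQL
// connection: applies the same documented escapes (\ ' " \r \n NUL \x1a).
function mysql_escape_sim(string $s): string {
    return strtr($s, [
        "\\" => "\\\\", "'" => "\\'", "\"" => "\\\"",
        "\r" => "\\r",  "\n" => "\\n", "\0" => "\\0", "\x1a" => "\\Z",
    ]);
}

// The clean() from the first post (magic_quotes-off branch) with the
// MySQL call replaced by the stand-in above.
function old_clean(string $s): string {
    $s = addslashes(trim($s));
    $s = trim($s);
    $s = escapeshellcmd($s);   // turns LF into backslash + LF
    $s = mysql_escape_sim($s); // CR -> "\r", LF -> "\n", "\" -> "\\" (all literal characters now)
    $s = stripslashes(strip_tags(htmlspecialchars($s))); // strips every one of those backslashes again
    return $s;
}

$input = "first line\r\nsecond line";   // constructed sample post body
// The CR survives only as the letter "r"; the LF survives as the two characters
// backslash-n, which MySQL's string-literal parser turns back into a newline
// when the value is interpolated into the INSERT. That is the stray "r".
check(old_clean($input) === "first liner\\nsecond line", 'old clean() mangles CRLF');

// Safe pattern: store the bytes as typed, bind them, escape at output time.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE news (id INTEGER PRIMARY KEY, title TEXT, data TEXT, author TEXT)');

function insert_news(PDO $pdo, string $title, string $data, string $author): int {
    $st = $pdo->prepare('INSERT INTO news (title, data, author) VALUES (?, ?, ?)');
    $st->execute([trim($title), $data, $author]);  // bound parameters: no quoting, no injection
    return (int) $pdo->lastInsertId();
}

// is_numeric() accepts "1e3", " 7" and (before PHP 7) "0x1A"; validate as an int instead.
function news_id_from_query(array $get): ?int {
    $id = filter_var($get['id'] ?? null, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

function fetch_news(PDO $pdo, int $id): ?array {
    $st = $pdo->prepare('SELECT title, data, author FROM news WHERE id = ?');
    $st->execute([$id]);
    $row = $st->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// HTML-escape every value as it is emitted; nl2br runs after escaping so the
// <br /> tags it adds are the only markup in the output.
function render_news(array $row): string {
    $h = fn(string $v): string => htmlspecialchars($v, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<h1>' . $h(strtoupper($row['title'])) . '</h1>'
         . '<small>By: ' . $h($row['author']) . '</small>'
         . '<p>' . nl2br($h($row['data'])) . '</p>';
}

$id  = insert_news($pdo, 'Test <b>post</b>', $input, "O'Brien");
$row = fetch_news($pdo, $id);
check($row['data'] === $input, 'CRLF stored exactly as typed');
check(news_id_from_query(['id' => '1e3']) === null, 'is_numeric would pass 1e3; validate_int rejects it');
check(news_id_from_query(['id' => (string) $id]) === $id, 'valid id accepted');
check(stripos(render_news($row), '<b>') === false, 'tags in title escaped on output');
echo render_news($row), "\n";
```

Two points the trace makes concrete. First, every escaping function in the original clean() answers a different question (shell, SQL, HTML), and stripslashes() at the end undoes the SQL escaping and the CR along with it, so the stored text is neither what was typed nor safely escaped; with bound parameters there is nothing to escape on the way in, and the output context decides what gets escaped on the way out. Second, on the id question: once the value has been validated as an integer and cast (or bound as a parameter), there is nothing left for clean() to do, and running it anyway only risks altering the value.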
This topic is now archived and is closed to further replies.