
Hello, this is a form for retrieving and adding text to a database. I would like to use some HTML, mainly hyperlinks, mixed in with the text, but in its present form it won't accept the HTML. Is there a way to do it? Thanks, okrobie

 

<?php

include 'dbc.php'; // database credentials plus the helpers used below (page_protect(), filter())
page_protect();    // sends visitors who are not logged in away from this page

// Load the current row for the logged-in user; $_SESSION['user_id'] is set by the login code
$rs_settings = mysql_query("select * from parents where id='$_SESSION[user_id]'");

if (isset($_POST['doUpdate']) && $_POST['doUpdate'] == 'Update')
{
    $rs_pwd = mysql_query("select pwd from parents where id='$_SESSION[user_id]'");
    list($old) = mysql_fetch_row($rs_pwd);
    // check for old password in md5 format
    if ($old == md5($_POST['pwd_old']))
    {
        $newmd5 = md5(mysql_real_escape_string($_POST['pwd_new']));
        mysql_query("update parents set pwd='$newmd5' where id='$_SESSION[user_id]'");
        header("Location: mysettings.php?msg=Your new password is updated");
    } else
    {
        header("Location: mysettings.php?msg=Your old password is invalid");
    }
}

if (isset($_POST['doSave']) && $_POST['doSave'] == 'Save')
{
    // Filter POST data for harmful code (sanitize).
    // filter() comes from dbc.php; it is what removes the HTML tags typed into the textarea.
    foreach ($_POST as $key => $value) {
        $data[$key] = filter($value);
    }

    mysql_query("UPDATE parents SET
        `teacher` = '$data[teacher]',
        `homework` = '$data[homework]',
        `projects` = '$data[projects]',
        `schedules` = '$data[schedules]',
        `news` = '$data[news]'
        WHERE id='$_SESSION[user_id]'
        ") or die(mysql_error());

    header("Location: teacher2.php?msg=Message successfully saved");
}

?>
<html>
<head>
<title>Teacher Entry Form</title>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
</head>

<body>
<table width="100%" border="0" cellspacing="0" cellpadding="5" class="main">
  <tr> 
    <td colspan="3"> </td>
  </tr>
  <tr> 
    <td width="160" valign="top">
<?php 
if (isset($_SESSION['user_id'])) {?>
<?php } 
/*******************************END**************************/
?>
      <p> </p>
      <p> </p>
      <p> </p>
      <p> </p></td>
    <td width="732" valign="top">
<h3 class="titlehdr">Teacher input form</h3>
<h3 class="titlehdr">Teacher Name <?php echo $_SESSION['first_name'];?> <?php echo $_SESSION['last_name'];?></h3>
      <p> 
        <?php	
      if (isset($_GET['msg'])) {
          // The message comes from the URL, so encode it for HTML output
          // (urlencode() is for building URLs, not for displaying text in a page)
          $message = htmlspecialchars($_GET['msg'], ENT_QUOTES, 'ISO-8859-1');
          echo "<div class=\"msg\">$message</div>";
      }
  ?>
      </p>
      <p>Here you can make changes to your message. </p>
  <?php while ($row_settings = mysql_fetch_array($rs_settings)) {?>
      <form action="teacher2.php" method="post" name="myform" id="myform">
        <table width="60%" border="0" align="left" cellpadding="3" cellspacing="3" class="forms">
          <tr> 
            <td colspan="2">Teacher<span class="example"></span><br> 
              <textarea name="teacher" cols="80" rows="5"  id="teacher"><?php echo $row_settings['teacher']; ?></textarea> 
            </td>
          </tr>
          <tr> 
            <td> </td>
            <td> </td>
          </tr>
        <tr ><td><p align="right"> 
          <input name="doSave" type="submit" id="doSave" value="Save">
        </p></td></tr>
        </table>
      </form>
  <?php } ?>
  </td>      
</table>

</body>
</html>

https://forums.phpfreaks.com/topic/202791-can-i-use-html-in-this-form/

Thanks -Karl-  I tried it with htmlentities() but it just copies the whole command literally not as HTML. So you are saying that I would be open to security risks by embedding HTML into the mysql database?  How else can I get around it? Is there a way? Thanks again.

What htmlentities does is turn <, >, /, etc. into their HTML codes. Then these codes are put into the database. However, when selecting the information and displaying it on a page, it will have the original HTML tags again.

 

I'm not sure what dilemma you are facing.

 

I meant to put htmlspecialchars, not htmlentities. xD

When I use htmlentities() it takes this: htmlentities(<a href="http://www.mydomain.com">My Domain</a>,ENT_COMPAT,UTF-8) and changes it to this: htmlentities(My Domain,ENT_COMPAT,UTF-8)  It doesn't save the HTML for some reason it just saves the second example to the database.

Storing raw HTML in the database should not be a security risk as long as you use the function mysql_real_escape_string when storing the string. The htmlentities function should be used when displaying the HTML back to the user, so it doesn't get executed.

 

Ken

Thanks kenrbnsn, I'm hoping to allow users to enter the HTML (mostly Hyperlinks) via a text area. How would that work? Is it possible?

It would work the same as putting normal text into a database. If it's very limited HTML you want to enter into the db you might want to consider using BBCode instead.

Thanks for your comments dj Kat, When I use HTML in the textarea, then click save, the textarea seems to strip out the HTML and save only the text like the example I showed above. When I use BB code it saves the whole link literally but when displayed it is not a link.  I have looked up all the Google references to mysql_real_escape_string() but I don't understand how the examples relate to my problem. (I'm a novice) I hate to impose but I could sure use an example that relates to a textarea. Thanks again for the support.

When I use BB code it saves the whole link literally but when displayed it is not a link. 

You need server-side code that translates BB code to HTML for that. BB code is not magically turned into HTML by itself. Try a search for BBCode on this forum; there are quite a few threads on that subject.

 

I have looked up all the Google references to mysql_real_escape_string() but I don't understand how the examples relate to my problem.

You need to escape data so that it won't break the query when querying a database. Or, in the worst-case scenario, hack your database because you haven't escaped the user input.

 

for example:

<?php
$html = "<h1>It's a heading</h1>";
$sql = "UPDATE `your_table` SET `html`= '$html' WHERE id=1";
mysql_query($sql);

In this case it would break the query.

 

I also suggest you read up a bit on SQL injection; that will make it clear why you should escape string data before you do a query.
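The two points made in this thread, kenrbnsn's "protect the query when storing, encode when displaying" and dj Kat's "BB code needs server-side code to become HTML", fit together in one small script. The following is an added example, not code from the thread or from okrobie's form; it assumes a PDO connection to an in-memory SQLite table named `parents` as a stand-in for the MySQL table, a hypothetical user id of 7, and a constructed sample message. The store path uses a prepared statement instead of mysql_real_escape_string, which is the modern equivalent of the escaping dj Kat describes, and the render path follows the BBCode suggestion rather than the HTML sanitizer okrobie settled on.

```php
<?php
// Added example: keep the user's text exactly as typed, let the database driver
// handle quoting, and only build HTML when the text is shown in the browser.

// Store the raw textarea contents. The bound parameter means an apostrophe,
// <, > or a quote cannot break the query, so nothing needs stripping first.
function save_message(PDO $db, int $userId, string $news): void
{
    $stmt = $db->prepare('UPDATE parents SET news = :news WHERE id = :id');
    $stmt->execute([':news' => $news, ':id' => $userId]);
}

function load_message(PDO $db, int $userId): string
{
    $stmt = $db->prepare('SELECT news FROM parents WHERE id = :id');
    $stmt->execute([':id' => $userId]);
    return (string) $stmt->fetchColumn();
}

// Render for the browser: encode everything first (this is the htmlspecialchars
// step kenrbnsn mentions), then translate the one piece of markup we accept,
// [url=...]text[/url], into a link. Because encoding already happened, the link
// text cannot carry live tags, and the pattern only accepts http(s) targets,
// so a "javascript:" URL never becomes an href.
function render_message(string $raw): string
{
    $safe = htmlspecialchars($raw, ENT_QUOTES, 'UTF-8');
    return preg_replace(
        '~\[url=(https?://[^\s\]"\'<>]+)\]([^\[]+)\[/url\]~i',
        '<a href="$1" rel="nofollow">$2</a>',
        $safe
    );
}

// --- Demonstration with a constructed table and message ---
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE parents (id INTEGER PRIMARY KEY, news TEXT)');
$db->exec("INSERT INTO parents (id, news) VALUES (7, '')");

// Constructed sample input: an apostrophe (the character that breaks an
// unescaped query), a raw <script> tag (must come out inert), and a BBCode
// link (should come out as a real <a> element).
$input = "It's Monday. <script>alert(1)</script> "
       . "See [url=https://www.mydomain.com/?a=1&b=2]My Domain[/url]";

save_message($db, 7, $input);
$stored = load_message($db, 7);

echo "Stored unchanged: " . var_export($stored === $input, true) . "\n";
echo render_message($stored) . "\n";
// The rendered line shows the apostrophe and <script> as encoded text and the
// BBCode as: <a href="https://www.mydomain.com/?a=1&amp;b=2" rel="nofollow">My Domain</a>
```

Run it with `php` on the command line (the pdo_sqlite extension ships with most PHP builds). The order inside `render_message` is the important design choice: encode first, then add markup, so the only HTML that ever reaches the page is the anchor tag the function itself writes. Doing it the other way round, building the link and then encoding, would turn the anchor back into visible text, which is the symptom okrobie describes with htmlentities.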

 

Someone from another board directed me to HTML Sanitizer http://www.phpclasses.org/package/3746-PHP-Remove-unsafe-tags-and-attributes-from-HTML-code.html It does exactly what I wanted and is easy to install. Thanks for all the help on this board. It is appreciated.
