okrobie Posted May 25, 2010 Share Posted May 25, 2010 Hello, this is a form for retrieving and adding text to a database. I would like to use some HTML, mainly hyperlinks, mixed in with the text but in it's present form it won't accept the HTML. Is there a way to do it? Thanks, okrobie <?php include 'dbc.php'; //database credentials page_protect(); $rs_settings = mysql_query("select * from parents where id='$_SESSION[user_id]'"); if($_POST['doUpdate'] == 'Update') { $rs_pwd = mysql_query("select pwd from parents where id='$_SESSION[user_id]'"); list($old) = mysql_fetch_row($rs_pwd); //check for old password in md5 format if($old == md5($_POST['pwd_old'])) { $newmd5 = md5(mysql_real_escape_string($_POST['pwd_new'])); mysql_query("update parents set pwd='$newmd5' where id='$_SESSION[user_id]'"); header("Location: mysettings.php?msg=Your new password is updated"); } else { header("Location: mysettings.php?msg=Your old password is invalid"); } } if($_POST['doSave'] == 'Save') { // Filter POST data for harmful code (sanitize) foreach($_POST as $key => $value) { $data[$key] = filter($value); } mysql_query("UPDATE parents SET `teacher` = '$data[teacher]', `homework` = '$data[homework]', `projects` = '$data[projects]', `schedules` = '$data[schedules]', `news` = '$data[news]' WHERE id='$_SESSION[user_id]' ") or die(mysql_error()); header("Location: teacher2.php?msg=Message sucessfully saved"); } ?> <html> <head> <title>Teacher Entry Form</title> <meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1"> </head> <body> <table width="100%" border="0" cellspacing="0" cellpadding="5" class="main"> <tr> <td colspan="3"> </td> </tr> <tr> <td width="160" valign="top"> <? if (isset($_SESSION['user_id'])) {?> <? } /*******************************END**************************/ ?> <p> </p> <p> </p> <p> </p> <p> </p></td> <td width="732" valign="top"> <h3 class="titlehdr">Teacher input form</h3> <h3 class="titlehdr">Teacher Name <? echo $_SESSION['first_name'];?> <? echo $_SESSION['last_name'];?></h3> <p> <? if (isset($_GET['msg'])) { $message = urlencode($_GET['msg']); echo "<div class=\"msg\">$message</div>"; } ?> </p> <p>Here you can make changes to your message. </p> <? while ($row_settings = mysql_fetch_array($rs_settings)) {?> <form action="teacher2.php" method="post" name="myform" id="myform"> <table width="60%" border="0" align="left" cellpadding="3" cellspacing="3" class="forms"> <tr> <td colspan="2">Teacher<span class="example"></span><br> <textarea name="teacher" cols="80" rows="5" id="teacher"><? echo $row_settings['teacher']; ?></textarea> </td> </tr> <tr> <td> </td> <td> </td> </tr> <tr ><td><p align="right"> <input name="doSave" type="submit" id="doSave" value="Save"> </p></td></tr> </table> </form> <? } ?> </td> </table> </body> </html> Quote Link to comment Share on other sites More sharing options...
teamatomic Posted May 25, 2010 Share Posted May 25, 2010 You already are, the form itself is html, just add it where you want it. HTH Teamatomic Quote Link to comment Share on other sites More sharing options...
okrobie Posted May 25, 2010 Author Share Posted May 25, 2010 Hi teamatomic, thanks for your reply. I'm afraid I didn't make myself clear. When the form is active, I want to be able to enter HTML into the textarea and have it stored into the database as HTML. Is that possible? Quote Link to comment Share on other sites More sharing options...
-Karl- Posted May 25, 2010 Share Posted May 25, 2010 Yes it is, but that would leave it open to MySQL injections. Unless however, you used something like htmlentities(). Quote Link to comment Share on other sites More sharing options...
okrobie Posted May 25, 2010 Author Share Posted May 25, 2010 Thanks -Karl- I tried it with htmlentities() but it just copies the whole command literally not as HTML. So you are saying that I would be open to security risks by embedding HTML into the mysql database? How else can I get around it? Is there a way? Thanks again. Quote Link to comment Share on other sites More sharing options...
-Karl- Posted May 25, 2010 Share Posted May 25, 2010 What htmlentities does, is turns < > /, etc to their HTML codes. Then these codes are put into the database. However, when selecting the information and displaying it on a page, it will have the original HTML tags again. I'm not sure what dilemma you are facing. I meant to put htmlspecialchars, not htmlentities. xD Quote Link to comment Share on other sites More sharing options...
okrobie Posted May 25, 2010 Author Share Posted May 25, 2010 When I use htmlentities() it takes this: htmlentities(<a href="http://www.mydomain.com">My Domain</a>,ENT_COMPAT,UTF- and changes it to this: htmlentities(My Domain,ENT_COMPAT,UTF- It doesn't save the HTML for some reason it just saves the second example to the database. Quote Link to comment Share on other sites More sharing options...
kenrbnsn Posted May 25, 2010 Share Posted May 25, 2010 Storing raw HTML in the database should not be a security risk as long as you use the function mysql_real_escape_string when storing the string. The htmlentities function should be used when displaying the HTML back to the user, so it doesn't get executed. Ken Quote Link to comment Share on other sites More sharing options...
okrobie Posted May 27, 2010 Author Share Posted May 27, 2010 Thanks kenrbnsn, I'm hoping to allow users to enter the HTML (mostly Hyperlinks) via a text area. How would that work? Is it possible? Quote Link to comment Share on other sites More sharing options...
RichardRotterdam Posted May 27, 2010 Share Posted May 27, 2010 Thanks kenrbnsn, I'm hoping to allow users to enter the HTML (mostly Hyperlinks) via a text area. How would that work? Is it possible? It would work the same as putting normal text into a database. If it's very limited html you want to enter into the db you might want to concider using bbcode instead. Quote Link to comment Share on other sites More sharing options...
okrobie Posted May 27, 2010 Author Share Posted May 27, 2010 Thanks for your comments dj Kat, When I use HTML in the textarea, then click save, the textarea seems to strip out the HTML and save only the text like the example I showed above. When I use BB code it saves the whole link literally but when displayed it is not a link. I have looked up all the Google references to mysql_real_escape_string() but I don't understand how the examples relate to my problem. (I'm a novice) I hate to impose but I could sure use an example that relates to a textarea. Thanks again for the support. Quote Link to comment Share on other sites More sharing options...
RichardRotterdam Posted May 28, 2010 Share Posted May 28, 2010 When I use BB code it saves the whole link literally but when displayed it is not a link. You need serverside code that translate bb code to a htmlfor that. BB code is not magically turned into html by itself. Try a search for BBcode on this form there are quite a few threads on that subject. I have looked up all the Google references to mysql_real_escape_string() but I don't understand how the examples relate to my problem. You need to escape data so that it wont break the query when querying a database. Or in the worse case scenario hack your database because you haven't escaped the user input. for example: <?php $html = "<h1>It's a heading</h1>"; $sql = "UPDATE `your_table` SET `html`= '$html' WHERE id=1"; mysql_query($sql); In this case it would break the query. I also suggest you readup a bit on sql injections that will make it clear why you should escape string data before you do a query. Quote Link to comment Share on other sites More sharing options...
okrobie Posted June 2, 2010 Author Share Posted June 2, 2010 Someone from another board directed me to HTML Sanitizer http://www.phpclasses.org/package/3746-PHP-Remove-unsafe-tags-and-attributes-from-HTML-code.html It does exactly what I wanted and is easy to install. Thanks for all the help on this board. It is appreciated. Quote Link to comment Share on other sites More sharing options...
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.