
Don't allow &nbsp, &copy, &paste, etc. is there a php function?


shortysbest


I'm using that. I have it so when you send the status message it uses this:

 

$status = htmlentities((get_magic_quotes_gpc())?mysql_real_escape_string(stripslashes($_POST['status'])):mysql_real_escape_string($_POST['status']));

 

then to call it from the database:

$msg = htmlentities(get_magic_quotes_gpc())?nl2br(strip_tags(stripslashes($_POST['status']))):nl2br(strip_tags($_POST['status']));


You shouldn't be performing htmlentities when you're inserting the data into and when displaying it from the database.

 

You also have a problem with this line:

 

$msg = htmlentities(get_magic_quotes_gpc())?nl2br(strip_tags(stripslashes($_POST['status']))):nl2br(strip_tags($_POST['status']));

 

You're messing up the parentheses. Your conditional is htmlentities(get_magic_quotes_gpc()).


<?php  session_start(); error_reporting(0); include('../../connect.php'); include('../../ajaxvars.php');
$uid = $_SESSION['uid'];
if(isset($_POST['status']))
{

///////////INSERT TO DATABASE//////////////////////////////
$status = htmlentities((get_magic_quotes_gpc())?mysql_real_escape_string(stripslashes($_POST['status'])):mysql_real_escape_string($_POST['status']));
//////////////////////////////////////////////////////

$date = date('Y-m-d h:m:s e');
mysql_query("INSERT INTO status VALUES('','$status','$uid', '$session', '$date')") or die('There was an error connecting to the database at this time.');
$sql_in= mysql_query("SELECT * FROM status ORDER BY id DESC");
$r = mysql_fetch_array($sql_in);
///////////GET FROM DATABASE //////////////////////////////////////////////////
$msg = htmlentities(get_magic_quotes_gpc())?nl2br(strip_tags(stripslashes($_POST['status']))):nl2br(strip_tags($_POST['status']));
////////////////////////////////////////////////////////////////////////
$msg_id = $r['id'];

$from_id = $session;
$query = mysql_query("SELECT * FROM users WHERE id='$from_id'");
$ua = mysql_fetch_assoc($query);
}
?>
<li class="bar<?php echo $msg_id; ?>"><div class="profile-comment-container"><div onClick="<?php print $userlink;?>" class="profile-comment-thumb"><img src="assets/l_6d3ec56cb4bc4edf84b4b12ada71e19e.jpg" width="60" height="60" border="0"></div><div class="profile-comment-message">
<b><a class="user-link" href="index.php?node=profile&user=<?php print $uid;?>"><?php print $ua['fname'].' '.$ua['mname'].' '.$ua['lname'];?></a></b> <?php print $msg;?>
<div class="profile-comment-extras">Comment<div class="profile-comment-date"><?php print date('g:m A \\o\n  l, F j, Y', strtotime($status['date']));?></div></div>
</li>


Why are you reading from the $_POST array when you're getting the data from the database? Shouldn't you be doing something like this?:

 

$msg = nl2br(stripslashes($r['status']));


This isn't making much sense.

 

You're trying to fade the comments in and getting the data via AJAX?

 

Your code is getting $msg from whatever you sent to the file via AJAX, that's not getting it from the database at all. You need to explain better because this really isn't making any sense.  :shrug:


In this file, update_status.php, $msg gets its data from the $_POST from the form on the other page, which in my case is profile.php. I use AJAX to post the comment with the data that it gets from the form while the user is on the status page; AJAX posts to this file I have above.

 

When I say the comments fade in, I don't mean all of them. Just when the user, any user, comments on the profile (hits the comment button), it fades the new comment in using the POST data, and it sends it to the database as well, but to get the fade-in of the new comment when they post it, it uses the POST data to display that.

 

I hope I have explained it well enough. :\ But my problem is just the &nbsp etc.


Did you try fixing what I said initially? If that's fixed it should work:

 

$msg = htmlentities(get_magic_quotes_gpc() ? nl2br(strip_tags(stripslashes($_POST['status']))) : nl2br(strip_tags($_POST['status'])));


Aside from the fact that you should be performing nl2br after htmlentities so you don't remove the HTML line breaks you just inserted, it does work as expected, I just tested.

 

$msg = nl2br(htmlentities(get_magic_quotes_gpc() ? strip_tags(stripslashes($_POST['status'])) : strip_tags($_POST['status'])));

 

When you enter &nbsp; into the form you see &nbsp; (&amp;nbsp; in the HTML), not a space.


To make sure there are characters:

if(!preg_match("/[a-z]+/i", $input)){
   exit("Error: Must contain some Text");
}

 

Dirty way to make sure they don't use entity characters:

if(html_entity_decode($input) != $input){
   exit("Error: Cannot contain HTML Entity codes (&nbsp; etc)");
}

 

Another dirty way to check they don't use HTML tags:

if(strip_tags($input) != $input){
   exit("Error: Cannot contain HTML Tags (<b>, <i> etc)");
}

 

-cb-

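Pulling the thread's advice together (validate the raw input with cb's three checks, store it unescaped via a prepared statement instead of mysql_real_escape_string, read the message back from the database row rather than $_POST, and escape on output with htmlentities before nl2br), here is an added example that is not code from the thread. It assumes a PDO connection in $pdo, a table status(id, status, uid, date) and the same $_POST['status'] and $uid names the original file uses.

```php
<?php
// Added example, not from the thread. Assumes $pdo (PDO) and $uid exist.

// 1. Validate the raw text once, before it goes anywhere near the database.
//    Returns an error string, or null when the input is acceptable.
function validate_status(string $input): ?string
{
    // Must contain some letters (cb's first check).
    if (!preg_match('/[a-z]+/i', $input)) {
        return 'Error: Must contain some Text';
    }
    // Reject literal entity codes such as &nbsp; or &copy; typed by the user:
    // if decoding changes the string, an entity was present.
    if (html_entity_decode($input, ENT_QUOTES, 'UTF-8') !== $input) {
        return 'Error: Cannot contain HTML Entity codes (&nbsp; etc)';
    }
    // Reject HTML tags the same way: stripping must be a no-op.
    if (strip_tags($input) !== $input) {
        return 'Error: Cannot contain HTML Tags (<b>, <i> etc)';
    }
    return null;
}

// 2. Store the text unescaped. The prepared statement handles quoting, so
//    neither mysql_real_escape_string nor htmlentities belongs here.
function insert_status(PDO $pdo, string $text, int $uid): int
{
    $stmt = $pdo->prepare('INSERT INTO status (status, uid, date) VALUES (?, ?, NOW())');
    $stmt->execute([$text, $uid]);
    return (int) $pdo->lastInsertId();
}

// 3. Escape only at output time: htmlentities first, then nl2br, so the
//    <br /> tags that nl2br inserts are not themselves escaped.
function render_status(string $storedText): string
{
    return nl2br(htmlentities($storedText, ENT_QUOTES, 'UTF-8'));
}

if (isset($_POST['status'])) {
    // Same magic_quotes handling the thread uses (removed in PHP 7.4+/8).
    $raw = get_magic_quotes_gpc() ? stripslashes($_POST['status']) : $_POST['status'];
    if (($err = validate_status($raw)) !== null) {
        exit($err);
    }
    $id = insert_status($pdo, $raw, (int) $uid);
    // Display the row that was stored, not the $_POST value.
    $stmt = $pdo->prepare('SELECT status FROM status WHERE id = ?');
    $stmt->execute([$id]);
    $msg = render_status($stmt->fetchColumn());
}
```

With this order, a user who types the literal text &nbsp; is rejected by validate_status, and any text that does get stored is shown back as text (the browser sees &amp;nbsp;), never as markup.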
