
Hi,

 

I have a text area field on one of my forms in order for people to post articles, however, it doesn't work when I try and post HTML through it. It works if I post normal text. Also, PHP won't give me an error, it just doesn't insert it?

<?php

if ($_POST['add']) {
    $title   = addslashes($_POST['title']);
    $image   = htmlspecialchars($_POST['image']);
    $source  = mysql_real_escape_string($_POST['source']);
    $active  = $_POST['active'];
    $feature = $_POST['feature'];
    $cat_id  = $_POST['cat_id'];
    $content = htmlspecialchars($_POST['content']);
    $months  = array(
        "",
        "January",
        "February",
        "March",
        "April",
        "May",
        "June",
        "July",
        "August",
        "September",
        "October",
        "November",
        "December"
    );
    $date    = date('d', time()) . ' ' . $months[date('n', time())] . ' ' . date('Y', time());
    if ($title == NULL || $image == NULL || $content == NULL) {
        echo '<br /><br /><center>Please, fill all inputs</center><br /><br />';
    } else {
        $add = "INSERT INTO `news` cat_id='$cat_id', title='$title', image='$image', content='$content', date='$date', author='".$user['admin']."', authorid='".$user['id']."', source='$source', active='$active', twitter='".$user['twitter']."', featured='$feature'" or die(mysql_error());
        $sql = mysql_query($add);
        $addgrowl = "INSERT INTO `growl` (toid, message) VALUES ('$id', 'Your article is now online!')";
        $sql = mysql_query($addgrowl);
        echo '<script type="text/javascript">
window.location = "articles.php"
</script>
';
    }
}
?>

Help :-(

None of this makes a lot of sense.

  • The first INSERT query isn't valid SQL syntax. I'm not even sure what you're trying to do there. Did you mix up the syntax of UPDATE and INSERT? Did you want to use the special INSERT INTO ... SET ... syntax provided by MySQL?
  • The query is wide open to SQL injections. You're randomly applying three different escaping functions to some of the values, but you don't seem to understand what they do and when to use them.
  • You're applying or die(mysql_error()) to a string?
  • Do you really want the whole world to see your database errors?
  • The mysql_* functions have been obsolete for more than 10 years, they're deprecated since PHP 5.5, and they will be removed in one of the next PHP versions. It's about time to switch.
  • The center element is obsolete since HTML 4. That was back in 1997!
  • A redirect with JavaScript? Why not an actual HTTP redirect with the header() function?
  • This date() thing is odd. I think what you actually want is date('d F Y').
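The same insert rewritten along the lines of the points above, as an added example that is neither the poster's nor the replier's code. It assumes a PDO connection in `$pdo` configured to throw on errors, the logged-in user's row in `$user` as in the original snippet, and the growl row addressed to `$user['id']` (the original's `$id` is never defined).

```php
<?php
// Added example, not the poster's code. Assumes $pdo (PDO with
// ERRMODE_EXCEPTION) and $user (the logged-in user's row) already exist.

if (isset($_POST['add'])) {
    // No hand escaping: a prepared statement keeps data out of the SQL text,
    // and htmlspecialchars() belongs where the content is rendered, not here.
    $title   = trim($_POST['title']   ?? '');
    $image   = trim($_POST['image']   ?? '');
    $content = trim($_POST['content'] ?? '');

    if ($title === '' || $image === '' || $content === '') {
        echo '<p>Please fill in all inputs.</p>';
        exit;
    }

    // date('d F Y') yields e.g. "05 March 2014" without the month array.
    $date = date('d F Y');

    $stmt = $pdo->prepare(
        'INSERT INTO `news`
            (cat_id, title, image, content, date, author, authorid,
             source, active, twitter, featured)
         VALUES
            (:cat_id, :title, :image, :content, :date, :author, :authorid,
             :source, :active, :twitter, :featured)'
    );
    $stmt->execute([
        ':cat_id'   => (int) ($_POST['cat_id'] ?? 0),
        ':title'    => $title,
        ':image'    => $image,
        ':content'  => $content,   // stored as submitted; sanitise on output
        ':date'     => $date,
        ':author'   => $user['admin'],
        ':authorid' => $user['id'],
        ':source'   => $_POST['source'] ?? '',
        ':active'   => (int) ($_POST['active'] ?? 0),
        ':twitter'  => $user['twitter'],
        ':featured' => (int) ($_POST['feature'] ?? 0),
    ]);

    $growl = $pdo->prepare('INSERT INTO `growl` (toid, message) VALUES (:toid, :msg)');
    $growl->execute([':toid' => $user['id'], ':msg' => 'Your article is now online!']);

    // Real HTTP redirect instead of JavaScript; nothing may be output before it.
    header('Location: articles.php');
    exit;
}
```

With ERRMODE_EXCEPTION a failed query throws instead of silently returning false, which is why the original never showed an error; log the exception server-side rather than echoing it to the visitor.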