bigrossco Posted January 11, 2007

Is there any way I can change this code:

[code]
<?php
function replace_tags1($bus_name) {
    // HTML-encode angle brackets so tags are shown as text, not rendered
    $html = array("<", ">");
    $text = array("&lt;", "&gt;");
    return str_replace($html, $text, $bus_name);
}
?>
[/code]

to change what is stored in the database? The above code only removes what is entered when it is displayed in PHP, but it still stores the data with < > in the database.

Link to comment https://forums.phpfreaks.com/topic/33733-some-php-help/
taith Posted January 11, 2007

[code]
<?php
function rawcode($string) {
    // Entity-encode <, >, &, " and ', then backslash-escape quotes and backslashes
    return addslashes(htmlspecialchars($string, ENT_QUOTES));
}
?>
[/code]
bigrossco Posted January 11, 2007

Tried that code, but it doesn't update the input into the database, and on the PHP view it's just blank.
taith Posted January 11, 2007

Then something else is wrong... that function does work properly.
bigrossco Posted January 11, 2007

This is my code:

[code]
<table>
<tr>
<form method="post">
<tr><td>Date:</td><td><input type="text" name="date">Please enter as YYYY/MM/DD</td></tr>
<tr><td>Announcement:</td> <label><td> <textarea name="notes"></textarea> </label></td></tr>
<tr><td></td><td><input type="submit" name="submit" value="Add Announcement"></td>
</form>
</tr></td></tr>
</table>
<?php
if (isset($_POST['submit'])) {
    // form submitted
    // set server access variables
    $host = "$lang_dbhost";
    $user = "$lang_dbuser";
    $pass = "$lang_dbpass";
    $db   = "$lang_dbase";

    // get form input
    // check to make sure it's all there
    // escape input values for greater safety
    $date  = empty($_POST['date'])  ? die("ERROR: Enter the Date")         : mysql_escape_string($_POST['date']);
    $notes = empty($_POST['notes']) ? die("ERROR: Enter the Announcement") : mysql_escape_string($_POST['notes']);

    // open connection
    $connection = mysql_connect($host, $user, $pass) or die("Unable to connect!");

    // select database
    mysql_select_db($db) or die("Unable to select database!");

    // create query
    $query = "INSERT INTO news (date, text) VALUES ('$date', '$notes')";

    // execute query
    $result = mysql_query($query) or die("Error in query: $query. " . mysql_error());

    // print message of confirmation
    echo "Staff Announcement Added";

    // close connection
    mysql_close($connection);
}
?>
[/code]
taith Posted January 11, 2007

Not tested... but it should work :-)

[code]
<form method="post">
<table>
  <tr>
    <td>Date:</td>
    <td><input type="text" name="date">Please enter as YYYY/MM/DD</td>
  </tr>
  <tr>
    <td>Announcement:</td>
    <td><label><textarea name="notes"></textarea></label></td>
  </tr>
  <tr>
    <td></td>
    <td><input type="submit" name="submit" value="Add Announcement"></td>
  </tr>
</table>
</form>
<?php
if (isset($_POST['submit'])) {
    $host = "$lang_dbhost";
    $user = "$lang_dbuser";
    $pass = "$lang_dbpass";
    $db   = "$lang_dbase";

    $date  = empty($_POST['date'])  ? die("ERROR: Enter the Date")         : mysql_escape_string($_POST['date']);
    $notes = empty($_POST['notes']) ? die("ERROR: Enter the Announcement") : mysql_escape_string($_POST['notes']);
    // encode HTML in the announcement before it is stored
    $notes = rawcode($notes);

    $connection = mysql_connect($host, $user, $pass) or die("Unable to connect!");
    mysql_select_db($db) or die("Unable to select database!");

    $query  = "INSERT INTO news (date, text) VALUES ('$date', '$notes')";
    $result = mysql_query($query) or die("Error in query: $query. " . mysql_error());

    echo "Staff Announcement Added";
    mysql_close($connection);
}

function rawcode($string) {
    return addslashes(htmlspecialchars($string, ENT_QUOTES));
}
?>
[/code]
bigrossco Posted January 11, 2007

It still allows the input of <script>, which I am wanting to stop. I also want to stop arbitrary HTML code being entered, so basically I don't want any arbitrary HTML or scripting code to be allowed to be stored in the DB / viewable on the PHP page (this is a problem that has been reported to me as a vulnerability which is executed in a user's browser session in the context of an affected site when the offending data is viewed).
bigrossco Posted January 11, 2007

Can I just check: it looks like it is working, but is it supposed to add \\\ in scripts?
taith Posted January 11, 2007

Yes... that function changes

[code]
<script> --> &lt;script&gt;
[/code]

If you were wanting to remove all tags, you'd want the strip_tags() function...
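The approach below is an added example, not code from this thread: it keeps the announcement text unchanged in the database, uses a prepared statement for the INSERT instead of mysql_escape_string(), and applies htmlspecialchars() only when the page is rendered, which is what stops the stored <script> from running in a viewer's browser. It assumes PDO with an in-memory SQLite database standing in for the MySQL `news (date, text)` table, and the hostile announcement it inserts is constructed for the demonstration.

```php
<?php
// Added example, not from the thread. Store raw, escape on output.
// PDO + in-memory SQLite stands in for the MySQL `news` table (assumption).
declare(strict_types=1);

$pdo = new PDO('sqlite::memory:', null, null,
    [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$pdo->exec('CREATE TABLE news (date TEXT NOT NULL, text TEXT NOT NULL)');

// Insert the announcement exactly as typed. The bound parameter, not
// mysql_escape_string(), is what keeps the value out of the SQL grammar.
function add_announcement(PDO $pdo, string $date, string $notes): void
{
    // The form asks for YYYY/MM/DD, so enforce it rather than trust it.
    if (!preg_match('~^\d{4}/\d{2}/\d{2}$~', $date)) {
        throw new InvalidArgumentException('Date must be YYYY/MM/DD');
    }
    $stmt = $pdo->prepare('INSERT INTO news (date, text) VALUES (:date, :text)');
    $stmt->execute([':date' => $date, ':text' => $notes]);
}

// Encode at the point of output: <, >, &, " and ' become entities, so a
// stored <script> reaches the browser as literal text and is never executed.
function render_announcements(PDO $pdo): string
{
    $items = '';
    foreach ($pdo->query('SELECT date, text FROM news ORDER BY date') as $row) {
        $items .= '<li>' . htmlspecialchars($row['date'], ENT_QUOTES | ENT_HTML5, 'UTF-8')
                . ': ' . htmlspecialchars($row['text'], ENT_QUOTES | ENT_HTML5, 'UTF-8')
                . "</li>\n";
    }
    return "<ul>\n" . $items . "</ul>\n";
}

// Constructed input of the kind reported to the OP as an XSS vulnerability.
$hostile = '<script>alert("x")</script> it\'s "quoted"';
add_announcement($pdo, '2007/01/11', $hostile);

echo render_announcements($pdo);

// The stored text is unchanged, so it can be edited later or shown in a
// non-HTML context (plain-text e-mail, RSS) without undoing entity encoding.
$stored = $pdo->query('SELECT text FROM news')->fetchColumn();
echo $stored === $hostile ? "stored unchanged\n" : "stored altered\n";

// The thread's rawcode() escaped before storage instead. Stacking
// mysql_escape_string(), htmlspecialchars() and addslashes() leaves
// backslashes inside the saved text, which is the \\\ the OP asked about.
```

Because encoding happens once, at output, the same stored row can be rendered on several pages without the double-encoding that escape-before-store produces.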
bigrossco Posted January 11, 2007

OK, thanks.