bigrossco Posted January 11, 2007 Share Posted January 11, 2007 is their anyway i can change this code:[code]<phpfunction replace_tags1($bus_name) { $html = array("<", ">"); $text = array("<", ">"); return str_replace($html, $text, $bus_name);}?>[/code]To change what is stored on the database? the above code is only removing what is enterd when displayed on PHP but it still store's the data with < > into the database Quote Link to comment Share on other sites More sharing options...
taith Posted January 11, 2007 Share Posted January 11, 2007 <?function rawcode($string){ return addslashes(htmlspecialchars("$string", ENT_QUOTES));}?> Quote Link to comment Share on other sites More sharing options...
bigrossco Posted January 11, 2007 Author Share Posted January 11, 2007 tried that code but it dosent update the input into the database and also on the php view its just blank Quote Link to comment Share on other sites More sharing options...
taith Posted January 11, 2007 Share Posted January 11, 2007 then something else is wrong... that function does work properly Quote Link to comment Share on other sites More sharing options...
bigrossco Posted January 11, 2007 Author Share Posted January 11, 2007 this is my code:[code]<table><tr><form method="post"><tr><td>Date:</td><td><input type = "text" name="date" >Please enter as YYYY/MM/DD</td></tr><tr><td>Announcement:</td> <label><td> <textarea name="notes"></textarea> </label></td></tr><tr><td></td><td><input type="submit" name="submit" value="Add Announcement"></td> </form></tr></td></tr> </table><?phpif (isset($_POST['submit'])) {// form submitted// set server access variables $host = "$lang_dbhost"; $user = "$lang_dbuser"; $pass = "$lang_dbpass"; $db = "$lang_dbase";// get form input // check to make sure its all there // escape input values for greater safety$date = empty($_POST['date']) ? die ("ERROR: Enter the Date") : mysql_escape_string($_POST['date']);$notes = empty($_POST['notes']) ? die ("ERROR: Enter the Announcement") : mysql_escape_string($_POST['notes']); // open connection $connection = mysql_connect($host, $user, $pass) or die ("Unable to connect!"); // select database mysql_select_db($db) or die ("Unable to select database!"); // create query $query = "INSERT INTO news (date, text) VALUES ('$date', '$notes')"; // execute query $result = mysql_query($query) or die ("Error in query: $query. ".mysql_error()); // print message of confermation echo "Staff Announcement Added"; // close connection mysql_close($connection);}?>[/code] Quote Link to comment Share on other sites More sharing options...
taith Posted January 11, 2007 Share Posted January 11, 2007 not tested... but it should work :-)[code]<form method="post"><table> <tr> <td>Date:</td> <td><input type = "text" name="date" >Please enter as YYYY/MM/DD</td> </tr> <tr> <td>Announcement:</td> <td><label><textarea name="notes"></textarea></label></td> </tr> <tr> <td></td> <td><input type="submit" name="submit" value="Add Announcement"></td> </tr></table></form><?phpif(isset($_POST['submit'])){ $host = "$lang_dbhost"; $user = "$lang_dbuser"; $pass = "$lang_dbpass"; $db = "$lang_dbase"; $date = empty($_POST['date']) ? die ("ERROR: Enter the Date") : mysql_escape_string($_POST['date']); $notes = empty($_POST['notes']) ? die ("ERROR: Enter the Announcement") : mysql_escape_string($_POST['notes']); $notes = rawcode($notes); $connection = mysql_connect($host, "$user, $pass) or die ("Unable to connect!"); mysql_select_db($db) or die ("Unable to select database!"); $query = "INSERT INTO news (date, text) VALUES ('$date', '$notes')"; $result = mysql_query($query) or die ("Error in query: $query. ".mysql_error()); echo "Staff Announcement Added"; mysql_close($connection);}function rawcode($string){ return addslashes(htmlspecialchars("$string", ENT_QUOTES));}?>[/code] Quote Link to comment Share on other sites More sharing options...
bigrossco Posted January 11, 2007 Author Share Posted January 11, 2007 still allows the input of <script > which i am wanting to stop I also want to stop arbitrary HTML code being enterd so basicly i dont want any arbitrary HTML and scripting code to be allowed to be stored in the db / viewable on the php page (this is a problem i have had reported to me as a vunrability which is executed in a user's browser session in context of an affected site when the offending data is viewed Quote Link to comment Share on other sites More sharing options...
bigrossco Posted January 11, 2007 Author Share Posted January 11, 2007 can i just check it looks like it is working, is it supposed to add \\\ in scripts ? Quote Link to comment Share on other sites More sharing options...
taith Posted January 11, 2007 Share Posted January 11, 2007 yes... that function changes[code]<script> --> <script>[/code]if you were wanting to remove all tags, you'd want the strip_tags() function... Quote Link to comment Share on other sites More sharing options...
bigrossco Posted January 11, 2007 Author Share Posted January 11, 2007 ok thanks Quote Link to comment Share on other sites More sharing options...
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.