Jump to content

Slipslashes or Htmlspecialchars??

gc40

By gc40
in PHP Coding Help

 Share

Recommended Posts

gc40 Member

gc40

Posted
Posted

Greetings All,

I wrote a script to update my news article. However, when I go to edit the title and news, if a ' exist, then the update fails. I know from previous work, that either slipslashes or htmlspecialchars should do the trick, I am just not sure which one, or where to put them.

 

Would anyone be able to point me in the right direction of where I should include these statements... or if you have an alternative fix, please post.

 

Keep in mind that I can update articles once the article Title or News body doesn't contain a ' inside of the content. Once a ' exist, then it crashes the script and nothing updates.

 

Here is the script below:

 

<script language="javascript" type="text/javascript" src="jscripts/tiny_mce/tiny_mce.js"></script>
<script language="javascript" type="text/javascript">
// Notice: The simple theme does not use all options some of them are limited to the advanced theme
tinyMCE.init({
	mode : "textareas",
	theme : "simple"
});
</script>
<?php
//error_reporting(E_ALL);
include ("../class/config.php");
$today = date("Y-m-d");

$submit=$_REQUEST['submit'];
$id=$_REQUEST['id'];
$del=$_REQUEST['del'];
$year=$_REQUEST['year'];
$month=$_REQUEST['month'];
$day=$_REQUEST['day'];

if(isset($submit))
{
$fulldate = $year . "-" . $month . "-" . $date;

  if($submit == 'Delete')
{
	$sql = "delete from news_saxon_saxon where NEWSID = '$id'";

	$result = mysql_query($sql, $db);

	if($result)
	{
		echo("The news article was deleted successfully.");
		echo("<form action='news_admin_index.php?action=editnews' method='POST'><p>");
		echo("<input type='submit' name='submit' value='OK' class=\"submit button\"></form)");
	}

}

else if($submit == 'Update')
{
	$news=$_POST['NEWS'];
	$title=$_POST['TITLE'];
	$postdate = $year."-".$month."-".$day;
	$sql = "update news_saxon_saxon set TITLE='$title',NEWS='$news', Date='$postdate' where NEWSID='$id'";

	$result = mysql_query($sql, $db);
	if($result)
	{
		echo "$sql";
		echo("The news article was updated successfully.");
		echo("<form action='news_admin_index.php?action=editnews' method='POST' onSubmit='fnsubmit()'>");
		echo("<input type='submit' name='submit' value='OK' class=\"submit button\"></form)");
	}

}



else if (($submit == 'Cancel') || ($submit == 'OK'))
{ 	//header("Location:http://www.bviddm.com/control/nav_index.php?action=editstory"); 
	?>
	<script language="Javascript" type="text/javascript"> 
	document.location.href='news_admin_index.php?action=editnews'
	</script>
   <?
}
}


else
{

if(isset($del))
{
	$sql = "select * from news_saxon_saxon where NEWSID = '$id'";
	$navset = mysql_query($sql, $db);
	$onenav = mysql_fetch_object($navset);
	echo("Are you sure you want to delete this news article ");
	echo($onenav->NEWSID);
	echo("?");
	echo("<form action='news_admin_index.php?action=editnews' method='POST' onSubmit='fnsubmit()'>");
	echo("<input type='hidden' name='id' value=" . $onenav->NEWSID . ">");
	echo("<table><tr><td><input type='submit' name='submit' value='Delete' class=\"submit button\"></td><td><input type='submit' name='submit' value='Cancel' class=\"submit button\"></td></tr></table></form)");
}
else
{
	if(isset($id))
	{
$sql = "select * from news_saxon_saxon where NEWSID = '$id'";
$postdate = $year."-".$month."-".$day;
$navset = mysql_query($sql, $db);
$onenav = mysql_fetch_object($navset);
//list($year, $month, $day) = explode ("-", $row['DATE']);
list($year, $month, $day) = explode ("-", date("Y-m-d"));
		?>
<form action= "news_admin_index.php?action=editnews" method="post">
    <input type='hidden' name='id' value=<?php echo($id); ?>>
    <table>
    <tr><td>Day:</td><td>
    <select name="day" id="day" value=<?php echo($day); ?>>
    <?php
    for ($i = 1; $i <= 31; $i++)
    {
        if ($i == $day) echo "<option value=\"$i\" selected=\"selected\">$i</option>\n";
        else echo "<option value=\"$i\">$i</option>\n";
    }
    ?>
    </select> 
    </td>
    </tr>
    <tr>
        <td>Month:</td><td> 
        <select name="month" id="month" value=<?php echo($month); ?>>
        <?php
            $monthList=array(
            1 => "January",
            2 => "February",
            3 => "March",
            4 => "April",
            5 => "May",
            6 => "June",
            7 => "July",
            8 => "August",
            9 => "September",
            10 => "October",
            11 => "November",
            12 => "December");
        
        foreach($monthList as $code => $monthname)
        {
            if ($code == $month) echo "<option value=\"$code\" selected=\"selected\">$monthname</option>\n";
            else echo "<option value=\"$code\">$monthname</option>\n";
        
        }
        ?>
        </select> 
        </td></tr>
        <tr>
        <td>Year:</td><td>
        <select name="year" id="year" value=<?php echo($year); ?>>
        <?php
        $this_year = date("Y");
        for ($i = $this_year; $i <= $this_year+10; $i++)
        {
            if ($i == $year) echo "<option value=\"$i\" selected=\"selected\">$i</option>\n";
            else echo "<option value=\"$i\">$i</option>\n";
        }
        ?>
        </select><?php $postdate = $year."-".$month."-".$day;?></td>
        </tr>    <tr><td>Title</td><td><input type="text" name="TITLE" value=<?php echo($onenav->TITLE);?>></td></tr>
    <tr><td>News</td><td><textarea name="NEWS" id="NEWS"><?php echo($onenav->NEWS);?></textarea></td></tr>
    <tr><td colspan="2"><input type="submit" value="Update" name="submit" class="submit button"></td></tr>
    </table>
</form>
<?php
	}

	else 
	{
?>

<table width="100%">
<tr><th class='right_title'>Date</th><th class='right_title'>Title</th>
<th colspan=2><center>Action</center></th></tr>

<?php

$navquery = "select * from news_saxon_saxon";

$navresult = mysql_query($navquery);
while ($row = mysql_fetch_object($navresult))
{
echo ("<tr>"."<td>".$row->DATE."</td>"."<td>".$row->TITLE."</td>");

echo("<td>"."<p align='center'>"."<a href='news_admin_index.php?action=editnews&id=$row->NEWSID'>"."<img src='..\images\button_edit.png' border='0' alt="."Edit".">"."</td>".
"<td><p align='center'>"."<a href='news_admin_index.php?action=editnews&id=$row->NEWSID&del=$row->NEWSID'>"."<img src='..\images\button_drop.png' border='0' alt="."Delete"."></td></tr>");
}

	}
?>


</table>
<?php

}} ?>

Link to comment
Share on other sites
dbo Member

dbo

Posted
Posted

When you insert into the database you need to use addslashes... actually the escape functions native to your database are best.... such as mysql_real_escape_string. Then when you pull it out of the DB you want to stripslashes first.... then do htmlentities or htmlspecialchars.

Link to comment
Share on other sites
This thread is more than a year old. Please don't revive it unless you have something important to add.

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Restore formatting

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
 Share
Go to topic listing
×
×
  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.