I am using PHP and trying to save some HTML content in a MySQL database. The HTML content is generated by CKEditor. The content is something like this:
<p><img align="left" alt="" src="images/1im1.jpg" style="margin:1px 15px 0 0; border:1px solid #cecece; " /> <img alt="If syou love hot sauce" src="images/tit_If-you-love-hot-sauce.jpg" /></p><br>D'elidas is a fine<p>
I am using this in PHP:
$main_data = mysql_real_escape_string($_POST['content']);
This was working okay on my localhost (XAMPP), but it is not working online. My hosting is using the latest version of PHP and MySQL. After saving to the online database, I see this:
<p><img align=\"left\" alt=\"\" src=\"images/1im1.jpg\" style=\"margin:1px 15px 0 0; border:1px solid #cecece; \" /> <img alt=\"If syou love hot sauce\" src=\"images/tit_If-you-love-hot-sauce.jpg\" /></p>br>D\'elidas is a fine<p>
And that is why the HTML is not displaying correctly on my page. Please help me with this. It is adding slashes before quotes. I want to save the exact HTML and show it on the front end.
Your hosting company probably has magic quotes turned on: http://php.net/manual/en/security.magicquotes.php
You can't disable it in code, but Example 2 here shows a workaround: http://www.php.net/manual/en/security.magicquotes.disabling.php
It sounds like your host probably has magic_quotes_gpc turned on, which automatically adds slashes to single and double quotes in data coming in from $_GET, $_POST, and $_COOKIE.
You might want to create a wrapper function for escaping GPC data. As an example:
// Escape a GPC value for a MySQL string literal exactly once, whether or not
// magic_quotes_gpc has already added the slashes.
function mysql_escape_gpc($dirty)
{
    if (ini_get('magic_quotes_gpc'))
    {
        return $dirty;
    }
    else
    {
        return mysql_real_escape_string($dirty);
    }
}
This way your code is portable, regardless of how the server is configured.
Also, if your production environment supports it, you should consider looking into prepared statements. That way you don't have to worry about escaping your data; however, you would still need to unescape it in the event that magic_quotes_gpc is turned on.
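As an added example (not code from the answers above), this is the portable version of that idea: undo magic quotes once for the whole request, then store the CKEditor HTML with a PDO prepared statement, so nothing needs escaping on the way in or stripping on the way out. The DSN, credentials and the table pages(id, content) are assumptions; the same fix applies to the later threads on this page where slashes appear only on the live server.

```php
<?php
// Added example, not code from the answer above: undo magic quotes once for
// the whole request, then store the CKEditor HTML through a prepared statement.
// The DSN, credentials and the table pages(id, content) are assumed.

// Recursively strip the slashes magic_quotes_gpc added, so the rest of the
// script always works on the raw submitted text, on any host.
function gpc_unescape($value)
{
    if (is_array($value)) {
        return array_map('gpc_unescape', $value);
    }
    return stripslashes($value);
}

if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
    $_POST   = gpc_unescape($_POST);
    $_GET    = gpc_unescape($_GET);
    $_COOKIE = gpc_unescape($_COOKIE);
}

$content = isset($_POST['content']) ? $_POST['content'] : '';

$pdo = new PDO('mysql:host=localhost;dbname=cms;charset=utf8mb4', 'user', 'secret', array(
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false,   // real server-side prepares
));

// The HTML travels as a bound parameter, separate from the SQL text: no
// mysql_real_escape_string(), no addslashes(), nothing to strip later.
$stmt = $pdo->prepare('INSERT INTO pages (content) VALUES (:content)');
$stmt->execute(array(':content' => $content));
$id = $pdo->lastInsertId();

// Read it back: what was bound is exactly what is stored, so no stripslashes().
// Echoing stored HTML unencoded is only appropriate for trusted editor output.
$stmt = $pdo->prepare('SELECT content FROM pages WHERE id = :id');
$stmt->execute(array(':id' => $id));
echo $stmt->fetchColumn();
```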
When you fetch it from the database you need to run a stripslashes() on the HTML string. Right?
I accomplished this by using the following code segments in PHP and the MySQL database:
Storing into the database. You must use the following code segment in the actual MySQL INSERT call. I found out that if you apply it to the variable first and then put the variable in the INSERT call, it will not work. The function must be in the MySQL statement.
mysql_real_escape_string($myValue)
Retrieving into a textbox value. Assuming your values have already been retrieved from the database and are now in an array called theValues. Basically I am removing any backslashes, but beforehand I'm making sure it can be displayed correctly using htmlentities. Since there are no backslashes in HTML that I know of, it fixes it where servers replace quotes with \". If you do encounter some backslashes in HTML, you'll just have to be a bit more clever in your replacement function.
$myValue= str_replace("\\", "", htmlentities($theValues->myValue));
echo $myValue;
Echoing out onto a page: same reasons as above, but the htmlentities function makes it only display the text of the HTML instead of processing the HTML.
str_replace("\\", "",$myValue)
Related
echo'<img src="'.$row['filename'].'" onmouseover="this.src='.$row['back_filename'].'" onmouseout="this.src='.$row['filename'].'" />';
I'm calling in 2 images from a database using MySQL and PHP. How come this onmouseover doesn't work?
PS: I'm calling a path to the image, not storing the image in the database itself.
Try this:
echo'<img src="'.$row['filename'].'" onmouseover="this.src=\''.$row['back_filename'].'\'" onmouseout="this.src=\''.$row['filename'].'\'" />';
You are not providing the needed quotes for the inline JavaScript; you need single quotes '' around the filename as it is a string, causing whatever the variables hold to be interpreted by JavaScript as something other than what you expect.
Also, use a heredoc to help prevent errors caused by misquoting and worrying about escaping quotes.
echo <<<END
<img src="{$row['filename']}" onmouseover="this.src='{$row['back_filename']}'" onmouseout="this.src='{$row['filename']}'" />
END;
I have a basic CMS where a user can update a database of articles and it uses a simple set of BBCodes for some extra features.
Basically, the user inputs the article information into an HTML form, and then on the click of a "Publish" button, an AJAX request is sent to a PHP script on the server which uses regex to convert the BBCodes to HTML, and then stores the info in the database using MySQL.
My problem is an unfortunate one, in that it has come immediately after solving another, and it is very hard to debug since it is a server-side script and I am getting no error messages echoed at all.
I was having trouble with the regex, specifically with more complicated tags. I managed to get [link=URL]FOOBAR[/link] tags to correctly match and then replace them with FOOBAR. For some reason, however, this now made the script either hang or fail or something, because I'm not getting anything updated into the database when it contains [link] tags.
For the purposes of debugging earlier, when I wanted to get the SQL working, I had the PHP script echo the return value of the mysql_query() function, which I believe is "1" when it is successful and "0" when it fails. Now, however, it simply returns nothing... and the HTTPRequest receives a 0-length string back.
Here is the code:
$post = $_POST['post'];
$regex = Array('#(\r?\n)#', '#(\[(\/?)(b|i|u)\])#', '#\[link=(http://(www.)?.*?)\](.*?)\[/link\]#', '#(\[youtube\][http://www.youtube.com/watch?v=]?(\w+)[&\w+]?\[/youtube\])#', '#(\[img\](http://[www.]?[\w+])\[/img\])#');
$regReplace = Array('<br />', '<$2$3>', '$3', '<div class="media"><iframe title="YouTube video player" width="560" height="315" src="http://www.youtube.com/embed/$2" frameborder="0" allowfullscreen></iframe></div>',
'<div class="media"><img width="560" src="$2" /></div>');
$post = preg_replace($regex, $regReplace, $post);
echo mysql_query('INSERT INTO News VALUES (NULL, "'.Date('D jS M').'", "'.Date('G:i').'", "'.$_POST['heading'].'", "'.$post.'")');
I am aware that the IMG and YouTube regexes don't work...
There are several issues here. The mentioned error stems from not escaping the quote in the parameter string with backslash + quote. Furthermore, the SQL standard uses the single quote, so even if a double quote is possible, it is better to use a single quote. And then there is a huge security leak, SQL injection, with which your site may be hacked (database and files displayed).
Look at prepared statements, which also solve the quote escaping.
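As an added example (not the asker's script), the same News INSERT written with mysqli prepared statements: the heading and the converted post are bound as parameters, so a quote inside them can neither break the statement nor change it, and MySQL errors are raised instead of vanishing into an empty response. The column order (NULL id, date, time, heading, post), the credentials, and the anchor markup for [link] are assumptions.

```php
<?php
// Added example, not the asker's script: the same News INSERT done with
// mysqli prepared statements, so a quote in the heading or the converted post
// can neither break the statement nor alter it. Assumes the column order the
// question uses (NULL id, date, time, heading, post) and the credentials below.

// Throw on any MySQL error instead of silently returning nothing.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

// The tags that already work in the question; the [link] replacement is
// assumed to be an anchor, since the page shows only its rendered label.
function bbcode_to_html($post)
{
    $regex = array(
        '#(\r?\n)#',
        '#(\[(\/?)(b|i|u)\])#',
        '#\[link=(http://(www\.)?.*?)\](.*?)\[/link\]#',
    );
    $regReplace = array('<br />', '<$2$3>', '<a href="$1">$3</a>');
    return preg_replace($regex, $regReplace, $post);
}

function store_post(mysqli $db, $heading, $post)
{
    $html = bbcode_to_html($post);
    $date = date('D jS M');
    $time = date('G:i');

    // Placeholders instead of '"'.$heading.'"': the values are sent separately
    // from the SQL text, so a " or ' in them is plain data.
    $stmt = $db->prepare('INSERT INTO News VALUES (NULL, ?, ?, ?, ?)');
    $stmt->bind_param('ssss', $date, $time, $heading, $html);
    $stmt->execute();
    $id = $db->insert_id;
    $stmt->close();
    return $id;
}

$db = new mysqli('localhost', 'user', 'secret', 'cms');
$db->set_charset('utf8mb4');

$id = store_post($db, $_POST['heading'], $_POST['post']);
echo $id;   // the new row id, in place of mysql_query()'s bare 1/0
```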
When I use stripslashes in PHP I do not get the exact solution. I have mentioned below what I used in my code:
For example, if I have the value in the table like suresh\'s kuma\"r
I am trying to display the value in the following three formats, but none of them gives the exact value:
1) value=<?=stripslashes($row[1])?> //output is suresh's
2) value='<?=stripslashes($row[1])?>' //output is suresh
3) value="<?=stripslashes($row[1])?>" //output is suresh's kuma
But the exact output I need is suresh's kuma"r
Let me know how to resolve this issue.
The issue has nothing to do with stripslashes. If I guess correctly, the problem lies in the fact that in your examples quotes break the HTML field attribute.
I'll show you by manually echoing out your $row content as per your info:
value=sures kumar --> leads the browser to interpret this as value="sures" kumar
value='suresh'khumar --> well, same story: value='sures' khumar
value="Suresh"Khumar --> what can I say... you know the drill
Escaping the quotes won't affect HTML, since backslashes have no meaning in HTML.
Both value="Suresh" and value="Suresh\" will work fine for the browser, but your name will always be interpreted by the browser as some unknown attribute, leaving only the first part inside the value.
What you might do instead is apply htmlentities($row[1], ENT_QUOTES) so that they get converted to the equivalent entity (&quot;, for example) and don't break your value attribute. See the manual.
Another issue is that you shouldn't have backslashes in your database in the first place; this might be due to magic_quotes being enabled at your provider, or to you manually applying addslashes() or other wrong trickery. If you want to insert values containing quotes into a database, use the escaping mechanism provided by your database driver (mysql_real_escape_string() in mysql, for example), or better tools (prepared statements with query bindings).
You should first get rid of all the slashes using stripslashes and re-save the content; but slashes or not, the issue would appear again if you don't format it appropriately for your HTML, as I showed above.
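As an added example (not code from the answer above), the question's stored value is constructed here, cleaned once with stripslashes(), and then encoded for the attribute with ENT_QUOTES, which is what keeps either quote from ending the value early. The $row array and the two helper names are constructed for the example.

```php
<?php
// Added example, not from the answer above: the question's stored value is
// constructed here, cleaned once with stripslashes(), and then encoded for the
// HTML attribute with ENT_QUOTES, so neither quote can end the attribute early.

$row = array(null, 'suresh\\\'s kuma\\"r');   // PHP literal for: suresh\'s kuma\"r

// The slashes are database pollution from magic quotes / addslashes(); remove
// them once (and re-save the cleaned value) rather than on every display.
function clean_stored($value)
{
    return stripslashes($value);
}

// Attribute-context encoding: ENT_QUOTES turns ' into &#039; and " into &quot;,
// which the browser decodes back to literal quotes inside the value.
function attr($value)
{
    return htmlspecialchars($value, ENT_QUOTES, 'UTF-8');
}

$name = clean_stored($row[1]);   // suresh's kuma"r

// Wrapped in double quotes: the embedded " is now &quot; and cannot close it.
echo '<input type="text" value="' . attr($name) . '">', "\n";

// Works with single-quote wrapping too, because ' was encoded as well.
echo "<input type='text' value='" . attr($name) . "'>", "\n";
```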
Are you sure you want stripslashes instead of addslashes? Is the purpose to quote the " characters?
I'm letting my users type in texts, then take them to server-side PHP and process them, and if everything goes as it should, I just append the text with jQuery without the page having to load all over again.
This is the procedure:
$post_text = htmlspecialchars(mysql_real_escape_string($_POST['post_text']));
some logic...
everything ok!
stripslashes(str_replace("\\n", "", $post_text))
and then I send all the necessary data with JSON:
echo json_encode($return);
On the client side I append the HTML chunk saved in a variable from the server side.
This seems to work on localhost, it removes all the slashes and so on, but online it just doesn't remove the slashes, and they keep coming up; when I hit refresh they disappear, because then it's a
stripslashes($comment['statusmsg_text'])
written out with PHP straight from the database. Is it the JSON that adds some extra stuff? I don't get it, because it works perfectly on localhost.
Best regards,
Alexander
The additional slashes might be magic quotes. You shouldn't rely on them and should disable them.
Additionally, mysql_real_escape_string should only be used to prepare strings to be put into a string context in a MySQL statement. Similarly, htmlspecialchars should only be used for sanitizing data to be put into an HTML context.
It may be that on your server and your localhost the magic_quotes_gpc directive is set differently, so your string is double-encoded on the server side.
Try it without stripslashes; json_encode should handle that. All you need to do is use mysql_real_escape_string once, before your string touches your database.
I am facing an issue while uploading formatted text/HTML to the DB. Things work fine under WAMP, but when doing it in LAMP I am having backslashes added to the quotes:
string(114) "<p>
<img alt=\"\" src=\"/ckfinder/userfiles/images/aboutkg.jpg\" style=\"width: 607px; height: 221px;\" /></p>
"
I am using a Zend_Form and CKEditor. And I am pretty sure I am missing something simple; what is it?
You might be missing PHP's magic_quotes_gpc option or its friend magic_quotes_runtime. When those are enabled, PHP automatically escapes all quotes that arrive via HTTP request or are retrieved from the database, and so on. It's a deprecated feature intended to prevent SQL injection. See the Magic Quotes chapter in the PHP manual.