I want to save html-formatted text to database, but when I do that it is don't save html-symbols like < / > ' and others
This is how I read article from database for editing:
<p class="Title">Англійський варіант:</p>
<textarea name="EN" cols="90" rows="20" value="<?php echo htmlentities($articleArr['EN'], ENT_QUOTES, "UTF-8"); ?>" ></textarea>
after this generates such html-code:
<p class="Title">Англійський варіант:</p>
<textarea name="EN" cols="90" rows="20" value="<p class='Title'> привыт </p>" ></textarea>
So, I expect that this text will appear in my text field, in html-code of this page it is, but in text area is no.
In database I save it as:
<p class="Title"> Hello </p>
So how can I do the follow:
Read from database
html-formattedtext.
Show it in textarea element.
Edit and save it back to database.
Help me please, how can I save such texts properly, Thanx!
Try using htmlspecialchars() on the string to put into the DB, and then, when pulling it back out, use htmlspecialchars_decode(). Might make a difference.
Save it to a nvarchar(max) field.
Make sure you use parameterized queries for security. Read
http://www.aspnet101.com/2007/03/parameterized-queries-in-asp-net/
http://msdn.microsoft.com/msdnmag/issues/04/09/SQLInjection/
with little changes to Sql , you can apply to Mysql aslo
there is no problem with save your html code in database. and no need for filter data before save .
but when you want to show it again in textarea you shoud Escape it.
in php you can use this code to escape html codes:
PHP Function
see doc: htmlspecialchars
$cotnent = htmlspecialchars( $cotnent );
Wordpress Functions:
see doc: format_to_edit
$cotnent = format_to_edit( $cotnent , false );
OR
see doc: esc_textarea
$cotnent = esc_textarea( $cotnent );
Related
I'm redesigning a site that's mainly static content, so a CMS is really not necessary. The only thing that changes is the 'events' page, which my client frequently updates. He does this now by going into the HTML, copying the tags of a previous event, changing whatever needs to be changed and uploading it back to the server. I want to make this easier for him (it's a pain in the a**, as he puts it), but without using a CMS I'm kind of lost.
Is there a way to have a form he can fill in (with place, date, etc.) and then display it on the proper page on submit? I'm thinking it should be possible with PHP but I don't know how to do it.
DEMO
The cleanest way to do this if you have PHP available is to set up a form that uses PHP to write to a text file, and then subsequent form posts would overwrite the same file. This is a very basic form created with the idea that the user would be the administrator. if this form was user facing to the public you would want toimplement a little more security.
You can format the output in the php script to match the site as needed.
Use this to read in the txt file on the page php file to display the text file:
<?php
readfile("Post.txt");
?>
HTML Form
<h1>Event Post </h1>
<form name="blogs" action="eventpost.php" method="post" enctype="multipart/form-data">
<label for="titlePost">Post Title </label>
<input type="text" name="titlePost">
<label for="commentPost">Comment: </label>
<textarea type="text" name="commentPost" rows="5" cols="35"></textarea>
<input type="submit" name="submitPost" width="200px" value="Submit"/>
</form>
PHP Script
<?php
global $output;
$title = $_POST['titlePost'];
$comment = $_POST['commentPost'];
$tagDate = date('l, M d, Y');
$content = "<div><h2>$title</h2><span class=\"dateStamp\"> $tagDate</span><br><br><span>$comment</span>\n</div><hr>\n\r\r";
$file = "Post.txt";
if($_POST['titlePost'] = !"" && $_POST['commentPost'] != ""){
if (isset($_POST['submitPost'])){
if (file_put_contents($file, $content) > 0){
$output = "The post titled <b>$title</b> was accepted. Here is what was posted:<br><br>$comment<hr><br>";
} else{
$output = "<em>Unfortunately ".$title."</em> did not post appropriately.";
}
} else {
$output = "Your form is not filled out <u>completely.</u>";
}
echo "<span>".$output."</span>";
}
?>
Set it all up like this:
<?
$EventIs = "Event name"
$EventDate = "date"
//etc...
?>
in your HTML:
<p><span class="eventName">Event: <? echo $EventIs ?></span><br />
<span class="eventDate">Date: <? echo $EventDate ?></span></p>
That's really oversimplifying it. But it gives you the basic idea. You guy can just edit the variables at the top of the file, and they will appear wherever you want in the code.
If you want these variables set from a post from a form, you will have to save those variables in your database. But that's the basic idea.
From a high level perspective, you could create a form for him to fill out which would, on the back end, store the form contents into a file or database. Then, on the front end, you would read in that file, or database, parse the content, and display it however you like. That's a very common thing to do using PHP.
I am writing an application where a user enters text into a textbox inside a form and the text is stored in a SQL db inside a MEDIUMTEXT field. I am testing right now so the table only has 2 field "1" for the index and "2" for the stored text.
<form method="post" action="index.php" enctype="multipart/form-data" >
<h3>Input Text Here</h3>
<textarea name="text" cols="40" rows="6" ></textarea><br/>
<input type="submit" value="Submit" />
</form>
The stored text then is retrieved in another page and displayed.
<?php
$query = "SELECT * FROM test_table WHERE 1='1'";
$result = mysql_query($query);
if (!$result) die ("Database access failed: " . mysql_error());
$results = mysql_fetch_array($result, MYSQL_ASSOC);
echo $results['2'];
if(isset($_POST['text'])) {
echo printText($_POST['text']);
function printText($txt) {
if(!empty($txt)) {
return $txt;
} else {
return 'You didn\'t write anything.';
}
}
}
?>
The problem is that when the text is displayed all the carriage returns disappear and multiple paragraphs become one.
Can anybody guide me in the appropriate direction? Should I be using regular expressions looking for carriage returns and marking them up? Is there a less search intense method? I tried nl2br(), but I guess you need actual \n entries for it to work.
I am writing this for someone to easily update a "news blub" on their landing page without having to use a text editor and writing code.
Thanks!
I tried nl2br(), but I guess you need actual \n entries for it to
work.
nl2br is the function you need. From the manual:
Returns string with '<br />' or '<br>' inserted before all newlines
(\r\n, \n\r, \n and \r).
If a user submits data with carriage returns then you will be getting "actual" \n entries (or one of the others mentioned in the manual description). Ensure you are calling it whenever you are echoing the pertinent text.
I created a text box as follows-
<textarea name ="textbox" rows="20" cols="50" id ="textbox" style="background-color: #000000; font-size:14.5px; font-family:arial; color:#FFFFFF;"> </textarea>';
In the PHP script,I am trying to get the contents of a file and then trying to populate the value field of the textbox as follows :
echo '<script> document.getElementById("textbox").value = "'.$final1.'";</script>';
where $final1 = file_get_contents(FILENAME);
I see that there is nothing populated in the value field and neither do i see any output when I try to echo this variable. I tried giving a variable say $test = "ABCD"; and populating this variable and it worked.
I know this has something to do with HTML special characters because my file has lot of special characters but I am not able to find a solution.
Kindly please help. Thanks!
If you problem is related to the file you load having special characters in to that html/javascript does not like try this
$final1 = htmlspecialchars( file_get_contents(FILENAME) );
echo '<script> document.getElementById("textbox").value = "'.$final1.'";</script>';
Morning,
I have created a small form to store some information to a database.
I have magic_quotes_gpc turned off on my server.
If i enter a " or a £ sign in the box is stores into the database without a worry.
When i echo it back with php it displays, but if i use the value in an input form field the " close the value field.
<input type="text" name="variable" value="<?php echo $row[variable]; ?>" />
I have now used htmlspecialchars around the input value and it works.
<input type="text" name="variable" value="<?php echo htmlspecialchars($row[variable]); ?>" />
But i have looked at open cart source as a reference and they do not use htmlspecialchars but store the data in a different way.
I tried using the urlencodes method they have used :
urlencode(html_entity_decode($_POST[variable],ENT_QUOTES, 'UTF-8'));
but this seems to store as a lot of numbers and + signs which did not display back correctly.
I would rather encode the update database instead of using the method i am with htmlspecialschars.
But not quite sure which way would be best?
Thank You
you may use
htmlentities() function in php
Perhaps try mysqli_real_escape_string($dblink, $string) instead of htmlspecialchars
For storing the HTML Character change the charters and then store them:
<?php
$new = htmlspecialchars("<a href='test'>Test</a>", ENT_QUOTES);
echo $new; // <a href='test'>Test</a>
?>
To get back the correct HTML Character do the decoding as:
<?php
$str = "<p>this -> "</p>\n";
echo htmlspecialchars_decode($str);
// note that here the quotes aren't converted
echo htmlspecialchars_decode($str, ENT_NOQUOTES);
?>
For more information refer to http://www.php.net/manual/en/function.htmlspecialchars.php
I use ckeditor in admin panel but in user submit form use simple textbox so user can input text and submit. Problem is when user enter text in textarea with Line Breaks it saves as it in SQL. I want to add BR after each line in sql.
For Example User Submits:
![F.R.I.E.N.D.S.:
(F)ight for you.
(R)espect you.
(I)nvolve you.
(E)ncourage you.
(N)eed you.
(D)eserve you and
(S)tand by you.][1]![SCREENSHOT oF DB SAVE][2]
got saved in DB as it with next line showing in output. But I want to save in DB as:
F.R.I.E.N.D.S.:<br />
(F)ight for you.<br />
(R)espect you.<br />
(I)nvolve you.<br />
(E)ncourage you.<br />
(N)eed you.<br />
(D)eserve you and<br />
(S)tand by you.
I use nl2br but its not working on user submit form If I use nl2br on admin processing form then on those fields already added with ckeditor it adds two BR tags.
Code used on user submit form is:
<textarea name="content" id="content" cols="60" rows="10" class="span7"><?php if(isset($content)) { echo $content; } ?></textarea>
$content = trim($_POST["content"])
$content = mysql_real_escape_string($content);
$content = nl2br($content);
No processing is used on admin approval form where ckeditor used on textarea. Text output from DB appears without Line Breaks in a single line in ckeditor.
if I use nl2br while output on this form it works but adds double BRs on earlier text posted through ckeditor.
also tried $content = preg_replace("/\r\n|\r/", "<br />", $content); as suggested by some one on stackoverflow on similar question
pls suggest me some function for this problem.
also suggest If I need to use some function like htmlentities or stripslashes to process content before Inserting into SQL.
Just replace the new line \r\n, \r first, then trim it.
$content = preg_replace("/\r\n|\r/", "<br />", $_POST["content"]);
$content = trim($content])
Or:
$content = nl2br($_POST["content"]);
$content = trim($content)
Good luck.
You need to use nl2br for displaying the value, whenever you need it, not for saving it.