PHP Forum

**robterrace** · 07:01 AM

I've sorted out last nights problem with the sql error, and I've now encountered another.

I'm trying to edit the news I created on my site, and on selecting it to edit, I can see the html code showing up (mainly line breaks). But after editing and pressing submit, it loses all of the HTML that was originally in there, and even going in and redoing it doesn't help...

Heres the code...

PHP Code:


			
<?php mysql_connect ('localhost', '******', '******') ;
    mysql_select_db ('******');
if (isset($_POST['update'])) {

    $id = htmlspecialchars(strip_tags($_POST['id']));
    $month = htmlspecialchars(strip_tags($_POST['month']));
    $date = htmlspecialchars(strip_tags($_POST['date']));
    $year = htmlspecialchars(strip_tags($_POST['year']));
    $time = htmlspecialchars(strip_tags($_POST['time']));
    $summary = htmlspecialchars(strip_tags($_POST['summary']));
    $entry = htmlspecialchars(strip_tags($_POST['entry']));
    $title = htmlspecialchars(strip_tags($_POST['title']));

    $timestamp = strtotime ($month . " " . $date . " " . $year . " " . $time);

    $result = mysql_query("UPDATE php_news SET timestamp='$timestamp', title='$title', summary='$summary', entry='$entry' WHERE id='$id' LIMIT 1") or print ("Can't update entry.<br />" . $sql . "<br />" . mysql_error());

    header("Location: news.php?id=" . $id);
    
}

if (isset($_POST['delete'])) {
    $id = (int)$_POST['id'];
    $result = mysql_query("DELETE FROM php_news WHERE id='$id'") or print ("Can't delete entry.<br />" . $sql . "<br />" . mysql_error());
    if ($result != false) {
        print "The entry has been successfully deleted from the database.";
        exit;
    }
}

if (!isset($_GET['id']) || empty($_GET['id']) || !is_numeric($_GET['id'])) {
    die("Invalid entry ID.");
}
else {
    $id = (int)$_GET['id'];
}

$result = mysql_query ("SELECT * FROM php_news WHERE id='$id'") or print ("Can't select entry.<br />" . $sql . "<br />" . mysql_error());

while ($row = mysql_fetch_array($result)) {
    $old_timestamp = $row['timestamp'];
    $old_title = $row['title'];
    $old_summary = $row['summary'];
    $old_entry = $row['entry'];
    $old_title = str_replace('"','\'',$old_title);
    $old_month = date("F",$old_timestamp);
    $old_date = date("d",$old_timestamp);
    $old_year = date("Y",$old_timestamp);
    $old_time = date("H:i",$old_timestamp);
}
?>

<form method="post" action="<?php echo $_SERVER['PHP_SELF']; ?>">

<p><input type="hidden" name="id" value="<?php echo $id; ?>" />

<strong><label for="month">Date (month, day, year):</label></strong> 

<select name="month">
<option value="<?php echo $old_month; ?>"><?php echo $old_month; ?></option>
<option value="January">January</option>
<option value="February">February</option>
<option value="March">March</option>
<option value="April">April</option>
<option value="May">May</option>
<option value="June">June</option>
<option value="July">July</option>
<option value="August">August</option>
<option value="September">September</option>
<option value="October">October</option>
<option value="November">November</option>
<option value="December">December</option>
</select>

<input type="text" name="date" size="2" value="<?php echo $old_date; ?>" />

<select name="year">
<option value="<?php echo $old_year; ?>"><?php echo $old_year; ?></option>
<option value="2006">2006</option>
<option value="2007">2007</option>
<option value="2008">2008</option>
<option value="2009">2008</option>
<option value="2010">2010</option>
</select>

<strong><label for="time">Time:</label></strong> <input type="text" name="time" size="5" value="<?php echo $old_time; ?>" /></p>

<p><strong><label for="title">Title:</label></strong> <input type="text" name="title" value="<?php echo $old_title; ?>" size="40" /> </p>
<p><textarea cols="80" rows="8" name="summary"><?php echo $old_summary; ?></textarea></p>
<p><textarea cols="80" rows="20" name="entry"><?php echo $old_entry; ?></textarea></p>

<p><input type="submit" name="update" value="Update"></p>

</form>

**Crimson** · 04-25-2006, 09:06 PM

Hmmm...I see you call strip_tags() a bunch of times in your update code, and that should be removing all HTML from each of the variables you pass to it, the id, the entry, the title, etc.

Additionally, you're then calling htmlspecialchars() on each variable, which is changing all HTML-centric characters such as "<" and ">" to their respective entities. If any tags get passed strip_tags(), this will furthur keep them from working.

These lines are likely stripping all HTML from your entries before they're added to your MySQL database:

Code:

    $id = htmlspecialchars(strip_tags($_POST['id']));
    $month = htmlspecialchars(strip_tags($_POST['month']));
    $date = htmlspecialchars(strip_tags($_POST['date']));
    $year = htmlspecialchars(strip_tags($_POST['year']));
    $time = htmlspecialchars(strip_tags($_POST['time']));
    $summary = htmlspecialchars(strip_tags($_POST['summary']));
    $entry = htmlspecialchars(strip_tags($_POST['entry']));
    $title = htmlspecialchars(strip_tags($_POST['title']));

**rab** · 04-25-2006, 09:29 PM

If your trying to filter out the "<" ">" ..ect then convert it to its html form.

**robterrace** · 04:27 AM

Quote:

Originally Posted by Crimson

Hmmm...I see you call strip_tags() a bunch of times in your update code, and that should be removing all HTML from each of the variables you pass to it, the id, the entry, the title, etc.

Additionally, you're then calling htmlspecialchars() on each variable, which is changing all HTML-centric characters such as "<" and ">" to their respective entities. If any tags get passed strip_tags(), this will furthur keep them from working.

These lines are likely stripping all HTML from your entries before they're added to your MySQL database:

Code:

    $id = htmlspecialchars(strip_tags($_POST['id']));
    $month = htmlspecialchars(strip_tags($_POST['month']));
    $date = htmlspecialchars(strip_tags($_POST['date']));
    $year = htmlspecialchars(strip_tags($_POST['year']));
    $time = htmlspecialchars(strip_tags($_POST['time']));
    $summary = htmlspecialchars(strip_tags($_POST['summary']));
    $entry = htmlspecialchars(strip_tags($_POST['entry']));
    $title = htmlspecialchars(strip_tags($_POST['title']));

Sorted, just had to get rid of the strip_tags and specialchars...
So this bit now looks like this...

Code:

    $id = htmlspecialchars(strip_tags($_POST['id']));
    $month = htmlspecialchars(strip_tags($_POST['month']));
    $date = htmlspecialchars(strip_tags($_POST['date']));
    $year = htmlspecialchars(strip_tags($_POST['year']));
    $time = htmlspecialchars(strip_tags($_POST['time']));
    $summary = (($_POST['summary']));
    $entry = (($_POST['entry']));
    $title = htmlspecialchars(strip_tags($_POST['title']));