I have a page that my members can publish a new post or update the post. I got the the post content from tinymce editor. Everything works fine but when my content involes new line(s) or free spaces like <p> </p> or <div> </div>, it causes a problem. php-prepared statement only save the content before these tags not whole content. For example,
<div><strong>Lorem Ipsum</strong> is simply dummy text of the printing and typesetting industry. Lorem Ipsum has been the industry's standard dummy text ever since the 1500s, when an unknown printer took a galley of type and scrambled it to make a type specimen book. It has survived not only five centuries, but also the leap into electronic typesetting, remaining essentially unchanged. It was popularised in the 1960s with the release of Letraset sheets containing Lorem Ipsum passages, and more recently with desktop publishing software like Aldus PageMaker including versions of Lorem Ipsum.</div>
<div> </div>
<div>It is a long established fact that a reader will be distracted by the readable content of a page when looking at its layout. The point of using Lorem Ipsum is that it has a more-or-less normal distribution of letters, as opposed to using 'Content here, content here', making it look like readable English. Many desktop publishing packages and web page editors now use Lorem Ipsum as their default model text, and a search for 'lorem ipsum' will uncover many web sites still in their infancy. Various versions have evolved over the years, sometimes by accident, sometimes on purpose (injected humour and the like).</div>
It saves or updates only this part:
<div><strong>Lorem Ipsum</strong> is simply dummy text of the printing and typesetting industry. Lorem Ipsum has been the industry's standard dummy text ever since the 1500s, when an unknown printer took a galley of type and scrambled it to make a type specimen book. It has survived not only five centuries, but also the leap into electronic typesetting, remaining essentially unchanged. It was popularised in the 1960s with the release of Letraset sheets containing Lorem Ipsum passages, and more recently with desktop publishing software like Aldus PageMaker including versions of Lorem Ipsum.</div>
And this is the my php-prepared statement php code:
function createNewPost($post){
$cmd = "INSERT INTO posts(post_title,post_content,post_author,post_category,post_date,post_status) VALUES (?,?,?,?,?,?)";
$mysqli = connectDB();
$stmt = $mysqli->prepare($cmd);
$stmt->bind_param("ssiiss",$post["title"],$post["content"],$post["author"],$post["category"],$post["date"],$post["status"]);
$stmt->execute();
$count = $stmt->affected_rows;
$stmt->close();
if($count > 0)
return true;
else
return false;
I suppose that the problem is "&" character. When prepare function reads that char, it might see it is dangerous and clear all html code after that part and returns to me the before <p> </p> part ?
$post["content"] // I checked this variable.It has the whole content.
Edit: I forget to mention I am sending those datas via jquery post method even the data type is "text" and ajax-url get the whole text it again cuts off after "&" char.
jQuery Code:
$('#submitPost').click(function(){
var str = $('#postForm').serialize();
str += "&editorContent=" + tinyMCE.activeEditor.getContent() + "&postDate=" + $('#labelDate').html();
str += "&postID=" + "<?php echo $_GET["id"]; ?>";
$.post("ajax-update-post.php", str,
function(data){
$('#submitPost').attr("disabled",false);
$('#submitPost').html("Update");
$('#info').html(data);
$('#info').slideDown("slow");
//setTimeout(function(){ $('#info').slideUp("slow"); }, 3000);
},"text"
);
I solved my problem by changing the getting value of tinymce. I html data in jquery to another textarea and then getting serialize from new textarea.
You may need to use htmlspecialchars function in php before inserting the actual data to the database
$sample = htmlspecialchars("<a href='test'>the string to be inserted</a>", ENT_QUOTES);
then if you want to decode that data use htmlspecialchars_decode
echo htmlspecialchars_decode($sample);
or you may try to use htmlentities before inserting string html and html_entity_decode() for decoding it.
Example
$orig = "I'll \"walk\" the <b>dog</b> now";
$a = htmlentities($orig);
$b = html_entity_decode($a);
echo $a; // I'll "walk" the <b>dog</b> now
echo $b; // I'll "walk" the <b>dog</b> now
so in your case try to play with it.
$cmd = "INSERT INTO posts(post_title,post_content,post_author,post_category,post_date,post_status) VALUES (?,?,?,?,?,?)";
$mysqli = connectDB();
$stmt = $mysqli->prepare($cmd);
$content = htmlentities($post["content"]);
$stmt->bind_param("ssiiss",$post["title"],$content,$post["author"],$post["category"],$post["date"],$post["status"]);
$stmt->execute();
$count = $stmt->affected_rows;
$stmt->close();
//try to echo it out
echo $post["content"]."<br/>";
echo $content;
if($count > 0)
return true;
else
return false;
I hope that helps you.