I recently added a news system that uses mysql/php. It works perfectly, but it gives some errors when adding html.
For example if I add a youtube video it will add / or \
What do I change in the code below to store html into the database?
This is what the HTML ends up looking like after:
This may be nothing more than some unstripped slashes. It appears you are escaping slashes before saving the data (good job!), but you don't appear to be removing those slashes when you go to show the data. Try the following out when echoing:
echo stripslashes( $myrow['title'] );
You most likely have magic quotes enabled. If so you should check for this and stripslashes accordingly.
// Strip the slashes magic_quotes_gpc added; recurses so nested arrays are handled too
function magic_quotes_strip($value){
    if(get_magic_quotes_gpc()){
        if(is_array($value)){
            return array_map('magic_quotes_strip', $value);
        }else{
            return stripslashes($value);
        }
    }else{
        return $value;
    }
}
//Strip all slashes from post array before handling
$_POST = magic_quotes_strip($_POST);
Then do your normal mysql escaping before input, without the worry of double escaping:
// mysql_real_escape_string() respects the connection charset; mysql_escape_string() is deprecated
$title = mysql_real_escape_string($_POST['title']);
Notes:
PHP_SELF is an XSS vulnerability; you should htmlentities() that or remove it so it's just action=""
$_SESSION[usr_name]: you're using usr_name as a constant; it should be $_SESSION['usr_name']
There is some place in your code that adds excessive slashes for no reason.
You have to find this place and remove the excessive slashing.
This could be the notorious magic_quotes_gpc ini setting. You have to either turn it off or, if you can't, strip these useless slashes at the very top of your configuration file, using the code from the link above.
This could be some silly useless "ultimate cleanup function". You have to find it and remove the slashing from it.
This could be somewhere else, say inside of the generate_wysiwyg() function or anything.
Remember: doing just stripslashes() is but an ugly crutch, correcting your data only in one place, leaving it spoiled elsewhere.
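Added example (not code from the question or from any of the answers above) showing both points at once: the magic-quotes fix done once in a bootstrap file, as the last answer recommends, and the PHP_SELF output escaping from the second answer. It assumes a PHP version where get_magic_quotes_gpc() still exists, the mysqli extension, and a hypothetical news(title, body) table.

```php
<?php
// bootstrap.php: included at the top of every page, so slashes are fixed
// once at input instead of patched with stripslashes() at every echo.

// Recursive strip: array_map('stripslashes', ...) alone breaks on nested arrays.
function strip_magic_quotes_deep($value) {
    return is_array($value)
        ? array_map('strip_magic_quotes_deep', $value)
        : stripslashes($value);
}

// Guarded with function_exists() because the function is gone in PHP 8.
if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
    $_GET    = strip_magic_quotes_deep($_GET);
    $_POST   = strip_magic_quotes_deep($_POST);
    $_COOKIE = strip_magic_quotes_deep($_COOKIE);
}

// Storing: a prepared statement binds the raw text, so no escaping function
// runs and nothing can be escaped twice. Table and column names are assumed.
function save_news(mysqli $db, $title, $html_body) {
    $stmt = $db->prepare('INSERT INTO news (title, body) VALUES (?, ?)');
    $stmt->bind_param('ss', $title, $html_body);
    $ok = $stmt->execute();
    $stmt->close();
    return $ok;
}

// Displaying: escape at output time, for the HTML context. The body is stored
// as HTML on purpose (a YouTube embed), so only trusted authors may write it;
// the title and the form action are escaped here.
function render_form_action() {
    // htmlspecialchars() closes the reflected XSS in PHP_SELF; a plain
    // action="" (posting back to the same URL) avoids echoing it at all.
    return 'action="' . htmlspecialchars($_SERVER['PHP_SELF'], ENT_QUOTES, 'UTF-8') . '"';
}

function render_title($title) {
    return '<h2>' . htmlspecialchars($title, ENT_QUOTES, 'UTF-8') . '</h2>';
}
```

With this in place, the display code echoes $myrow['title'] through render_title() and never needs stripslashes(), because the slashes were never stored.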