Posts containing HTML tags are displayed unformatted

I am writing a simple cms-like solution to keep track of my silly ideas. Everything is going great, but I am now having some difficulties implementing the Xinha RTE plugin into my application.

I have followed their on-site tutorial, and it seems to be working but...

When I apply formatting to a text (headings, paragraphs, etc.), the tags are saved correctly in the MySQL database:

<h1>heading</h1>
<p>text example</p>

they are displayed as:

<h1>heading</h1><p>text example</p>  (concatenated and NOT formatted, displaying the tags instead)

or

&lt;p&gt;tesy&lt;/p&gt; &lt;h4&gt;fgfg&lt;br /&gt;&lt;/h4&gt; &lt;h2&gt; &lt;/h2&gt;

The last example output is because I made this change:

//$postCon = mysql_real_escape_string($postCon);
$postCon = htmlspecialchars($postCon);

That was only because someone on their forum said that it would be "dumb" to escape HTML special chars, since HTML tags are made up of them.

I have a really hard time specifying the actual problem, hence my question is a little sloppy. I hope that someone out there has been where I am now and can provide some explanation or guidance in the right direction.

I will go drink coffee and ponder on this for now, and bring updates if I get anything new. For now I will just leave you with the actual script which does the post handling.

Thanks,

<?php

include_once 'bin/configDb.php';
include_once 'bin/connectDb.php';
include_once 'header.php';

// get stuff from post
$topicSub = $_POST['topic_subject'];
//$topicSub = mysql_real_escape_string($topicSub);
$topicSub = htmlspecialchars($topicSub);
$topicCat = $_POST['topicCat'];
//$topicCat = mysql_real_escape_string($topicCat);

$sesId = $_GET['username'];

// the form has been posted, so save it
// insert the topic into the topics table first, then we'll save the post into the posts table
$postCon = $_POST['post_content'];
//$postCon = mysql_real_escape_string($postCon);
$postCon = htmlspecialchars($postCon);

$sql = "INSERT INTO
            topics(topic_subject, topic_date, topic_cat, topic_by)
        VALUES('$topicSub', NOW(), '$topicCat', '$sesId')";

$result = mysql_query($sql);

if (!$result)
{
    // something went wrong, display the error
    echo 'An error occurred while inserting your data. Please try again later.' . mysql_error();
    $sql = "ROLLBACK;";
    $result = mysql_query($sql);
}
else
{
    // the first query worked, now start the second, posts query
    // retrieve the id of the freshly created topic for usage in the posts query
    $topicId = mysql_insert_id();

    $sql = "INSERT INTO
                posts(post_content, post_date, post_topic, post_by)
            VALUES('$postCon', NOW(), '$topicId', '$sesId')";
    $result = mysql_query($sql);

    if (!$result)
    {
        // something went wrong, display the error
        echo 'An error occurred while inserting your post. Please try again later.' . mysql_error();
        $sql = "ROLLBACK;";
        $result = mysql_query($sql);
    }
    else
    {
        $sql = "COMMIT;";
        $result = mysql_query($sql);

        // after a lot of work, the query succeeded!
        echo 'You have successfully created <a href="topic.php?id=' . $topicId . '">your new topic</a>.';
        header("location:admin.php");
    }
}

include_once 'footer.php';
?>

You've missed the purpose of mysql_real_escape_string. It's there to make arbitrary string data SAFE to use in an SQL query. It's an SQL injection attack prevention method. htmlspecialchars will not help at all to prevent SQL injection attacks. You're using a screwdriver to drive in a nail. It may work in some cases, but won't ever cover all the cases. And it's those "uncovered" cases that will allow someone to attack your site by waltzing in through the front door.

I found the issue to be in a completely different area of the code. It was in the code that displayed the content, silly me. It was an htmlentities(stripslashes()) call doing the funny business.

Thanks for letting me put it out there.

Marc B, thanks for once again dealing with my SQL injection issues. Feel free to pitch more recommendations my way. I did take your last advice into use :) Personal thanks to you.
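As an added example (not the asker's script or the Xinha project's code), the following keeps the two contexts Marc B separates apart, SQL escaping at save time and HTML encoding at output time, and reproduces the double encoding the asker found in the display code. It assumes a mysqli connection $db and the posts table from the question.

```php
<?php
// Added example, not the asker's script or Xinha's code.
// Assumed: a mysqli connection $db and the posts table from the question.

// Storage context: the text is an SQL parameter. A prepared statement keeps
// quotes and tags inert in the query, so nothing needs to be escaped or
// encoded before saving; the row holds exactly what the editor produced.
function savePost(mysqli $db, string $postCon, int $topicId, string $sesId): int
{
    $stmt = $db->prepare(
        'INSERT INTO posts (post_content, post_date, post_topic, post_by)
         VALUES (?, NOW(), ?, ?)'
    );
    if ($stmt === false) {
        throw new RuntimeException('prepare failed: ' . $db->error);
    }
    $stmt->bind_param('sis', $postCon, $topicId, $sesId);
    $stmt->execute();
    return (int) $db->insert_id;
}

// Output context: encode once, and only where the text must NOT be parsed as
// markup. A plain-text field such as the topic subject is encoded at output
// time; rich-text HTML from the editor is emitted as stored (after an
// allowlist HTML sanitizer, out of scope here), because encoding it is
// exactly what shows the tags on the page.
function renderSubject(string $topicSub): string
{
    return '<h2>' . htmlspecialchars($topicSub, ENT_QUOTES, 'UTF-8') . '</h2>';
}

function renderPostHtml(string $storedPostCon): string
{
    return '<div class="post">' . $storedPostCon . '</div>';
}

// Constructed input standing in for what the editor submitted.
$editorOutput = "<h1>heading</h1>\n<p>text example</p>";

// Symptom 1 from the question: htmlspecialchars() at save time and then
// htmlentities(stripslashes()) at display time encodes '<' twice, so the
// browser prints the entity text instead of rendering a heading.
$savedEncoded = htmlspecialchars($editorOutput);
echo htmlentities(stripslashes($savedEncoded)), "\n";

// Symptom 2: the same display code on raw HTML still shows literal tags.
echo htmlentities($editorOutput), "\n";

// Fix: encode only the plain-text field, emit the stored rich text as HTML.
echo renderSubject('Ideas & <plans>'), "\n";
echo renderPostHtml($editorOutput), "\n";
```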