Larry Ullman's Book Forums

Question Regarding \' And Src="Quote\\\ Etc...



Hello there folks. Hope you're all great. After reading Effortless E-Commerce a few times I decided to try out some of the instructions in this great book to help me create my own website. I'm having an issue with mysqli_real_escape_string though. This is the first time I've used this piece of code and I'm not entirely familiar with how it works.

 

I've set up a website where I can post my own blog and games that I make. Using the code from the book I've managed to create a few admin pages that let me add, edit and delete this content, with the results being displayed to anyone who visits the website and browses through normally. Unfortunately, whenever I add some kind of punctuation to text such as you'll or it'll it gets formatted as you\'ll and it\'ll.

 

The second issue I have revolves around inserting hyperlinks, images or any other tag into a blog entry. The JavaScript plugin (tiny_mce) accepts the image, but when I submit it to my database ''quo//' and // get included to prevent the tags from working. Great as a security measure, but my understanding of the code in the E-Commerce book is that I can allow these tags to be ignored so images, hyperlinks etc. work.

 

If anyone can shed any light on how I can resolve these two issues I will greatly appreciate it. For reference, I am using a 1&1 web hosting Business package on a shared server with magic_quotes enabled (however, I can change my php.ini to disable it if I choose by uploading my own php.ini to my root folder). The results I want to achieve are displaying text normally without any slashes, and stopping slashes and tags being stripped so that hyperlinks and images will display correctly.

 

An example of the code I am using that allows tags (taken directly from the book):

// Check for the copyright:
if (!empty($_POST['copyright'])) {
	$allowed = '<div><p><span><br><a><img><h1><h2><h3><h4><ul><ol><li><blockquote>';
	$copy = mysqli_real_escape_string($dbc, strip_tags($_POST['copyright'], $allowed));
} else {
	$add_mp4_errors['copyright'] = 'Please enter the copyright info!';
}

 

An example of the code I am using that just accepts text (again taken directly from the book):

 

// Check for an author:
if (!empty($_POST['author'])) {
	$a = mysqli_real_escape_string($dbc, strip_tags($_POST['author']));
} else {
	$add_mp4_errors['author'] = 'Please enter the author!';
}

 

I spent 6 hours thinking of a solution this afternoon, so any help will be greatly appreciated.

 

Many thanks

Skippy


I don't use TinyMCE, so I can't help you with that one, but in regard to the escaped quotes (and it's important to escape values before using them in a query), when printing values extracted from a database, simply use the stripslashes() function to remove the escape character.

 

Example:

$string = "Hey, how's it going?";
$escaped = mysqli_real_escape_string ($dbc, $string); // = Hey, how\'s it going?
echo stripslashes ($escaped); // = Hey, how's it going?


Ah fantastic. That one extra line of code makes the code so much easier to understand. Thank you so much for that. Really appreciate it :).

 

I'll implement the extra line of code and see what results Tiny_Mce throws back at me. I don't really think it has anything to do with the actual JavaScript plugin; more likely the tags that have been allowed are somehow getting rewritten before they get stored in the database. Then again, I have noticed that tiny_mce does seem to enjoy adding extra ../'s to all types of tags. If anyone else has noticed this and managed to find a workaround, I think that may solve the <a href src = "quot: problem.

 

Thanks for your help again.

Adding the stripslashes function seemed to inspire me to find a solution to the tags issue I had while using tiny_mce. An example of the solution, which correctly displays text, is shown below:

// Check for the copyright:
if (!empty($_POST['copyright'])) {
	$allowed = '<p><br><a><img>';
	$copy = stripslashes(str_replace('\r\n', '', mysqli_real_escape_string($dbc, strip_tags($_POST['copyright'], $allowed))));
} else {
	$add_mp4_errors['copyright'] = 'Please enter the copyright info!';
}

 

mysqli_real_escape_string is used to prevent any injection directly into the database. stripslashes is used to remove the slashes to make it easy to read for anyone who visits the website. Unfortunately, tiny_mce includes automatic page breaks every time you hit return on your keyboard, which, when stripped of tags, show up as 'rn' in any displayed text. To overcome this, str_replace('\r\n', '') is used to remove this evil 'rn' text before the slashes are stripped, replacing it with a blank space. This, while preventing any kind of security issues involved with updating and inserting data into a database, outputs any of your content the way it should be seen in a web browser.

 

Hope that helps some people too, and thanks again for pointing me in the right direction to get me started :)

 

All the best

Skippy

www.thelegendofskippy.com

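Editor's added example, not code from the book or from either poster, covering both the reply's stripslashes() advice and the final post's pipeline. It runs without a database: mysql_style_escape() is a stand-in that backslashes the same characters mysqli_real_escape_string() does, mysql_decode_literal() models what the MySQL server stores after parsing the resulting literal, and the table/column names in insert_copyright() and all sample strings are constructed for illustration. It shows three things the thread does not spell out: the you\'ll symptom is magic_quotes_gpc escaping the quote once and mysqli_real_escape_string() escaping the added backslash again (so the fix belongs at input, not at output); the final post's stripslashes() runs before the value reaches the query, which removes the escaping that was supposed to stop injection, and its str_replace('\r\n', '') deletes the escaped newline rather than the newline; and strip_tags() with an allow-list keeps every attribute on an allowed tag, so <img> and <a> still carry onerror= handlers and javascript: URLs into the page.

```php
<?php
declare(strict_types=1);

// Stand-in for mysqli_real_escape_string() so this runs without a database connection.
// It backslashes the same characters the real function does: NUL, LF, CR, \, ', " and Ctrl-Z.
function mysql_style_escape(string $s): string
{
    return strtr($s, [
        "\0" => '\0', "\n" => '\n', "\r" => '\r', '\\' => '\\\\',
        "'" => "\\'", '"' => '\"', "\x1a" => '\Z',
    ]);
}

// What MySQL stores after parsing the quoted literal: the server decodes those escapes again.
function mysql_decode_literal(string $inner): string
{
    return strtr($inner, [
        '\0' => "\0", '\n' => "\n", '\r' => "\r", '\\\\' => '\\',
        "\\'" => "'", '\"' => '"', '\Z' => "\x1a",
    ]);
}

// 1. The "you\'ll" symptom. With magic_quotes_gpc=On, PHP has already run addslashes() over
//    $_POST, so mysqli_real_escape_string() escapes the added backslash as well and the row
//    keeps one backslash. Undoing magic quotes before escaping (or turning them off in php.ini)
//    fixes it at the source; stripslashes() on output only hides the doubled escaping in the DB.
function stored_text(string $raw, bool $magic_quotes_on, bool $undo_magic_quotes): string
{
    $posted = $magic_quotes_on ? addslashes($raw) : $raw;                          // $_POST value
    $clean  = ($magic_quotes_on && $undo_magic_quotes) ? stripslashes($posted) : $posted;
    return mysql_decode_literal(mysql_style_escape($clean));                       // row content
}

// 2. The final post's pipeline. Escaping turns CR LF into the two-character sequences \r \n;
//    str_replace('\r\n', '') (single quotes: a literal backslash-r-backslash-n) deletes them,
//    which is why an unfiltered build printed "rn". stripslashes() then strips every other
//    escape backslash before the value reaches the query, so a quote goes into the SQL raw.
function thread_pipeline(string $posted, string $allowed): string
{
    return stripslashes(str_replace('\r\n', '', mysql_style_escape(strip_tags($posted, $allowed))));
}

// 3. Hardened version: normalise input once, keep real newlines, bind the value instead of
//    splicing it into SQL, and escape for HTML only when rendering. (get_magic_quotes_gpc()
//    was removed in PHP 8; on that host the php.ini override is the cleaner fix.)
function clean_input(string $posted, bool $magic_quotes_on): string
{
    return $magic_quotes_on ? stripslashes($posted) : $posted;
}

// Assumed table and column names (the thread never shows its schema).
function insert_copyright(mysqli $dbc, string $copyright): bool
{
    $stmt = $dbc->prepare('INSERT INTO mp4s (copyright) VALUES (?)');
    $stmt->bind_param('s', $copyright);
    return $stmt->execute();
}

// Plain-text fields such as author: escape for HTML at output, turn stored newlines into <br>.
function render_plain(string $text): string
{
    return nl2br(htmlspecialchars($text, ENT_QUOTES, 'UTF-8'));
}

// 4. strip_tags() keeps every attribute on an allowed tag, so allowing <a> and <img> still lets
//    onerror= handlers and javascript: URLs through. This is a detector for a test, not a
//    sanitizer; HTML from an editor like TinyMCE needs a real one (e.g. HTML Purifier).
function has_unsafe_markup(string $html): bool
{
    return (bool) preg_match('/<[^>]*\s(on\w+)\s*=/i', $html)
        || (bool) preg_match('/\b(?:href|src)\s*=\s*["\']?\s*javascript:/i', $html);
}

// Constructed sample inputs.
$quoteRaw  = "you'll";
$injection = "x' OR 1=1 -- ";
$multiline = "it'll\r\nwork";
$xss       = '<img src="x" onerror="alert(1)">';

echo "double-escaped row: ", stored_text($quoteRaw, true, false), "\n";
echo "normalised row:     ", stored_text($quoteRaw, true, true), "\n";
echo "SQL literal built by the thread's pipeline: '", thread_pipeline($injection, ''), "'\n";
echo "newlines lost:      ", thread_pipeline($multiline, ''), "\n";
echo "kept with binding:  ", render_plain(clean_input($multiline, false)), "\n";
echo "strip_tags keeps:   ", strip_tags($xss, '<img>'), "\n";
echo "flagged: ", var_export(has_unsafe_markup(strip_tags($xss, '<img>')), true), "\n";
```

The first two lines of output contrast the double-escaped row with the normalised one; the third prints the quoted literal the final post's code would splice into its INSERT, with the user's quote unescaped; the last two show that the allowed <img> survives strip_tags() with its event handler intact. The practical rule for this host: undo (or disable) magic quotes on the way in, escape or bind exactly once at the query, never stripslashes() a value that is about to be used in SQL, and treat HTML from the editor as untrusted until a real sanitizer has seen it.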
