Post #1 | Mar 16 2008, 02:12 PM
Premium Member | Group: [HOSTED] | Posts: 223 | Joined: 30-June 07 | Member No.: 23,045
I'm curious as to the best methods of letting users submit data to a MySQL database, displaying that data, and removing any unwanted tags etc. from it.

Currently, there's a handful of PHP functions that I know of to help with this:

Take this forum, as an example. I can quite happily type things such as "<b>foobar</b>" and they display exactly as entered. The quotation marks are left in, the bold tags are displayed, but not carried out. All formatting such as using bold text is done on the user's side with BB Code, which uses square brackets. For now, however, I want to leave this additional formatting alone, and just show precisely what's typed in.

So, back to the textarea idea, let's say we have a form as below:

CODE
<fieldset>
    <legend>Update Text</legend>
    <form action="update_text.php" method="post">
        <textarea cols="100" rows="10" name="text"></textarea><br />
        <input type="submit" name="update" value="Update" />
    </form>
</fieldset>

So whatever the user types in is sent (via POST) to the script update_text.php. In that file we want to store it in a MySQL database. Given that we have a method of identifying the user by an ID (via sessions, most likely), and that the required file connects to the database:

CODE
...
// process input
$text = $_POST['text'];

// access database
require('includes/db.php');
mysql_query('UPDATE members SET text = "' . mysql_real_escape_string($text) . '" WHERE id = "' . mysql_real_escape_string($id) . '"') or die(mysql_error());
...

So, correct me if I'm wrong, but that would store the text so it can be recovered as entered? Newlines ("\n") would be put in, naturally, and any relevant characters would be escaped so that they're stored in MySQL correctly, and the possibility of SQL injection here would be low, right?

The data would now be stored, theoretically exactly as inputted. If we want to get that data back out, so that it's shown by default in the form, we could do so as shown below:

CODE
...
// access database
require('includes/db.php');
$getMember = mysql_query('SELECT text FROM members WHERE id = "' . mysql_real_escape_string($id) . '"') or die(mysql_error());
if (mysql_num_rows($getMember) == 1) {
    // member found
    $row = mysql_fetch_array($getMember);
    $currentText = htmlspecialchars($row['text']);
}
...

...and then echo $currentText between the textarea tags in the form? htmlspecialchars() would need to be used, I believe, to stop people from closing the textarea early themselves and going on to do anything else they want. I'm pretty sure no other functions in the list above need to be used, but I'd like to confirm that.

Then, when displaying the text (i.e. not in the textarea), I assume something like this could be used:

CODE
...
// access database
require('includes/db.php');
$getMember = mysql_query('SELECT text FROM members WHERE id = "' . mysql_real_escape_string($id) . '"') or die(mysql_error());
if (mysql_num_rows($getMember) == 1) {
    // member found
    $row = mysql_fetch_array($getMember);
    $text = nl2br(htmlspecialchars($row['text']));
}
...

...which is identical to the previous method except for the use of nl2br() as well. Note that it's used after htmlspecialchars(), as otherwise the "<br />" tags would be converted to "&lt;br /&gt;" afterwards.

Would any other functions need to be used, or would that simply do the job to a high enough level of security and still give the desired result?

Thanks in advance for any feedback or comments,
Mordent

This post has been edited by Mordent: Mar 16 2008, 06:37 PM
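An added example, not code from the thread: the same update, select and display flow written with PDO prepared statements and context-aware output escaping. It assumes an in-memory SQLite database so it runs stand-alone (only the DSN changes for MySQL), and the member id 7 stands in for the id the thread takes from the session.

```php
<?php
declare(strict_types=1);
// Added example, not the thread's code. SQLite in-memory DB is assumed so the
// script runs offline; with MySQL only the PDO DSN and credentials differ.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE members (id INTEGER PRIMARY KEY, text TEXT)');
$pdo->exec("INSERT INTO members (id, text) VALUES (7, '')");

// Store: the value is bound to a placeholder, so it is never part of the
// SQL string and no escaping function has to match the connection charset.
function updateText(PDO $pdo, int $id, string $text): void {
    $stmt = $pdo->prepare('UPDATE members SET text = :text WHERE id = :id');
    $stmt->execute([':text' => $text, ':id' => $id]);
}

// Fetch the raw stored text, exactly as entered, with no escaping yet.
function fetchText(PDO $pdo, int $id): ?string {
    $stmt = $pdo->prepare('SELECT text FROM members WHERE id = :id');
    $stmt->execute([':id' => $id]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row['text'];
}

// Escape at output time, for the context the text lands in. ENT_QUOTES
// also encodes single quotes; the charset makes multibyte input consistent.
function forTextarea(string $text): string {
    return htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
}
function forDisplay(string $text): string {
    return nl2br(forTextarea($text));   // escape first, then insert <br />
}

// Constructed input: quotes and a backslash that would break a concatenated
// query, plus markup that would close the textarea early if echoed raw.
$input = "it's \"quoted\" \\ </textarea><b>x</b>\nline 2";
updateText($pdo, 7, $input);
$stored = fetchText($pdo, 7);
if ($stored !== $input) {
    throw new RuntimeException('text did not round-trip unchanged');
}
echo '<textarea name="text">' . forTextarea($stored) . "</textarea>\n";
echo forDisplay($stored), "\n";
```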
Post #2 | Apr 19 2008, 07:52 AM
Member [ Level 1 ] | Group: [HOSTED] | Posts: 40 | Joined: 17-April 08 | Member No.: 29,853
I'm afraid I can't give you a very clear answer, but htmlspecialchars () would effectively remove anything that could be maliciously (bad choice of word) interpreted in HTML. So as far as security goes, you're fine. Now we just have to worry about formatting. Essentially, the <pre> tag would make text appear exactly as shown, so we just have to think about what the <pre> tag really does.

So it turns out the <pre> tag simply treats newlines and spaces as they are entered. So we just have to format those. nl2br () would take care of the newlines, but the spaces are still unaccounted for. But this may be a simple matter... we wouldn't be able to use a regular expression to replace multiple spaces with &nbsp; if there were tags in the midst (since <a  href=""> is the same as <a href=""> and not <a&nbsp;href="">). HOWEVER, there are no tags here! Text is being displayed exactly as it is. So we have a regular expression: (\s{2,})

Also... I just remembered... we have to watch out for tabs, too. Tabs (unfortunately) cannot be forced to print as a space can with &nbsp;, but you can use to make it slightly more html-friendly. So my final answer would be:

CODE
<?php
$text = 'your mysql variable';
$text = htmlspecialchars ($text);
// runs of two or more spaces: one &nbsp; per space
$text = preg_replace_callback ('/(\x20{2,})/', create_function ('$matches', '$list = \'\'; for ($i = 0; $i < strlen ($matches[1]); $i++) $list .= \'&nbsp;\'; return $list;'), $text);
// runs of two or more tabs (the entity used here was lost from the post; &nbsp; assumed)
$text = preg_replace_callback ('/(\x09{2,})/', create_function ('$matches', '$list = \'\'; for ($i = 0; $i < strlen ($matches[1]); $i++) $list .= \'&nbsp;\'; return $list;'), $text);
$text = nl2br ($text);
echo $text;
?>

That would work. My create_function is slightly sloppy, so you might want to fix that up if you can find a better way haha..

P.S. The only way you could "make tabs format" is if you decided to replace each tab with, say, 5 spaces. It's not the same idea as the tab (since a tab has variable space) but it's close. That would be this:

CODE
// every tab, not just runs of them, becomes five &nbsp;
$text = preg_replace_callback ('/(\x09+)/', create_function ('$matches', '$list = \'\'; for ($i = 0; $i < 5 * strlen ($matches[1]); $i++) $list .= \'&nbsp;\'; return $list;'), $text);

Hope this helps!!!
- Jared
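An added example, not Jared's code: the same escape, then expand whitespace, then nl2br pipeline written with an anonymous function instead of create_function (which PHP 8 removed), with the order of the steps made explicit. The $tabWidth parameter and the sample text are assumptions.

```php
<?php
declare(strict_types=1);
// Added example, not from the thread. $tabWidth is an assumed parameter.
function formatPlainText(string $text, int $tabWidth = 4): string {
    // 1. Escape first, so nothing the user typed is ever parsed as HTML.
    $html = htmlspecialchars($text, ENT_QUOTES, 'UTF-8');

    // 2. Tabs have no HTML equivalent; expand each one to a fixed number of
    //    non-breaking spaces (an approximation, as the post says).
    $html = str_replace("\t", str_repeat('&nbsp;', $tabWidth), $html);

    // 3. Browsers collapse runs of spaces. Keep runs of two or more by
    //    turning every space in the run into &nbsp;; single spaces are left
    //    alone so long lines can still wrap.
    $html = preg_replace_callback('/ {2,}/', function (array $m): string {
        return str_repeat('&nbsp;', strlen($m[0]));
    }, $html);

    // 4. Newlines last, after escaping, so the inserted <br /> survives.
    return nl2br($html);
}

// Constructed sample: markup, a tab-indented line and a double space.
$sample = "<b>not bold</b>\n\tindented  twice\nend";
echo formatPlainText($sample), "\n";
```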