...

View Full Version : Stripslashes or Htmlspecialchars??



gc40
08-24-2007, 01:36 PM
Greetings All,
I wrote a script to update my news article. However, when I go to edit the title and news, if a ' exist, then the update fails. I know from previous work, that either slipslashes or htmlspecialchars should do the trick, I am just not sure which one, or where to put them.

Would anyone be able to point me in the right direction of where I should include these statements... or if you have an alternative fix, please post.

Keep in mind that I can update articles once the article Title or News body doesn't contain a ' inside of the content. Once a ' exist, then it crashes the script and nothing updates.

Here is the script below:



<script language="javascript" type="text/javascript" src="jscripts/tiny_mce/tiny_mce.js"></script>
<script language="javascript" type="text/javascript">
// Notice: The simple theme does not use all options some of them are limited to the advanced theme
tinyMCE.init({
mode : "textareas",
theme : "simple"
});
</script>
<?php
//error_reporting(E_ALL);
include ("../class/config.php");
$today = date("Y-m-d");

$submit=$_REQUEST['submit'];
$id=$_REQUEST['id'];
$del=$_REQUEST['del'];
$year=$_REQUEST['year'];
$month=$_REQUEST['month'];
$day=$_REQUEST['day'];

if(isset($submit))
{
$fulldate = $year . "-" . $month . "-" . $date;

if($submit == 'Delete')
{
$sql = "delete from news_saxon_saxon where NEWSID = '$id'";

$result = mysql_query($sql, $db);

if($result)
{
echo("The news article was deleted successfully.");
echo("<form action='news_admin_index.php?action=editnews' method='POST'><p>");
echo("<input type='submit' name='submit' value='OK' class=\"submit button\"></form)");
}

}

else if($submit == 'Update')
{
$news=$_POST['NEWS'];
$title=$_POST['TITLE'];
$postdate = $year."-".$month."-".$day;
$sql = "update news_saxon_saxon set TITLE='$title',NEWS='$news', Date='$postdate' where NEWSID='$id'";

$result = mysql_query($sql, $db);
if($result)
{
echo "$sql";
echo("The news article was updated successfully.");
echo("<form action='news_admin_index.php?action=editnews' method='POST' onSubmit='fnsubmit()'>");
echo("<input type='submit' name='submit' value='OK' class=\"submit button\"></form)");
}

}



else if (($submit == 'Cancel') || ($submit == 'OK'))
{ //header("Location:http://www.bviddm.com/control/nav_index.php?action=editstory");
?>
<script language="Javascript" type="text/javascript">
document.location.href='news_admin_index.php?action=editnews'
</script>
<?
}
}


else
{

if(isset($del))
{
$sql = "select * from news_saxon_saxon where NEWSID = '$id'";
$navset = mysql_query($sql, $db);
$onenav = mysql_fetch_object($navset);
echo("Are you sure you want to delete this news article ");
echo($onenav->NEWSID);
echo("?");
echo("<form action='news_admin_index.php?action=editnews' method='POST' onSubmit='fnsubmit()'>");
echo("<input type='hidden' name='id' value=" . $onenav->NEWSID . ">");
echo("<table><tr><td><input type='submit' name='submit' value='Delete' class=\"submit button\"></td><td><input type='submit' name='submit' value='Cancel' class=\"submit button\"></td></tr></table></form)");
}
else
{
if(isset($id))
{
$sql = "select * from news_saxon_saxon where NEWSID = '$id'";
$postdate = $year."-".$month."-".$day;
$navset = mysql_query($sql, $db);
$onenav = mysql_fetch_object($navset);
//list($year, $month, $day) = explode ("-", $row['DATE']);
list($year, $month, $day) = explode ("-", date("Y-m-d"));
?>
<form action= "news_admin_index.php?action=editnews" method="post">
<input type='hidden' name='id' value=<?php echo($id); ?>>
<table>
<tr><td>Day:</td><td>
<select name="day" id="day" value=<?php echo($day); ?>>
<?php
for ($i = 1; $i <= 31; $i++)
{
if ($i == $day) echo "<option value=\"$i\" selected=\"selected\">$i</option>\n";
else echo "<option value=\"$i\">$i</option>\n";
}
?>
</select>
</td>
</tr>
<tr>
<td>Month:</td><td>
<select name="month" id="month" value=<?php echo($month); ?>>
<?php
$monthList=array(
1 => "January",
2 => "February",
3 => "March",
4 => "April",
5 => "May",
6 => "June",
7 => "July",
8 => "August",
9 => "September",
10 => "October",
11 => "November",
12 => "December");

foreach($monthList as $code => $monthname)
{
if ($code == $month) echo "<option value=\"$code\" selected=\"selected\">$monthname</option>\n";
else echo "<option value=\"$code\">$monthname</option>\n";

}
?>
</select>
</td></tr>
<tr>
<td>Year:</td><td>
<select name="year" id="year" value=<?php echo($year); ?>>
<?php
$this_year = date("Y");
for ($i = $this_year; $i <= $this_year+10; $i++)
{
if ($i == $year) echo "<option value=\"$i\" selected=\"selected\">$i</option>\n";
else echo "<option value=\"$i\">$i</option>\n";
}
?>
</select><?php $postdate = $year."-".$month."-".$day;?></td>
</tr> <tr><td>Title</td><td><input type="text" name="TITLE" value=<?php echo($onenav->TITLE);?>></td></tr>
<tr><td>News</td><td><textarea name="NEWS" id="NEWS"><?php echo($onenav->NEWS);?></textarea></td></tr>
<tr><td colspan="2"><input type="submit" value="Update" name="submit" class="submit button"></td></tr>
</table>
</form>
<?php
}

else
{
?>

<table width="100%">
<tr><th class='right_title'>Date</th><th class='right_title'>Title</th>
<th colspan=2><center>Action</center></th></tr>

<?php

$navquery = "select * from news_saxon_saxon";

$navresult = mysql_query($navquery);
while ($row = mysql_fetch_object($navresult))
{
echo ("<tr>"."<td>".$row->DATE."</td>"."<td>".$row->TITLE."</td>");

echo("<td>"."<p align='center'>"."<a href='news_admin_index.php?action=editnews&id=$row->NEWSID'>"."<img src='..\images\button_edit.png' border='0' alt="."Edit".">"."</td>".
"<td><p align='center'>"."<a href='news_admin_index.php?action=editnews&id=$row->NEWSID&del=$row->NEWSID'>"."<img src='..\images\button_drop.png' border='0' alt="."Delete"."></td></tr>");
}

}
?>


</table>
<?php

}} ?>

Nightfire
08-24-2007, 01:45 PM
You want addslashes() (http://php.net/addslashes)

gc40
08-24-2007, 01:53 PM
You want addslashes() (http://php.net/addslashes)


Where would I add them, and what should I type? Can you give me an example using my code...

usik
08-24-2007, 01:56 PM
replace the $sql variable with the following


$sql = sprintf("update news_saxon_saxon set TITLE='%s',NEWS='%s', Date='$postdate' where NEWSID='$id'",
mysql_real_escape_string($title),
mysql_real_escape_string($news)
);



EZ Archive Ads Plugin for vBulletin Copyright 2006 Computer Help Forum