PHP saving file, but adding slashes...



martynball
01-27-2010, 07:40 PM
I have managed to get PHP to save form data to a file, but it is automatically adding slashes to quotation marks etc.

How can I stop this?



//Check page has been opened using link
if ($pageTopic != "") {
}
else {
echo "URl variable not set, please load page using given link, <a href=\"index.php\">Back!</a>";
}
$theData = "../includes/$pageTopic"."Content.txt";
//Edit page
if (isset($_POST['saveFile'])) {
// Filename
$myFile = "../includes/$pageTopic"."Content.txt";
$fh = fopen($myFile, 'w') or die("can't open file");
//Get form data
$stringData = $_POST['content'];
//Write to file and close
fwrite($fh, $stringData);
fclose($fh);
}

JAY6390
01-27-2010, 07:42 PM
You have magic quotes turned on. Just use the stripslashes() (http://www.php.net/stripslashes) function

martynball
01-27-2010, 08:13 PM
I may need to add slashes though as the editor is allowed to use HTML. Is there a way to turn magic quotes off?

JAY6390
01-27-2010, 08:32 PM
Put set_magic_quotes_runtime(false); at the top of your script.

martynball
01-27-2010, 08:34 PM
It's still doing it :(



//********************************//
// EDITING PAGE CONTENT SCRIPT //
//********************************//
//Edit page
$theData = "../includes/$pageTopic"."Content.txt";
$includeData = "TRUE";
if (isset($_POST['saveFile'])) {
set_magic_quotes_runtime(false);
// Filename
$myFile = "../includes/$pageTopic"."Content.txt";
$fh = fopen($myFile, 'w') or die("can't open file");
//Get form data
$stringData = $_POST['content'];
//Write to file and close
fwrite($fh, $stringData);
fclose($fh);
}
}
else {

MattF
01-27-2010, 09:14 PM
Use this in the base file, or at the VERY top of that script, just after the opening php tag.



if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc())
{
function strip_slashes($input)
{
if (!is_array($input))
{
return stripslashes($input);
}
else
{
return array_map('strip_slashes', $input);
}
}
$_GET = strip_slashes($_GET);
$_POST = strip_slashes($_POST);
$_COOKIE = strip_slashes($_COOKIE);
$_REQUEST = strip_slashes($_REQUEST);
}

martynball
01-27-2010, 09:18 PM
That has bogged up the rest of my code.



<?php
session_start();
if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc())
{
$_GET = strip_slashes($_GET);
$_POST = strip_slashes($_POST);
$_COOKIE = strip_slashes($_COOKIE);
$_REQUEST = strip_slashes($_REQUEST);
}
if(isset($_SESSION['session']) && $_SESSION['permissions'] == "e"){
//user is logged-in, so do nothing
}
else {
//user needs to log in.
header ("location: ../scripts/php/login.php?mess=You do not have access to this area!");
}
// ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^//

//Additional information about what is being edited.
$pageTitle = "";
$pageTopic = $_GET['page'];
if ($_GET['editType'] == "page") {
$pageTitle = "<h1>Editing main page content!</h1>";
}
else {
$pageTitle = "<h1>Editing comment content!</h1>";
}

//Check page has been opened using link
if ($pageTopic != "" && $_GET['editType'] != "") {
if ($pageTitle == post) {
if ($_GET['pid'] != "") {
}
}
}
else {
header ("location: ../index.php");
}

if ($_GET['editType'] == "page") {

//********************************//
// EDITING PAGE CONTENT SCRIPT //
//********************************//
//Edit page
$theData = "../includes/$pageTopic"."Content.txt";
$includeData = "TRUE";
if (isset($_POST['saveFile'])) {
// Filename
$myFile = "../includes/$pageTopic"."Content.txt";
$fh = fopen($myFile, 'w') or die("can't open file");
//Get form data
$stringData = $_POST['content'];
//Write to file and close
fwrite($fh, $stringData);
fclose($fh);
$success = "<h4>Successfully updated page!</h4>";
}
?>
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>Page Editor</title>
<link rel="stylesheet" href="../css/mainsheet.css"/>
<script type="text/javascript" src="../scripts/js/hoverFix.js"></script>
</head>
<body>
<div class="container" style="padding:3em 0em;">
<?php echo "$pageTitle"; ?><br />
<span class="editorButton">AL</span>
<span class="editorButton">AM</span>
<span class="editorButton">AR</span>
<span class="editorButton">B</span>
<span class="editorButton">I</span>
<span class="editorButton">U</span>
<span class="editorButton">JS</span>
<span class="editorButton">JS</span>
<form method="post" name="editPage">
<textarea name="content" class="field" cols="120" rows="20"><?php echo "$theData"; ?></textarea><br />
<input type="submit" name="saveFile" value="Save File"><br />
<a href="../<?php echo "$pageTopic"; ?>.php">-Go Back-</a>
<br /><?php echo "$success"; ?>
</form>
</div>
</body>
</html>
<?php
}
else {

//********************************//
// EDITING POST CONTENT SCRIPT //
//********************************//
//Get Post ID
$pid = $_GET['postid'];
include "../scripts/php/db.connect.php";
$result = mysql_query("SELECT * from stokegta_posts WHERE postID='$pid'") or die ('Error: '.mysql_error());
$row = mysql_fetch_array($result);

//Variables
$postComment=$row['postComment'];
$srid = $_SESSION['session'];
$srid = explode(".", $srid);
$username = $srid[0];

if (!$row) {
echo "Error getting data for this post!";
}
if (isset($_POST['submitMessage'])) {

}
?>
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>Page Editor</title>
<link rel="stylesheet" href="../css/mainsheet.css"/>
<script type="text/javascript" src="../scripts/js/hoverFix.js"></script>
</head>
<body>
<div class="container" style="padding:3em 0em;">
<?php echo "$pageTitle"; ?><br />
<fieldset><legend>Edit Comment:</legend>
<form name="editComment" method="post">
<textarea class="field" cols="70" rows="10" name="message">
<?php echo "$postComment"; ?> - Comment edited by <?php echo $srid[0]; ?>
</textarea><br />
<input type="button" name="submitMessage" value="Edit Message">
</form>
</fieldset>
<a href="../<?php echo "$pageTopic"; ?>.php">-Go Back-</a>
<?php } ?>

MattF
01-27-2010, 09:20 PM
Check the update I made to my initial post. I forgot to include the function. :D

martynball
01-27-2010, 09:38 PM
Awesome, cheers. Works now :)

martynball
01-27-2010, 09:54 PM
Another question, how can I do this:


"INSERT INTO stokegta_posts (postComment) VALUES ('".$message."') WHERE postID='$pid'";


I am just getting errors the way I have done it.

MattF
01-27-2010, 10:56 PM
"INSERT INTO stokegta_posts (postComment) VALUES ('".mysql_real_escape_string($message)."') WHERE postID='$pid'";


I would suggest escaping all input to the DB on that page using the same method now. That's what magic_quotes was doing, essentially.

martynball
01-27-2010, 11:10 PM
I will do, but the command does not work...



You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'WHERE postID='21'' at line 1

MattF
01-27-2010, 11:28 PM
You do UPDATE on an existing entry and INSERT INTO to create a new entry. Which are you doing?

JAY6390
01-28-2010, 01:56 AM
You should use mysql_real_escape_string on all data you put in your SQL queries.
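
As an added example (not code from any poster in the thread): the comment edit discussed in the last few posts, written as an UPDATE with bound parameters through PDO, so that quotes and HTML in the comment are stored unchanged without manual escaping or magic quotes. The table and column names are taken from the thread; the in-memory SQLite database, the sample rows and the function names updateComment and readComment are assumptions made for the example.

```php
<?php
// Added example: table and column names come from the thread; the in-memory
// SQLite database and the sample rows are constructed so this runs offline.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE stokegta_posts (postID INTEGER PRIMARY KEY, postComment TEXT)');
$db->exec("INSERT INTO stokegta_posts (postID, postComment) VALUES (21, 'old'), (22, 'untouched')");

/**
 * Change an existing comment. UPDATE (not INSERT) is the statement that
 * takes a WHERE clause, and bound parameters keep the values out of the
 * SQL text entirely. Returns the number of rows changed.
 */
function updateComment(PDO $db, $pid, string $message): int
{
    // Accept only a plain positive integer as the post ID.
    $id = filter_var($pid, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        return 0;
    }
    $stmt = $db->prepare('UPDATE stokegta_posts SET postComment = :msg WHERE postID = :id');
    $stmt->execute([':msg' => $message, ':id' => $id]);
    return $stmt->rowCount();
}

/** Fetch one comment by ID, or null when the row does not exist. */
function readComment(PDO $db, int $id): ?string
{
    $stmt = $db->prepare('SELECT postComment FROM stokegta_posts WHERE postID = :id');
    $stmt->execute([':id' => $id]);
    $value = $stmt->fetchColumn();
    return $value === false ? null : $value;
}

// Constructed input: HTML with both quote styles, as the editor allows.
$message = '<a href="index.php">It\'s "quoted"</a>';

// Valid ID: update the row, then compare the stored text with the input.
var_dump(updateComment($db, '21', $message));
var_dump(readComment($db, 21) === $message);

// Constructed malformed ID: refused before any SQL runs; row 22 is then re-read.
var_dump(updateComment($db, "21' OR '1'='1", 'x'));
var_dump(readComment($db, 22));
```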


