Hello and welcome to our community! Is this your first visit?
Register
Enjoy an ad free experience by logging in. Not a member yet? Register.
Results 1 to 4 of 4
  1. #1
    New Coder
    Join Date
    Aug 2007
    Posts
    46
    Thanks
    0
    Thanked 0 Times in 0 Posts

    Stripslashes or Htmlspecialchars??

    Greetings All,
    I wrote a script to update my news article. However, when I go to edit the title and news, if a ' exist, then the update fails. I know from previous work, that either slipslashes or htmlspecialchars should do the trick, I am just not sure which one, or where to put them.

    Would anyone be able to point me in the right direction of where I should include these statements... or if you have an alternative fix, please post.

    Keep in mind that I can update articles once the article Title or News body doesn't contain a ' inside of the content. Once a ' exist, then it crashes the script and nothing updates.

    Here is the script below:

    PHP Code:
    <script language="javascript" type="text/javascript" src="jscripts/tiny_mce/tiny_mce.js"></script>
    <script language="javascript" type="text/javascript">
        // Notice: The simple theme does not use all options some of them are limited to the advanced theme
        tinyMCE.init({
            mode : "textareas",
            theme : "simple"
        });
    </script>
    <?php
    //error_reporting(E_ALL);
    include ("../class/config.php");
    $today date("Y-m-d");

    $submit=$_REQUEST['submit'];
    $id=$_REQUEST['id'];
    $del=$_REQUEST['del'];
    $year=$_REQUEST['year'];
    $month=$_REQUEST['month'];
    $day=$_REQUEST['day'];

    if(isset(
    $submit))
    {
        
    $fulldate $year "-" $month "-" $date;

      if(
    $submit == 'Delete')
        {
            
    $sql "delete from news_saxon_saxon where NEWSID = '$id'";
        
            
    $result mysql_query($sql$db);

            if(
    $result)
            {
                echo(
    "The news article was deleted successfully.");
                echo(
    "<form action='news_admin_index.php?action=editnews' method='POST'><p>");
                echo(
    "<input type='submit' name='submit' value='OK' class=\"submit button\"></form)");
            }

        }

        else if(
    $submit == 'Update')
        {
            
    $news=$_POST['NEWS'];
            
    $title=$_POST['TITLE'];
            
    $postdate $year."-".$month."-".$day;
            
    $sql "update news_saxon_saxon set TITLE='$title',NEWS='$news', Date='$postdate' where NEWSID='$id'";

            
    $result mysql_query($sql$db);
            if(
    $result)
            {
                echo 
    "$sql";
                echo(
    "The news article was updated successfully.");
                echo(
    "<form action='news_admin_index.php?action=editnews' method='POST' onSubmit='fnsubmit()'>");
                echo(
    "<input type='submit' name='submit' value='OK' class=\"submit button\"></form)");
            }

        }
        
         

        else if ((
    $submit == 'Cancel') || ($submit == 'OK'))
        {     
    //header("Location:http://www.bviddm.com/control/nav_index.php?action=editstory"); 
            
    ?>
            <script language="Javascript" type="text/javascript"> 
            document.location.href='news_admin_index.php?action=editnews'
            </script>
           <?
        
    }
    }


    else
    {
        
        if(isset(
    $del))
        {
            
    $sql "select * from news_saxon_saxon where NEWSID = '$id'";
            
    $navset mysql_query($sql$db);
            
    $onenav mysql_fetch_object($navset);
            echo(
    "Are you sure you want to delete this news article ");
            echo(
    $onenav->NEWSID);
            echo(
    "?");
            echo(
    "<form action='news_admin_index.php?action=editnews' method='POST' onSubmit='fnsubmit()'>");
            echo(
    "<input type='hidden' name='id' value=" $onenav->NEWSID ">");
            echo(
    "<table><tr><td><input type='submit' name='submit' value='Delete' class=\"submit button\"></td><td><input type='submit' name='submit' value='Cancel' class=\"submit button\"></td></tr></table></form)");
        }
        else
        {
            if(isset(
    $id))
            {
        
    $sql "select * from news_saxon_saxon where NEWSID = '$id'";
        
    $postdate $year."-".$month."-".$day;
        
    $navset mysql_query($sql$db);
        
    $onenav mysql_fetch_object($navset);
        
    //list($year, $month, $day) = explode ("-", $row['DATE']);
        
    list($year$month$day) = explode ("-"date("Y-m-d"));
                
    ?>
        <form action= "news_admin_index.php?action=editnews" method="post">
        <input type='hidden' name='id' value=<?php echo($id); ?>>
        <table>
        <tr><td>Day:</td><td>
        <select name="day" id="day" value=<?php echo($day); ?>>
        <?php
        
    for ($i 1$i <= 31$i++)
        {
            if (
    $i == $day) echo "<option value=\"$i\" selected=\"selected\">$i</option>\n";
            else echo 
    "<option value=\"$i\">$i</option>\n";
        }
        
    ?>
        </select> 
        </td>
        </tr>
        <tr>
            <td>Month:</td><td> 
            <select name="month" id="month" value=<?php echo($month); ?>>
            <?php
                $monthList
    =array(
                
    => "January",
                
    => "February",
                
    => "March",
                
    => "April",
                
    => "May",
                
    => "June",
                
    => "July",
                
    => "August",
                
    => "September",
                
    10 => "October",
                
    11 => "November",
                
    12 => "December");
            
            foreach(
    $monthList as $code => $monthname)
            {
                if (
    $code == $month) echo "<option value=\"$code\" selected=\"selected\">$monthname</option>\n";
                else echo 
    "<option value=\"$code\">$monthname</option>\n";
            
            }
            
    ?>
            </select> 
            </td></tr>
            <tr>
            <td>Year:</td><td>
            <select name="year" id="year" value=<?php echo($year); ?>>
            <?php
            $this_year 
    date("Y");
            for (
    $i $this_year$i <= $this_year+10$i++)
            {
                if (
    $i == $year) echo "<option value=\"$i\" selected=\"selected\">$i</option>\n";
                else echo 
    "<option value=\"$i\">$i</option>\n";
            }
            
    ?>
            </select><?php $postdate $year."-".$month."-".$day;?></td>
            </tr>    <tr><td>Title</td><td><input type="text" name="TITLE" value=<?php echo($onenav->TITLE);?>></td></tr>
        <tr><td>News</td><td><textarea name="NEWS" id="NEWS"><?php echo($onenav->NEWS);?></textarea></td></tr>
        <tr><td colspan="2"><input type="submit" value="Update" name="submit" class="submit button"></td></tr>
        </table>
    </form>
    <?php
            
    }
        
            else 
            {
    ?>

    <table width="100%">
     <tr><th class='right_title'>Date</th><th class='right_title'>Title</th>
     <th colspan=2><center>Action</center></th></tr>

     <?php

    $navquery 
    "select * from news_saxon_saxon";

    $navresult mysql_query($navquery);
     while (
    $row mysql_fetch_object($navresult))
    {
        echo (
    "<tr>"."<td>".$row->DATE."</td>"."<td>".$row->TITLE."</td>");

    echo(
    "<td>"."<p align='center'>"."<a href='news_admin_index.php?action=editnews&id=$row->NEWSID'>"."<img src='..\images\button_edit.png' border='0' alt="."Edit".">"."</td>".
    "<td><p align='center'>"."<a href='news_admin_index.php?action=editnews&id=$row->NEWSID&del=$row->NEWSID'>"."<img src='..\images\button_drop.png' border='0' alt="."Delete"."></td></tr>");
     }
     
            }
     
    ?>
     
     
    </table>
    <?php

    }} ?>

  • #2
    Senior Coder Nightfire's Avatar
    Join Date
    Jun 2002
    Posts
    4,266
    Thanks
    6
    Thanked 48 Times in 48 Posts
    You want addslashes()

  • #3
    New Coder
    Join Date
    Aug 2007
    Posts
    46
    Thanks
    0
    Thanked 0 Times in 0 Posts
    Quote Originally Posted by Nightfire View Post
    You want addslashes()

    Where would I add them, and what should I type? Can you give me an example using my code...

  • #4
    New Coder
    Join Date
    Aug 2007
    Location
    Wagga, Australia
    Posts
    59
    Thanks
    0
    Thanked 1 Time in 1 Post
    replace the $sql variable with the following
    PHP Code:
    $sql sprintf("update news_saxon_saxon set TITLE='%s',NEWS='%s', Date='$postdate' where NEWSID='$id'"
    mysql_real_escape_string($title),
    mysql_real_escape_string($news)
    ); 


  •  

    Posting Permissions

    • You may not post new threads
    • You may not post replies
    • You may not post attachments
    • You may not edit your posts
    •