Outputting HTML

01-05-2008, 03:45 AM
I have a form that I would like for people to be able to add HTML. But when I put in a link (<a href="www.yahoo.com">yahoo.com</a>), it outputs the whole string and not just the HTML.

What I would like to do is have it so that if someone inputs www.yahoo.com, it will automatically make it a link.

So my two questions are: how do I make it so that I can add HTML, and how can I make it so that it automatically makes the URL a link?

Here is the code that I am using right now without the form.

$sql_query = "SELECT member_id from experts_post_answer WHERE forum_post_id={$_GET['id']} AND member_id={$_SESSION['member_id']}";
$sql=mysql_query($sql_query) or die(mysql_error());

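// The condition line is missing from the archived post; a row-count check is assumed here.
if (mysql_num_rows($sql) > 0) {
echo 'you have already entered an answer for this question. Only one answer allowed.';
}
else {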
echo $_POST['url'];
echo '<h2>Preview your answer</h2>';
echo '<table width="90%" border="0" cellspacing="5">

<td width="25%">Question</td>
<td bgcolor="fff883"><div style="margin-left:10px;margin-top:15px;margin-bottom:15px;"><strong>'.$_POST['heading'].'</strong></div><div style="position:relative;margin-left:25px;margin-top:15px;margin-bottom:15px;">'.$_POST['question'].'</div></td>

<td>You are:</td>
<td bgcolor="fff883"><div style="margin-left:10px;margin-top:15px;margin-bottom:15px;">'.$_SESSION['member_name'].'</div></td>
<td >Your answer:</td>
<td bgcolor="fff883"><div style="margin:10px;">'.$_POST['answer'].'</div></td>
<td ></td> <td>

<form action="/modify_question/modify" method="post">
<input name="heading" type="hidden" value="'.$_POST['heading'].'" />
<input name="question" type="hidden" value="'.$_POST['question'].'" />
<input name="answer" type="hidden" value="'.$_POST['answer'].'" />
<input name="url" type="hidden" value="'.$_POST['url'].'" />
<input name="submit" type="submit" value="Modify" /></form>

<form action="/answered/insert/'.$ncat_id.'/'.$f_id.'/'.$post_id1.'" method="post">'; ?>

<input name="heading" type="hidden" value="<?=$_POST['heading']?>" />
<input name="question" type="hidden" value="<?=$_POST['question']?>" />
<input name="answer" type="hidden" value="<?=$_POST['answer']?>" />
<input name="url" type="hidden" value="<?=$_POST['url']?>" />
<input name="submit" type="submit" value="Submit Question" /></form>



01-05-2008, 05:24 AM
I think what you're going to need to use is a regular expression.

Something like this...

$text = $_POST['answer']; //or whatever other variable you want
// No /e modifier: it evaluated the replacement as PHP code and was removed in PHP 7.
$text = preg_replace('=(\s|^)(((.*:)?.*@)?www\.[a-z0-9\-._~/%&\?\=#;]+)(\s|$)=i', '$1<a href="http://$2" target="_blank">$2</a>$5', $text);

On a side note, your query is extremely vulnerable to SQL injection hacks. Something like...

http://localhost/index.php?id=1;drop table TABLE_NAME;SELECT * FROM TABLE_NAME WHERE 1

would drop / delete the table named "TABLE_NAME" from your database :eek:

Better to do something like this...

$id = preg_replace("/\D/","",$_GET['id']);

or some other filtering to make sure that it's valid data.
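
An added example, not code from either poster: the experts_post_answer lookup with strict id validation and bound parameters, run against the sample string from the reply above. It goes beyond the digit-stripping line by rejecting malformed ids outright (stripping non-digits from that sample string leaves "11", a different id, and leaves an empty string for input with no digits). The helper names parse_id and already_answered, the PDO/SQLite in-memory table, and its rows are assumptions made for illustration.

```php
<?php
// Added example: validate the id, then bind it. Table contents are constructed.

// Accept only a plain positive integer; return null instead of "repairing" the input.
function parse_id($raw): ?int
{
    $id = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

// True when the member has already answered this post. Values are bound, never concatenated.
function already_answered(PDO $pdo, int $postId, int $memberId): bool
{
    $stmt = $pdo->prepare(
        'SELECT 1 FROM experts_post_answer WHERE forum_post_id = :post AND member_id = :member'
    );
    $stmt->execute([':post' => $postId, ':member' => $memberId]);
    return $stmt->fetchColumn() !== false;
}

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE experts_post_answer (forum_post_id INTEGER, member_id INTEGER)');
$pdo->exec('INSERT INTO experts_post_answer VALUES (1, 7), (11, 7)'); // constructed rows

$memberId = 7; // stands in for $_SESSION['member_id']
$inputs = [
    '1',
    '1;drop table TABLE_NAME;SELECT * FROM TABLE_NAME WHERE 1', // the string from the reply above
    'abc',
];

foreach ($inputs as $raw) {
    $stripped = preg_replace('/\D/', '', $raw); // digit stripping, shown for comparison only
    $id = parse_id($raw);
    if ($id === null) {
        echo "rejected: '$raw' (digit stripping would have produced '$stripped')\n";
        continue;
    }
    $state = already_answered($pdo, $id, $memberId) ? 'already answered' : 'no answer yet';
    echo "id $id: $state\n";
}
```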