PHP programming forum. Ask questions or help people concerning PHP code. Don't understand a function? Need help implementing a class? Don't understand a class? Here is where to ask. Remember to do your homework!
chris98 (Forum Contributor; Posts: 103; Joined: Tue Jun 11, 2013 10:47 am; Location: England, United Kingdom)
by chris98 » Thu Aug 29, 2013 8:11 am
Hello, I am using PDO to create a download central.
I want to allow my users to post HTML code in their file description (i.e. <br>, <img>, etc.).
Every time I try, it outputs the exact same code, as if it were text. For example, I might enter:
Code:
<p><br><strong>test</strong> <u>test2</u></p>
The result is exactly the same as I put!
Code:
<p><br><strong>test</strong> <u>test2</u></p>
Why is this?
Why can't it just work?
What do I need to do to make it work?
Celauran (Moderator; Posts: 6427; Joined: Tue Nov 09, 2010 2:39 pm; Location: Montreal, Canada)
by Celauran » Thu Aug 29, 2013 8:13 am
Not much to work with here. Can you post some code?
chris98 (Forum Contributor; Posts: 103; Joined: Tue Jun 11, 2013 10:47 am; Location: England, United Kingdom)
by chris98 » Thu Aug 29, 2013 9:18 am
Code:
<?php
define('PUN_ROOT', dirname(__FILE__).'/../../');
include PUN_ROOT.'include/common.php';

// Guests may not submit files. The exit is needed: header() only sets a
// response header, the rest of the script would still run without it.
if ($pun_user['is_guest']) {
    header("Location: ../../../login.php");
    exit;
}

require_once('general.php');
require_once('db/db_connection.php');

if (isset($_POST['submitBtn'])) {
    $user_id  = $pun_user['id'];
    $username = $pun_user['username'];
    $minimap_uploadLocation = "c:/wamp/www/stronghold2nation/downloads/files/minimaps/";
    $uploadLocation         = "c:/wamp/www/stronghold2nation/downloads/files/downloads/";

    // Every text field is run through htmlentities() before it is stored.
    $format   = isset($_POST['format'])    ? htmlentities($_POST['format'])    : '';
    $name     = isset($_POST['name'])      ? htmlentities($_POST['name'])      : '';
    $size     = isset($_POST['size'])      ? htmlentities($_POST['size'])      : '';
    $text     = isset($_POST['area1'])     ? htmlentities($_POST['area1'])     : '';
    $email    = isset($_POST['email'])     ? htmlentities($_POST['email'])     : '';
    $category = isset($_POST['data_name']) ? htmlentities($_POST['data_name']) : '';
    $date     = date("d/m/Y");

    // basename() drops any directory part the client put in the file name.
    $minimap = isset($_FILES['upfile']['name']) ? basename($_FILES['upfile']['name']) : '';
    $file    = isset($_FILES['ufile']['name'])  ? basename($_FILES['ufile']['name'])  : '';

    // Max file size: 250MB (the upload field is called "ufile").
    if (isset($_FILES['ufile']['size']) && $_FILES['ufile']['size'] > 262144000) {
        exit('Your file size is too big. Please try again.');
    }

    // The preview image is optional; when one is sent it must be an image.
    // pathinfo() returns the whole extension, so "jpeg" is not cut down to "jpe".
    $allowed = array('gif', 'bmp', 'jpg', 'jpeg', 'png');
    if ($minimap !== '') {
        $ext = strtolower(pathinfo($minimap, PATHINFO_EXTENSION));
        if (!in_array($ext, $allowed)) {
            exit('This type of file extension is not allowed. Please upload a valid preview image.');
        }
    }

    // The download itself is required and must be a zip.
    $ext1 = strtolower(pathinfo($file, PATHINFO_EXTENSION));
    if ($ext1 !== 'zip') {
        exit('This type of file extension is not allowed. Please upload a zip file.');
    }

    if ($minimap !== '') {
        if (file_exists("../files/minimaps/".$minimap)) {
            exit('The preview image you are uploading already exists. Please specify a different name, then try again.');
        }
        move_uploaded_file($_FILES['upfile']['tmp_name'], $minimap_uploadLocation.$minimap);
    }

    if (file_exists("../files/downloads/".$file)) {
        exit('The zip file you are uploading already exists. Please specify a different name, and try again.');
    }
    if (!move_uploaded_file($_FILES['ufile']['tmp_name'], $uploadLocation.$file)) {
        exit('There was an error uploading the file. Please try again.');
    }

    // Minimum name and comment length.
    if ((strlen($name) > 2) && (strlen($text) > 5)) {
        $sql = "INSERT INTO downloads_unchecked (name,username,userid,size,text,minimap,date,file,category,email) VALUES (
        :name,:username,:userid,:size,:text,:minimap,:date,:file,:category,:email)";
        $ps = $pdo->prepare($sql);
        $ps->execute(array(':name'     => $name,
                           ':username' => $username,
                           ':userid'   => $user_id,
                           ':size'     => $size,
                           ':text'     => $text,
                           ':minimap'  => $minimap,
                           ':date'     => $date,
                           ':file'     => $file,
                           ':category' => $category,
                           ':email'    => $email));
    }
    header("Location: thank_you.php");
    exit;
}
else {
?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "DTD/xhtml1-transitional.dtd">
<html>
<head>
<title>Add a file to Stronghold 2 Nation</title>
<link href="style/style.css" rel="stylesheet" type="text/css" />
<link href="style/button.css" rel="stylesheet" type="text/css" />
<link rel="stylesheet" type="text/css" href="../style.css" />
<link rel="stylesheet" type="text/css" href="style/style2.css" />
<script type="text/javascript" src="http://js.nicedit.com/nicEdit-latest.js"></script>
<script type="text/javascript">
//<![CDATA[
bkLib.onDomLoaded(function() { nicEditors.allTextAreas() });
//]]>
</script>
</head>
<body>
<div id="page">
<div id="pagetop">
<h1>Submit a File to Stronghold 2 Nation (page 2 of 2)</h1>
<div class="links">
<ul>
</ul>
</div>
</div>
<div id="main">
<div id="formheader">Add your file to Stronghold 2 Nation!<br><br>Required Fields are marked with an Asterisk (*) </div>
<div id="formbody">
<form action="<?php echo htmlspecialchars($_SERVER['PHP_SELF']); ?>" method="post" name="fileform" id="fileform" enctype="multipart/form-data">
<input type="hidden" name="MAX_FILE_SIZE" value="262144000" />
<table align="center">
<tr><th>Category: *</th><td><select name="data_name">
<option value="">--Please Select Your Category--</option>
<option value="Peace Custom">Peace Custom</option>
<option value="Free Build">Free Build</option>
<option value="Kingmaker">Kingmaker</option>
<option value="Custom War">Custom War</option>
<option value="Miscellaneous">Miscellaneous</option>
</select><br></td></tr>
<tr><th>File Name: *</th><td><input name="name" type="text" size="42" maxlength="25" /></td></tr>
<tr><th>File Size:*</th><td><input name="size" type="text" size="4" maxlength="10" /><input name="MB" id="MB" disabled value="MB" size="1" />(Megabytes)<br><a href="size.htm" target="_blank">Click here to learn how to work out the size of your File</a></td></tr>
<tr><th>Full Description of your File:*</th><td><textarea name="area1" cols="42" rows="15" class="textarea"></textarea>This field may <b>not</b> contain html</td></tr>
<tr><th><b>Preview Image</b>:<br></th><td><input class="text" name="upfile" type="file" size="36"><br></td></tr>
<tr><th>File:*<br></th><td><input class="text" name="ufile" type="file" id="ufile" size="36"><br></td></tr>
<tr><th>Email:</th><td><input name="email" type="text" size="42" /></td></tr>
<tr><th colspan="2" align="center"><br/><input class="text" type="submit" name="submitBtn" value="Continue" /><br><br>Your preview image must be less than 40KB, and must be either a PNG, JPEG or GIF image. It will also automatically get sized to 200x200 pixels.</th></tr>
</table>
</form>
</div>
<div id="source"></div>
</div>
</body>
</html>
<?php } ?>
(This is the full code.)
AbraCadaver (DevNet Master; Posts: 2572; Joined: Mon Feb 24, 2003 10:12 am; Location: The Republic of Texas)
by AbraCadaver » Thu Aug 29, 2013 9:29 am
htmlentities() You are transforming the HTML into the entities so that the browser will display the actual characters. Don't htmlentities() before inserting. Use htmlentities() before display if you don't want it treated as HTML.
mysql_function(): WARNING: This extension is deprecated as of PHP 5.5.0, and will be removed in the future. Instead, the MySQLi or PDO_MySQL extension should be used. See also MySQL: choosing an API guide and related FAQ for more information.
Celauran (Moderator; Posts: 6427; Joined: Tue Nov 09, 2010 2:39 pm; Location: Montreal, Canada)
by Celauran » Thu Aug 29, 2013 9:39 am
You're using htmlentities() on the strings before saving them to the database, so you need html_entity_decode() before displaying them.
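The round trip the two replies above describe, as an added example that is not the poster's code. It shows the effect of htmlentities() before the INSERT (the stored markup comes back as literal text) and the part of the answer the replies leave implicit: once the description is stored as real HTML, or decoded with html_entity_decode() on the way out, it is HTML written by an untrusted user, so the page that displays it needs either htmlspecialchars() for fields that must never contain markup, or an allowlist filter for the description, where <br> and <img> are wanted. The tag and attribute lists, the function names and the sample input are this example's own assumptions.

```php
<?php
// Added example, not code from the thread. It shows why htmlentities() before
// the INSERT makes stored HTML render as literal text, and how a description
// that is stored as real HTML can be displayed without letting its author
// inject scripts. Tag/attribute lists, function names and the sample input
// are this example's own assumptions.

// Constructed sample: the description from the thread, plus what an attacker
// adds once the field accepts raw HTML.
$posted = '<p><br><strong>test</strong> <u>test2</u></p>'
        . '<img src="x" onerror="alert(1)">'
        . '<a href="javascript:alert(1)">link</a>'
        . '<script>alert(1)</script>';

// For fields that must never contain markup (name, email, category):
// store the raw value and escape it at output time.
function escape_for_html(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Only these URL schemes survive in href/src; javascript:, data:, vbscript:
// are dropped. Control characters and spaces are removed first because
// browsers ignore them inside a scheme ("java\tscript:").
function safe_url(string $url): bool
{
    $u = preg_replace('/[\x00-\x20\x7f]+/', '', strtolower($url));
    if (!preg_match('/^([a-z][a-z0-9+.\-]*):/', $u, $m)) {
        return true;                                   // no scheme: relative URL
    }
    return in_array($m[1], ['http', 'https', 'mailto'], true);
}

// Allowlist filter for the description field. Tags not in the list are
// unwrapped (their text is kept); script-like tags are removed together with
// their content; attributes not in the list are stripped from allowed tags.
function sanitize_description(string $html): string
{
    $allowed = [
        'p' => [], 'br' => [], 'strong' => [], 'b' => [], 'em' => [], 'i' => [], 'u' => [],
        'ul' => [], 'ol' => [], 'li' => [],
        'a' => ['href'], 'img' => ['src', 'alt'],
    ];
    $dropWithContent = ['script', 'style', 'iframe', 'object', 'embed', 'noscript'];

    $doc = new DOMDocument();
    libxml_use_internal_errors(true);                  // user HTML is rarely well formed
    // The xml encoding prefix makes libxml read the input as UTF-8.
    $doc->loadHTML('<?xml encoding="UTF-8"><body>' . $html . '</body>', LIBXML_HTML_NODEFDTD);
    libxml_clear_errors();

    $body = $doc->getElementsByTagName('body')->item(0);
    if ($body === null) {
        return '';
    }
    sanitize_node($body, $allowed, $dropWithContent);

    $out = '';
    foreach ($body->childNodes as $child) {
        $out .= $doc->saveHTML($child);
    }
    return $out;
}

function sanitize_node(DOMNode $node, array $allowed, array $dropWithContent): void
{
    // Copy the child list first: the tree is modified while it is walked.
    foreach (iterator_to_array($node->childNodes) as $child) {
        if (!$child instanceof DOMElement) {
            if (!$child instanceof DOMText) {
                $node->removeChild($child);            // comments and the like
            }
            continue;
        }
        $tag = strtolower($child->tagName);
        if (in_array($tag, $dropWithContent, true)) {
            $node->removeChild($child);
            continue;
        }
        sanitize_node($child, $allowed, $dropWithContent);   // clean the subtree first
        if (!isset($allowed[$tag])) {
            while ($child->firstChild !== null) {      // unwrap: keep the children
                $node->insertBefore($child->firstChild, $child);
            }
            $node->removeChild($child);
            continue;
        }
        foreach (iterator_to_array($child->attributes) as $attr) {
            $name = strtolower($attr->name);
            $keep = in_array($name, $allowed[$tag], true)
                 && (!in_array($name, ['href', 'src'], true) || safe_url($attr->value));
            if (!$keep) {
                $child->removeAttribute($attr->name);
            }
        }
    }
}

// What the thread's submit script stores: the browser shows this as text.
echo htmlentities($posted), "\n";
// Storing the raw HTML instead, filtered before it is put into the page:
echo sanitize_description($posted), "\n";
```

Run from the command line, the first line printed is the entity-encoded string the poster saw on the page, and the second is the description with its formatting kept but the onerror attribute, the javascript: link and the script element gone. A DOM walk like this is enough to show the idea; for a production site a maintained filter such as HTML Purifier is the safer choice, because HTML parsers and serialisers have edge cases a short example does not cover.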
chris98 (Forum Contributor; Posts: 103; Joined: Tue Jun 11, 2013 10:47 am; Location: England, United Kingdom)
by chris98 » Thu Aug 29, 2013 9:43 am
Thank you. That's all it was. I now, however, have discovered a problem with the delete code. Could you tell me what I have done wrong here?
Every time I try to delete things, the zip file and preview image will go, but the data in the database stays. I also get no errors at all, and am using the advanced connection which normally displays them.
Code:
<?php
require_once('../submit/db/db_connection.php');

// Values from the link that leads here (delete.php?id=...&category=...&...).
$id         = isset($_GET["id"])        ? $_GET["id"]        : '';
$category   = isset($_GET["category"])  ? $_GET["category"]  : '';
$name       = isset($_GET["file_name"]) ? $_GET["file_name"] : '';
$name_image = isset($_GET["preview"])   ? $_GET["preview"]   : '';
$file       = isset($_GET["file"])      ? $_GET["file"]      : '';

if (isset($_POST['submitBtn'])) {
    // Read again from $_GET once the form has been posted.
    $id         = isset($_GET["id"])        ? $_GET["id"]        : '';
    $category   = isset($_GET["category"])  ? $_GET["category"]  : '';
    $name       = isset($_GET["file_name"]) ? $_GET["file_name"] : '';
    $name_image = isset($_GET["preview"])   ? $_GET["preview"]   : '';
    $name_input = isset($_POST['name'])       ? htmlentities($_POST['name'])       : '';
    $name_3     = isset($_POST['image_name']) ? htmlentities($_POST['image_name']) : '';
    $file_name  = isset($_POST['file_name'])  ? htmlentities($_POST['file_name'])  : '';

    $sql = "DELETE FROM downloads_unchecked WHERE id = :file";
    $ps = $pdo->prepare($sql);
    $ps->bindParam(':file', $id, PDO::PARAM_INT);
    $ps->execute();

    // basename() so a posted name cannot contain "../" or a wildcard that
    // reaches outside the two upload directories; is_file() so a file that
    // is already gone does not raise a warning.
    $zip_path   = "../files/files/".basename($file_name);
    $image_path = "../files/minimaps/".basename($name_3);
    if ($file_name !== '' && is_file($zip_path)) {
        unlink($zip_path);
    }
    if ($name_3 !== '' && is_file($image_path)) {
        unlink($image_path);
    }

    header("Location: redirect.php");
    exit;
}
else {
?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "DTD/xhtml1-transitional.dtd">
<html>
<head>
<title>Delete an Upload</title>
<link href="style/style.css" rel="stylesheet" type="text/css" />
</head>
<body>
<div id="main">
<div id="formheader">WARNING! This will delete all traces of this file ever being on our system.</div>
<div id="formbody">The File Name is displayed below:
<form action="<?php echo htmlspecialchars($_SERVER['PHP_SELF']); ?>" method="post" name="gbook" id="gbook">
<!-- Values taken from the URL are escaped before they are echoed into the page. -->
<input type="hidden" name="file_name" value="<?php echo htmlspecialchars($file, ENT_QUOTES); ?>" />
<input type="hidden" name="image_name" value="<?php echo htmlspecialchars($name_image, ENT_QUOTES); ?>" />
<input type="hidden" name="name" value="<?php echo htmlspecialchars($id, ENT_QUOTES); ?>" />
<table align="center">
<tr><th>Are you sure?</th><td><input class="text" type="submit" name="submitBtn" value="Delete" /></td></tr>
<tr><td colspan="2" align="center"><br/><br>
<?php echo htmlspecialchars($name); ?></td></tr>
</table>
</form>
</div>
<div id="source"></div>
</div>
</body>
</html>
<?php } ?>
Celauran (Moderator; Posts: 6427; Joined: Tue Nov 09, 2010 2:39 pm; Location: Montreal, Canada)
by Celauran » Thu Aug 29, 2013 9:54 am
There's nothing wrong with the query itself. You aren't checking that $_GET['id'] actually contains a value, though.
chris98 (Forum Contributor; Posts: 103; Joined: Tue Jun 11, 2013 10:47 am; Location: England, United Kingdom)
by chris98 » Thu Aug 29, 2013 9:57 am
I have managed to echo it, but nothing else.
AbraCadaver (DevNet Master; Posts: 2572; Joined: Mon Feb 24, 2003 10:12 am; Location: The Republic of Texas)
by AbraCadaver » Thu Aug 29, 2013 9:57 am
Make sure you have error reporting on and comment out the header redirect so you'll actually be on the page that might show an error.
chris98 (Forum Contributor; Posts: 103; Joined: Tue Jun 11, 2013 10:47 am; Location: England, United Kingdom)
by chris98 » Thu Aug 29, 2013 10:02 am
There is still no error. It did definitely work when I used normal mysql, so I don't know what has gone wrong.
Celauran (Moderator; Posts: 6427; Joined: Tue Nov 09, 2010 2:39 pm; Location: Montreal, Canada)
by Celauran » Thu Aug 29, 2013 10:46 am
You're submitting to a page with no GET parameters. The form action is $_SERVER['PHP_SELF'], not $_SERVER['PHP_SELF'] . '?id=' . $id etc. Once the form has been submitted, the $_GET array is empty.
chris98 (Forum Contributor; Posts: 103; Joined: Tue Jun 11, 2013 10:47 am; Location: England, United Kingdom)
by chris98 » Thu Aug 29, 2013 10:51 am
No, the sort of thing I would be linking with would be:
Code:
delete.php?id=3&category=Custom War&file_name=ydyrytrytrytryty&preview=army medic.jpg&file=ancient_756.zip
Celauran (Moderator; Posts: 6427; Joined: Tue Nov 09, 2010 2:39 pm; Location: Montreal, Canada)
by Celauran » Thu Aug 29, 2013 10:54 am
To arrive at that page, sure. Look at the form action, though.
Code:
if (isset($_POST['submitBtn'])) {
var_dump($_GET);
}
chris98 (Forum Contributor; Posts: 103; Joined: Tue Jun 11, 2013 10:47 am; Location: England, United Kingdom)
by chris98 » Fri Aug 30, 2013 9:33 am
So, in other words, I would need an <input> to store the information, then transfer that to a different variable for the delete statement?
Celauran (Moderator; Posts: 6427; Joined: Tue Nov 09, 2010 2:39 pm; Location: Montreal, Canada)
by Celauran » Fri Aug 30, 2013 9:55 am
You already have one.
Code:
<input type="hidden" name="name" type="numerical" size="20" maxlength="50" value="<?php echo "".$id.""; ?>"/>
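The delete handler built on that hidden field, as an added example that is not the poster's code. The form posts to itself with no query string, so the handler reads the id from $_POST (the hidden input called name in the thread's form) and never from $_GET, which is empty at that point. It also takes the two file names from the database row being deleted rather than from hidden fields the client can edit, checks rowCount() so that a DELETE that matched nothing is reported, and switches PDO to exceptions so a failed query is not silent, which is the error-reporting point AbraCadaver makes above. Assumed, and not on the page: a $pdo connection from db/db_connection.php, a downloads_unchecked table with columns id, minimap and file, the two upload directories named in the thread, that the user has already been authenticated the way the submit script does with $pun_user['is_guest'], and the helper names used here.

```php
<?php
// Added example, not code from the thread. Deletes one row of
// downloads_unchecked plus its two files, using only the id that arrives
// in the posted form. Table, columns, directories and the $pdo connection
// are assumed from the thread; the function names are this example's own.

error_reporting(E_ALL);
ini_set('display_errors', '1');               // while debugging; off in production

// Assumed: $pdo comes from db/db_connection.php as in the thread, and an
// authentication check (the is_guest test from the submit script) has run.
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

// Assumed directory layout from the thread, resolved to absolute paths so a
// name stored in the database cannot point outside them either.
define('ZIP_DIR',   realpath(__DIR__ . '/../files/files'));
define('IMAGE_DIR', realpath(__DIR__ . '/../files/minimaps'));

// Removes $name from $dir only if it really resolves inside $dir.
function unlink_inside($dir, string $name): bool
{
    if ($dir === false || $name === '') {
        return false;
    }
    $path = realpath($dir . '/' . basename($name));
    // realpath() is false for a missing file; the prefix check rejects a
    // path that resolved elsewhere (symlinks included).
    if ($path === false || strpos($path, $dir . DIRECTORY_SEPARATOR) !== 0) {
        return false;
    }
    return unlink($path);
}

function delete_download(PDO $pdo, int $id): array
{
    $pdo->beginTransaction();
    try {
        // Look the row up first: file names come from the database, not the client.
        $sel = $pdo->prepare('SELECT minimap, file FROM downloads_unchecked WHERE id = :id');
        $sel->execute([':id' => $id]);
        $row = $sel->fetch(PDO::FETCH_ASSOC);
        if ($row === false) {
            $pdo->rollBack();
            return ['deleted' => false, 'reason' => 'no such id'];
        }
        $del = $pdo->prepare('DELETE FROM downloads_unchecked WHERE id = :id');
        $del->execute([':id' => $id]);
        if ($del->rowCount() !== 1) {
            $pdo->rollBack();
            return ['deleted' => false, 'reason' => 'delete affected ' . $del->rowCount() . ' rows'];
        }
        $pdo->commit();
    } catch (PDOException $e) {
        $pdo->rollBack();
        throw $e;                             // shown as an error instead of a silent redirect
    }
    // Files go only after the row is gone, so a failed DELETE leaves them in place.
    return [
        'deleted'       => true,
        'zip_removed'   => unlink_inside(ZIP_DIR, $row['file']),
        'image_removed' => unlink_inside(IMAGE_DIR, $row['minimap']),
    ];
}

if (isset($_POST['submitBtn'])) {
    // The form action is PHP_SELF with no query string, so $_GET is empty here;
    // the id comes from the hidden field ("name" in the thread's form).
    $id = filter_input(INPUT_POST, 'name', FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false || $id === null) {
        exit('Missing or invalid id.');
    }
    $result = delete_download($pdo, $id);
    if (!$result['deleted']) {
        exit('Nothing deleted: ' . $result['reason']);
    }
    header('Location: redirect.php');
    exit;                                     // header() does not stop the script
}
```

With the redirect left in place this still reports a DELETE that matched nothing, because the function returns before header() is reached; with ERRMODE_EXCEPTION a wrong column or table name surfaces as a PDOException rather than a silent false from execute().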