Help htmlspecialchars is NOT working ??????????

Tyronem
Forum Newbie
Posts: 12
Joined: Thu Sep 14, 2006 5:11 pm

Post by Tyronem »

I am using PHP 5 on my XP Pro box with IIS installed and it seems that the htmlspecialchars function has stopped working. Previously data inserted fine into my news table (with HTML characters replaced with the standard ones), then when pulled out of the database it did as it was told and returned the data.

Now it won't play ball. Below is the code:

Data input form that posts to the news verify page:

Code:

echo "
    <b><h2>Add a News Item to the home page</h2></b>
    <form action=\"add_news_verify.php\" method=\"post\">

    <b>News Title:</b><br> <input name=\"News_Title\" type=\"text\" size=\"30\"> <br><br>

    <b>News Teaser:</b><br> <input name=\"News_Teaser\" type=\"text\" size=\"30\" > <br><br>

    <b>News Content (do not include any ' or \" Ensure you encapsulate all text in an initial p tag and at the end
    a closing /p tag):</b><br> <textarea name=\"News_Content\" cols=\"90\" rows=\"10\" wrap=\"virtual\"></textarea> <br><br>

    <input name=\"submit\" type=\"SUBMIT\" value=\"Add News\">

    </form>";

Now the code on the verify page that outputs the above data into the database for retrieval later:

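Code:

<?php
$News_Title = $_POST['News_Title'];
$News_Teaser = $_POST['News_Teaser'];
// htmlspecialchars() turns <, >, & and " into entities before the value is stored.
$News_Content = htmlspecialchars($_POST['News_Content']);

// Escape every value for the SQL string context so a quote in the input
// cannot end the literal (uses the open mysql_* connection, as mysql_query() does).
$query = sprintf(
    "INSERT INTO news (News_Title, News_Teaser, News_Content)
    VALUES
    ('%s', '%s', '%s')",
    mysql_real_escape_string($News_Title),
    mysql_real_escape_string($News_Teaser),
    mysql_real_escape_string($News_Content)
);

$result = mysql_query($query);

if (!$result)
{
    $feedback = 'ERROR - database error - you probably didnt include all field values
    or there is something else wrong with your data';
    echo $feedback;
} // output confirmation that the news is added to the system
else
{
    // The title is raw request data, so encode it when writing it into the page.
    echo "News " . htmlspecialchars($News_Title) . " added to the system";
}
?>
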
Nothing too fancy, just a basic output these to the database thanks, and for some reason it just won't convert them to special chars.

I am also having another error where a page won't show any website addresses that are pulled from a database, i.e. http://www.nzbn.co.nz (and that is just stored as text) then called into the page as in:

<a href="http://$website">$website</a>

Very very weird. Am waiting on the company who are sponsoring my final project to get their web space available for me to test it online. I have also replaced all of my PHP 5 files with fresh ones just in case this was a fault.

Thanks all
nickvd
DevNet Resident
Posts: 1027
Joined: Thu Mar 10, 2005 5:27 pm
Location: Southern Ontario

Post by nickvd »

How exactly do you know that it's not working? Can you post sample text from the database that should be converted?

Just to show what you should be expecting: <p> would turn into &lt;p&gt;

sure

Post by Tyronem »

Ahh ok I see something here,

When htmlspecialchars output is put into the database it replaces the characters correctly, but then when I pull the information out of the database and display it on a web page it displays the characters of the code, i.e. <p> etc. Is there some way to put these characters back into HTML? (Unlikely a person would do SQL injection on themselves, but just for future use anyway :) )

Otherwise if I do not convert these characters to htmlspecialcharacters then it displays the text correctly in the page, formatted as per my HTML in the news.

Don't quite know why it worked first then stopped working, but hey, at least that part is figured out, thanks :)

Second problem not yet solved though: something is blocking the dealers page from displaying the website addresses. Here is one of the ones that won't display from the database:

12, 't', 'www.nzbn.co.nz', 't', 't', 't', 't', 't', 't', 't', 't', 't', 't', 't'

one that will display:

2, 'f', 'f', 'f', 'f', 'f', 'f', 'f', 'f', 'f', 'f', 'f', 'f', 'f'

Here is the code in the dealer display page:

Code:

<?php
$query = "SELECT * from dealer GROUP BY Area ORDER BY Company_Name";
$result = mysql_query($query);

while ($dealer_row = mysql_fetch_array($result))
{
    if ($dealer_row['Company_Name'] != "not a dealer")
    {
        $website = $dealer_row['Website_Address'];

        echo "<h2> $dealer_row[Company_Name] $dealer_row[Area]</h2>
        $dealer_row[Description] <br>
        <b>Phone:</b> $dealer_row[Land_Line] <b>Website:</b> <a href=\"http://$website\" target=\"blank\">$website</a>
        <b>E-Mail:</b> <a href=\"mailto:$dealer_row[E_Mail]?Subject=SoEasy Accounting Software Enquiry\">$dealer_row[E_Mail] </a>
        <br><b>Address:</b> $dealer_row[Trading_Address]";
    }
}
?>

There is something wrong with the SQL code. Just found out that by removing the ORDER BY and GROUP BY statements all dealers displayed correctly.

When not displaying correctly I just get the following:

f f
f
Phone: f Website: f E-Mail: f
Address: f
t t
t
Phone: t Website: t E-Mail: t
Address: t

When displaying correctly with extra parts of the sql statement removed I get:
f f
f
Phone: f Website: f E-Mail: f
Address: f
f f
f
Phone: f Website: http://www.nzbn.co.nz E-Mail: f
Address: f
f f
ff
Phone: f Website: http://www.nzbn.co.nz E-Mail: f
Address:
f f
ff
Phone: f Website: http://www.nzbn.co.nz E-Mail: f
Address:
f f
ff
Phone: f Website: http://www.nzbn.co.nz E-Mail: f
Address:
f f
ff
Phone: f Website: http://www.nzbn.co.nz E-Mail: f
Address:
t t
t
Phone: t Website: t E-Mail: t
Address: t
t t
t
Phone: t Website: t E-Mail: info@nzbn.co.nz
Address: t
adasdf t
t
Phone: t Website: blah.co.nz E-Mail: t
Address: t
t t
t
Phone: t Website: http://www.nzbn.co.nz E-Mail: t
Address: t
t t
t
Phone: t Website: http://www.nzbn.co.nz E-Mail: t
Address:

which is fine,

Weird one aye

Post by nickvd »

Check the PHP manual on htmlspecialchars... you should find everything you need to know...
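
An added example, not part of the thread or any poster's code: it stores the submitted text unmodified through a prepared statement and applies htmlspecialchars only when writing into the page, then reproduces the symptom discussed above. It assumes PHP 7 or later with the pdo_sqlite extension; the in-memory table, the sample input and the helpers h() and dealer_link() are constructed for illustration.

```php
<?php
// Added example. Constructed data; in-memory SQLite stands in for the news table.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE news (News_Title TEXT, News_Content TEXT)');

// Constructed input standing in for $_POST.
$post = [
    'News_Title'   => 'Tom & Jerry\'s "big" sale',
    'News_Content' => '<p>Prices <b>slashed</b></p>',
];

// Hypothetical helper: encode for the HTML context at output time.
function h(string $text): string
{
    return htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
}

// Store the text unmodified. Placeholders keep quotes in the data out of the SQL.
$insert = $pdo->prepare('INSERT INTO news (News_Title, News_Content) VALUES (?, ?)');
$insert->execute([$post['News_Title'], $post['News_Content']]);
$row = $pdo->query('SELECT News_Title, News_Content FROM news')->fetch(PDO::FETCH_ASSOC);

// Plain-text field: encode once, when it is written into the page.
echo '<h2>' . h($row['News_Title']) . "</h2>\n";

// The symptom from the thread: content encoded before storage is sent to the
// browser as entities, so the visitor sees the tags as literal text.
$encodedOnInput = htmlspecialchars($post['News_Content']);
echo $encodedOnInput . "\n";

// htmlspecialchars_decode() gives the markup back, which also means any HTML
// the submitter typed is rendered as-is; only do this for trusted authors.
echo htmlspecialchars_decode($encodedOnInput) . "\n";

// Hypothetical helper for the dealer page: only a valid hostname becomes a link.
function dealer_link(string $website): string
{
    if (filter_var($website, FILTER_VALIDATE_DOMAIN, FILTER_FLAG_HOSTNAME) === false) {
        return h($website); // shown as text, never placed inside href
    }
    return '<a href="http://' . h($website) . '">' . h($website) . '</a>';
}

echo dealer_link('www.nzbn.co.nz') . "\n";    // becomes a link
echo dealer_link('x" onclick="y') . "\n";     // constructed bad value, text only
```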