Page 1 of 1

Help htmlspecialchars is NOT working ??????????

Posted: Tue Oct 10, 2006 9:39 pm
by Tyronem
I am using PHP 5 on my XP Pro box with IIS installed and it seems that the htmlspecialchars function has stopped working. whenever data that previously inserted fine into my news table (with html charectors replaced with the standard ones) then when pulled out of the database it did as it was told and returned the data.

now it won't play ball. below is the code:

Data input form that posts to the news verify page:

Code: Select all

echo "
		<b><h2>Add a News Item to the home page</h2></b>
		<form action=\"add_news_verify.php\" method=\"post\">
		
			
		<b>News Title:</b><br> <input name=\"News_Title\" type=\"text\" size=\"30\"> <br><br>
		
		<b>News Teaser:</b><br> <input name=\"News_Teaser\" type=\"text\" size=\"30\" > <br><br>
		
		<b>News Content (do not include any ' or \" Ensure you encapsulate all text in an initial p tag and at the end
		a closing /p tag):</b><br> <textarea name=\"News_Content\" cols=\"90\" rows=\"10\" wrap=\"virtual\"></textarea> <br><br>		
		
		
		<input name=\"submit\" type=\"SUBMIT\" value=\"Add News\">
		
		</form>";
Now the code on the verify page that outputs the above data into the database for retreival later:

Code: Select all

<?php
		$News_Title = $_POST['News_Title'];
		$News_Teaser = $_POST['News_Teaser'];
		$News_Content = htmlspecialchars($_POST['News_Content']);
		
		$query = "INSERT INTO news (News_Title, News_Teaser, News_Content)
		VALUES
		('$News_Title', '$News_Teaser', '$News_Content')";
		
		
							
					$result = mysql_query($query);
										
										
					if (!$result)
					{
					$feedback = 'ERROR - database error - you probably didnt include all field values
					or there is something else wrong with your data';
					echo $feedback;
					} // output confirmation that the news is added to the system
					else
					{
						echo "News $News_Title added to the system";
					}
				
				
				
		?>
Nothing too fancy just a basic out put these to the database thanks and for some reason it just wont convert them to special chars.

I am also having another error where a page wont show any website addresses that are pulled from a database ie http://www.nzbn.co.nz (and that is just stored as text) then called into the page as in:

<a href="http://$website">$website</a>

very very weird, am waiting on the company who are sponsoring my final project to get their web space available for me to test it online. I have also replaced all of my php 5 files with fresh ones just in case this was a fault.

Thanks all

Posted: Tue Oct 10, 2006 9:55 pm
by nickvd
How exactly do you know that it's not working? can you post sample text from the database that should be converted?

Just to show what you should be expecting: <p> would turn into <p>

sure

Posted: Tue Oct 10, 2006 10:36 pm
by Tyronem
Ahh ok I see something here,

when htmlspecialchars output is put into the database it replaces the charactors correctly, but then when I pull the information out of the database and display it on a web page it displays the charactors of the code ie <p> etc, Is there some way to put these charactors back into html? (unlikely person would do sql injection on themselves but just for future use anyway :) )

Otherwise if I do not convert these charactors to htmlspecialcharactors then it displays the text correctly in the page formatted as per my html in the news.

Don't quite know why it worked first then stopped working but hey at least that part is figured out thanks :)

second problem not yet solved though something is blocking the dealers page from displaying the website addresses. here is one of the ones that wont display from the database:

12, 't', 'www.nzbn.co.nz', 't', 't', 't', 't', 't', 't', 't', 't', 't', 't', 't'

one that will display:

2, 'f', 'f', 'f', 'f', 'f', 'f', 'f', 'f', 'f', 'f', 'f', 'f', 'f'

Here is the code in the dealer display page:

Code: Select all

<?php
				
				$query = "SELECT * from dealer GROUP BY Area ORDER BY Company_Name";
				$result = mysql_query($query);
				
				while ($dealer_row = mysql_fetch_array($result))
				{	
					
					if ($dealer_row['Company_Name'] != "not a dealer")
					{
					$website = $dealer_row['Website_Address'];
										
					echo "<h2> $dealer_row[Company_Name] $dealer_row[Area]</h2>
					$dealer_row[Description] <br>
					<b>Phone:</b> $dealer_row[Land_Line] <b>Website:</b> <a href=\"http://$website\" target=\"blank\">$website</a>
					<b>E-Mail:</b> <a href=\"mailto:$dealer_row[E_Mail]?Subject=SoEasy Accounting Software Enquiry\">$dealer_row[E_Mail] </a>
					<br><b>Address:</b> $dealer_row[Trading_Address]";
					}
				}
				
				?>
There is something wrong with the sql code just found out by removing the order by and group by statements all dealers displayed correctly .

When not displaying correctly I just get the following:

f f
f
Phone: f Website: f E-Mail: f
Address: f
t t
t
Phone: t Website: t E-Mail: t
Address: t

When displaying correctly with extra parts of the sql statement removed I get:
f f
f
Phone: f Website: f E-Mail: f
Address: f
f f
f
Phone: f Website: http://www.nzbn.co.nz E-Mail: f
Address: f
f f
ff
Phone: f Website: http://www.nzbn.co.nz E-Mail: f
Address:
f f
ff
Phone: f Website: http://www.nzbn.co.nz E-Mail: f
Address:
f f
ff
Phone: f Website: http://www.nzbn.co.nz E-Mail: f
Address:
f f
ff
Phone: f Website: http://www.nzbn.co.nz E-Mail: f
Address:
t t
t
Phone: t Website: t E-Mail: t
Address: t
t t
t
Phone: t Website: t E-Mail: info@nzbn.co.nz
Address: t
adasdf t
t
Phone: t Website: blah.co.nz E-Mail: t
Address: t
t t
t
Phone: t Website: http://www.nzbn.co.nz E-Mail: t
Address: t
t t
t
Phone: t Website: http://www.nzbn.co.nz E-Mail: t
Address:

which is fine,

Weird one aye

Posted: Wed Oct 11, 2006 2:25 am
by nickvd
check the PHP manual on htmlspecialchars... you should find everything you need to know...