Getting HTMLEntities to work...

Posted: Sat Nov 11, 2006 2:48 pm
by Trenchant
I can't seem to get htmlspecialchars or HTML_entities working...

I have a feeling it's something really dumb I overlooked. Can anyone see my mistake?

Code:

// Unfinished filter function.
function filter($input, $type) {
	// First encode any HTML special characters (both quote styles, thanks
	// to ENT_QUOTES) so the value is safe to echo into a page.
	$input = htmlspecialchars($input, ENT_QUOTES, 'UTF-8');
	echo $input; // debug output; the browser renders the entities back as the original characters
	
	// Separate possible other "types", e.g. "text-something".
	$type = explode("-", $type);
	
	// Now that the input is encoded, check it for content.
	
	// Is the input an integer?
	if ($type[0] == 'integer') {
		// The number MUST be a number. $_POST values are always strings,
		// so is_int() would never match; ctype_digit() checks the string
		// itself (and accepts '0').
		if (ctype_digit($input)) {
			return $input;
		}
		// Not an integer: reject it.
		return null;
	} elseif ($type[0] == 'text') {
		// Check if the input is text.
		
		// Keep any \n's that could have been previously made.
		$input = str_replace("\n", "\n<br />\n", $input);
		
		return $input;
	}
	// Unknown type: reject it.
	return null;
}
This simply returns the original string unaltered, even if it has quotes in it.

Posted: Sat Nov 11, 2006 3:10 pm
by John Cartwright
try viewing the page source

In firefox, View -> Page Source
In explorer, View -> Source

What is the output?

Posted: Sat Nov 11, 2006 3:16 pm
by Trenchant
It displays it in a broken-down form then, but the only problem is that when I try to insert it into a MySQL database it still comes up with errors from quotes.

Posted: Sat Nov 11, 2006 3:45 pm
by aaronhall
Let's have a look at your insert query

Posted: Sat Nov 11, 2006 4:00 pm
by Trenchant

Code:

// clean the input.
$comp['to'] = filter($_POST['input_e_to'], 'text');
$comp['from'] = $player_id;
$comp['message'] = filter($_POST['input_e_message'], 'text');
$comp['subject'] = filter($_POST['input_e_subject'], 'text');
$comp['date'] = $date;
$comp['from_ip'] = $ip;

// Connect to the database first: mysql_real_escape_string() needs an open
// connection to know the server's character set.
$system->db_connect();
$comp['to'] = mysql_real_escape_string($comp['to']);
$comp['subject'] = mysql_real_escape_string($comp['subject']);
$comp['message'] = mysql_real_escape_string($comp['message']);
// Every value interpolated into the SQL string needs escaping, including
// ones that did not come straight from $_POST.
$comp['from_ip'] = mysql_real_escape_string($comp['from_ip']);

// $comp['to_id'] and $comp['to_folder'] are set elsewhere (not shown here).
// Quoted keys inside {} avoid relying on the bare-word $comp[key] form.
$sql = mysql_query("INSERT INTO `users_emails` (recipient, sender, folder, subject, message, replyto, sender_ip, date) VALUES ('{$comp['to_id']}', '{$comp['from']}', '{$comp['to_folder']}', '{$comp['subject']}', '{$comp['message']}', '{$comp['from']}', '{$comp['from_ip']}', '{$comp['date']}')") or die(mysql_error());
That's basically it there.

Posted: Sat Nov 11, 2006 4:11 pm
by aaronhall
I think it may be complaining about the quotes around the table name. Try losing those and see if it works.

EDIT: actually, probably not. What does MySQL say when you run the query?

Posted: Sat Nov 11, 2006 4:19 pm
by John Cartwright
Also can you tell us the result of

Code:

echo "INSERT INTO `users_emails` (recipient, sender, folder, subject, message, replyto, sender_ip, date) VALUES ('$comp[to_id]', '$comp[from]', '$comp[to_folder]', '$comp[subject]', '$comp[message]', '$comp[from]', '$comp[from_ip]', '$comp[date]')";
Start quoting your array indices as well; $comp[from] might produce an undefined constant notice and/or result in unexpected results.

Posted: Sun Nov 12, 2006 9:48 am
by Trenchant
For some reason it randomly started working...

I think it may have been because one of my columns was named "read".

After I switched it to read I just fiddled a little more and it started working. I checked the mysql database and the html is in an encoded form.

Thanks for the help.
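The thread mixes two unrelated encodings: entity-encoding for the browser (which View Source reveals, but the rendered page hides) and escaping for the SQL string. The following is an added example, not code from any of the posts above, showing the layering a practitioner would use today: store the raw text through a prepared statement, entity-encode only at render time, and quote the `read` column that the last post suspects. It assumes PHP 7.1+ with PDO's SQLite driver so it runs offline (the original used the mysql_* extension against MySQL); the sample input is constructed.

```php
<?php
// Added example, not from the original thread. Demonstrates the two
// separate boundaries: the database (prepared statement) and the HTML
// output (htmlspecialchars at render time). Assumes PDO + pdo_sqlite.

// Validate an untrusted field by declared type. Returns null on rejection.
function validate(string $input, string $type): ?string
{
    switch ($type) {
        case 'integer':
            // $_POST values are strings, so is_int() is always false here;
            // ctype_digit() checks that the string is all decimal digits.
            return ctype_digit($input) ? $input : null;
        case 'text':
            // Keep the raw text. Do NOT entity-encode yet: the database should
            // hold what the user typed; encoding belongs to the output stage.
            return $input;
        default:
            return null;
    }
}

// Encode for an HTML context, once, when rendering. Encoding first and then
// adding <br /> keeps the line-break tags themselves from being encoded.
function render_text(string $raw): string
{
    return nl2br(htmlspecialchars($raw, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8'));
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

// `read` is a reserved word in MySQL (the thread's suspected culprit);
// backticks quote the identifier in both MySQL and SQLite.
$db->exec('CREATE TABLE users_emails (
    id INTEGER PRIMARY KEY,
    recipient TEXT, sender TEXT, subject TEXT, message TEXT,
    `read` INTEGER DEFAULT 0
)');

// Constructed sample input standing in for $_POST, with the quotes and
// markup that caused the errors described in the thread.
$post = [
    'input_e_to'      => "42",
    'input_e_subject' => "O'Reilly's \"quote\" test",
    'input_e_message' => "Line one\n<script>alert(1)</script>\nLine ' OR '1'='1",
];

$to      = validate($post['input_e_to'], 'integer');
$subject = validate($post['input_e_subject'], 'text');
$message = validate($post['input_e_message'], 'text');
if ($to === null || $subject === null || $message === null) {
    exit("rejected input\n");
}

// Prepared statement: the values travel separately from the SQL text, so no
// quote inside the data can terminate a string literal. Nothing to escape.
$stmt = $db->prepare('INSERT INTO users_emails (recipient, sender, subject, message)
                      VALUES (:to, :from, :subject, :message)');
$stmt->execute([':to' => $to, ':from' => '7', ':subject' => $subject, ':message' => $message]);

// Read back: the database holds the raw text, quotes and tags intact.
$row = $db->query('SELECT subject, message, `read` FROM users_emails')
          ->fetch(PDO::FETCH_ASSOC);
assert($row['subject'] === $post['input_e_subject']);

// Only now, for the browser, encode. View Source shows &#039; and &lt;script&gt;;
// the rendered page shows the original characters, which is what the thread saw.
echo render_text($row['subject']), "\n";
echo render_text($row['message']), "\n";
```

Run it with `php example.php`; the first output line is `O&#039;Reilly&#039;s &quot;quote&quot; test`, and the stored row still contains the literal quotes, so searching or editing the message later works on the real text rather than on entities.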