problems in creating a cms

m2babaey
Forum Contributor
Posts: 364
Joined: Sun May 20, 2007 9:26 am

Post by m2babaey »

In the CMS I'm going to create, users will submit articles. My problems will be here. Thanks in advance for your answers.
1. How can I skip HTML tags? I mean the users may post bad HTML and hurt my site instead of articles. How can I avoid it?
2. Let me know if I'm correct about avoiding SQL injections.
I should define a variable for each text input or text area, then run this function:
$variable = mysql_real_escape_string( $variable ); for each. Right?
3. Since I'm on the first step in PHP, I think the URL of the page containing the submitted article is:
http://mydomain.com/formprocessor.php?t ... olearticle
That results in the following error:
Request-URI Too Large, if the article is too large. What is the solution?
4. When the users press Enter to go to the next line, the line break does not appear. What can I do for it?
Thanks
feyd
Neighborhood Spidermoddy
Posts: 31559
Joined: Mon Mar 29, 2004 3:24 pm
Location: Bothell, Washington, USA

Post by feyd »

  1. strip_tags() (or smarter equivalent), htmlspecialchars(), htmlentities() or HTML Purifier.
  2. mysql_real_escape_string() is performed just before insertion (updates, whatever.) Other functions that can be of use are intval(), floatval(), subst() among others. What you use depends greatly on the data expected.
josh_
Forum Newbie
Posts: 7
Joined: Sun May 20, 2007 6:37 am

Post by josh_ »

I don't know if I fully understand your questions... but here's my best answer. Maybe someone else will be able to offer better advice...

1. I use htmlentities($variableName, ENT_QUOTES) to avoid harmful scripts and tags from being used. It seems to work for me but I don't know how easy it is to defeat. The tags will print as text when retrieved.
2. Might be able to use htmlentities for this, too?
3. Avoid passing form data in URLs. Try using $_POST variables. The URL can only be of a certain length. As far as I know, strings can be much larger (infinite??).
4. Not sure... why not have your users use a text editor and "upload" their article? Otherwise you may run into database cell sizes being exceeded if you try to store the text directly to a database.

Not sure if I have the best answers to your questions... but I've shared what I would do. Hope it helps.
m2babaey
Forum Contributor
Posts: 364
Joined: Sun May 20, 2007 9:26 am

Post by m2babaey »

josh_ wrote: I don't know if I fully understand your questions... but here's my best answer. Maybe someone else will be able to offer better advice...

1. I use htmlentities($variableName, ENT_QUOTES) to avoid harmful scripts and tags from being used. It seems to work for me but I don't know how easy it is to defeat. The tags will print as text when retrieved.
2. Might be able to use htmlentities for this, too?
3. Avoid passing form data in URLs. Try using $_POST variables. The URL can only be of a certain length. As far as I know, strings can be much larger (infinite??).
4. Not sure... why not have your users use a text editor and "upload" their article? Otherwise you may run into database cell sizes being exceeded if you try to store the text directly to a database.

Not sure if I have the best answers to your questions... but I've shared what I would do. Hope it helps.

4. But let's consider a huge forum like DevNetwork. Isn't the post text directly stored in the database?
3. Then will the article be accessible from a URL for other users to read it? I thought POST is used only to email the form content.
1. Should I replace "ENT_QUOTES" with anything or not?
thiscatis
Forum Contributor
Posts: 434
Joined: Thu Jul 20, 2006 11:00 am

Post by thiscatis »

4. Implement a small WYSIWYG editor for the article body textarea. It gives a lot more functionality.

3. Use $_POST. Convert them to variables and create a query to store them in the database.
m2babaey
Forum Contributor
Posts: 364
Joined: Sun May 20, 2007 9:26 am

Post by m2babaey »

thiscatis wrote: 4. Implement a small WYSIWYG editor for the article body textarea. It gives a lot more functionality.

Couldn't understand. I need more explanation.
Thanks. Also thanks for 3.
josh_
Forum Newbie
Posts: 7
Joined: Sun May 20, 2007 6:37 am

Post by josh_ »

1. ENT_QUOTES is a parameter of the function htmlentities(). See http://www.php.net/manual/en/function.htmlentities.php

3. If you're looking to retrieve the stored article for viewing, I would pass the id of the article (in the URL, perhaps). Then query the database to pull the title, subject, text, etc. based on that id.

4. Unless the phpBB code of this forum has been modified, the entries of this forum are stored in the database (see http://www.phpbb.com/ and download it for yourself to see how they do it). It was just a suggestion that it may be more convenient for you and your users to use a third-party editor. I suppose it depends on the size of the articles you're expecting.

...just suggestions. I make no claims to be a PHP genius.
Ambush Commander
DevNet Master
Posts: 3698
Joined: Mon Oct 25, 2004 9:29 pm
Location: New Jersey, US

Post by Ambush Commander »

For question 4, I think his problem is that line breaks users add in the textarea don't show up when displayed as HTML. The quick fix is nl2br(), although I challenge you to implement a more semantic solution with <p> tags.

If you use htmlspecialchars(), strip_tags() or htmlentities(), users won't be able to add any special formatting to your articles. HTML Purifier, however, will let you do that.
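As an added example (not code from anyone in this thread), here is the more semantic version of that fix: escape the submitted text first, then turn blank lines into <p> and single newlines into <br>, so the only live markup in the output is what the function itself adds.

```php
<?php
// Added example: convert a plain-text article body to safe HTML.
// Escaping happens before any tags are added, so user-supplied
// markup is rendered as visible text rather than executed.
function render_article_body(string $text): string
{
    // Neutralise <, >, &, quotes; declare the charset so escaping is exact.
    $safe = htmlspecialchars($text, ENT_QUOTES, 'UTF-8');

    // Normalise Windows/Mac line endings, then split on blank lines.
    $safe = str_replace(["\r\n", "\r"], "\n", $safe);
    $paragraphs = preg_split('/\n{2,}/', trim($safe));

    $html = '';
    foreach ($paragraphs as $p) {
        if ($p === '') {
            continue;
        }
        // A single Enter inside a paragraph still needs a line break.
        $html .= '<p>' . nl2br($p, false) . "</p>\n";
    }
    return $html;
}

// Constructed sample input: two paragraphs, one containing markup that
// must come out as text.
$submitted = "First line\nsecond line of paragraph one\n\n"
           . "<script>alert(1)</script> is shown literally";

echo render_article_body($submitted);
```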
m2babaey
Forum Contributor
Posts: 364
Joined: Sun May 20, 2007 9:26 am

Post by m2babaey »

josh_ wrote: 3. If you're looking to retrieve the stored article for viewing, I would pass the id of the article (in the URL, perhaps). Then query the database to pull the title, subject, text, etc. based on that id.

That's a good idea.
I have created a table, named it articles and made a few fields in it (you see below).
[image: the articles table and its fields]
Now how can I retrieve the article?
For example the first article. I used the code below:

<html><body>
<?php

mysql_connect("localhost", "root", "") or die(mysql_error());
mysql_select_db("articles") or die(mysql_error());

$query="SELECT * FROM articles WHERE id='1'";
$result=mysql_query($query) or die(mysql_error());

$article = mysql_fetch_array( $result );

include("main.php");
mysql_close();
?>
</body></html>
and main.php is :

<html>

<body>
<table border=0>
<tr>
<td> <? include("includetop.php") ?> </td>
</tr> </table>

<table class=MsoTableGrid border=0 cellspacing=0 cellpadding=0 width="100%"
 style='width:100.0%;border-collapse:collapse;mso-yfti-tbllook:480;mso-padding-alt:
 0in 5.4pt 0in 5.4pt'>
 <tr style='mso-yfti-irow:0;mso-yfti-firstrow:yes;mso-yfti-lastrow:yes'>
  <td width=132 valign=top style='width:99.0pt;padding:0in 5.4pt 0in 5.4pt'>
  <p class=MsoNormal align=center style='text-align:center'><span lang=AR-SA
  dir=RTL>&#1670; <? include("includeleft.php") ?></span></p>

  </td>
  <td width=468 valign=top style='width:351.0pt;padding:0in 5.4pt 0in 5.4pt'>
  <p class=MsoNormal align=center style='mso-margin-top-alt:auto;mso-margin-bottom-alt:
  auto;text-align:center'><o:p>&nbsp; <?include("includecenter.php")?> </o:p></p>
  </td>
  <td width=159 valign=top style='width:119.25pt;padding:0in 5.4pt 0in 5.4pt'>
  <p class=MsoNormal align=center style='text-align:center'><span lang=AR-SA
  dir=RTL><u1:p>&#1585; <? include("includeright.php") ?></span></p>
  </td>
 </tr>
</table>

<? include("includedown.php") ?>
</body></html>
where includecenter.php is :

<?
echo ($article);
?>
josh_
Forum Newbie
Posts: 7
Joined: Sun May 20, 2007 6:37 am

Post by josh_ »

If this is to be used on more than one server, you may want to consider using "`" (tick) marks in your queries and avoid short tags (i.e. use "<?php" instead of "<?") since not all servers would respond to the code you have there. It's simple enough to implement on your first time through... but a pain to implement later on (I know first hand). You may also want to limit your query if you know you'll only have 1 article per id. Your query would look something like:

$query="SELECT * FROM `articles` WHERE `id`='1' LIMIT 1";
To get the article, you'll need to do something like this:

$query="SELECT * FROM `articles` WHERE `id`='1'";
$result=mysql_query($query); 

if ($article = mysql_fetch_array( $result )){
    $title = $article['title'];
    $subj = $article['subject'];
}
Now you'll have $title and $subj and whatever other variables you assign to play with. $article is just an array which contains those values.

For multiple articles (i.e. not limiting the search to 1 id), do this:

if ($article = mysql_fetch_array( $result )){
    do{
        $title = $article['title'];
        $subj = $article['subject'];

        printf("<tr><td>%s</td></tr>\n", $title);
    } while ($article = mysql_fetch_array( $result ));
} else {
    // no rows (or a failed query): report the MySQL error instead of an undefined variable
    die(mysql_error());
}
This will return each title in its own row.

Also... just a thought... I'm not sure why you move in and out of PHP. I'd consider using the notation:

printf("<td>%s</td>\n", $title);
and avoid toggling out of PHP.

Hope that helps!
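The thread's question 2 (escape just before insertion) and question 3 (submit by POST, read back by id in the URL) fit together in one handler. This added example is not code from anyone in the thread; it uses mysqli prepared statements in place of mysql_real_escape_string(), assumes mysqlnd is available for get_result(), and assumes a table articles(id AUTO_INCREMENT, title, subject, body) plus the localhost/root connection shown earlier.

```php
<?php
// Added example: store an article from $_POST and fetch it by id.
// Assumed schema: articles(id INT AUTO_INCREMENT, title, subject, body).
function connect(): mysqli
{
    $db = new mysqli('localhost', 'root', '', 'articles');   // assumed credentials
    $db->set_charset('utf8mb4');   // escaping is only correct for the declared charset
    return $db;
}

// Values are bound, never concatenated, so quotes or backslashes in the
// article text cannot alter the query. Returns the new article id.
function store_article(mysqli $db, string $title, string $subject, string $body): int
{
    $stmt = $db->prepare('INSERT INTO `articles` (`title`, `subject`, `body`) VALUES (?, ?, ?)');
    $stmt->bind_param('sss', $title, $subject, $body);
    $stmt->execute();
    return $db->insert_id;
}

// The id arrives in the URL; it is cast to int and bound as an integer,
// so a non-numeric value just yields no row.
function fetch_article(mysqli $db, int $id): ?array
{
    $stmt = $db->prepare('SELECT `title`, `subject`, `body` FROM `articles` WHERE `id` = ? LIMIT 1');
    $stmt->bind_param('i', $id);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    return $row ?: null;
}

$db = connect();

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    // The form uses method="post", so the article body never sits in the URL.
    $id = store_article($db, $_POST['title'] ?? '', $_POST['subject'] ?? '', $_POST['body'] ?? '');
    header('Location: article.php?id=' . $id);   // readers reach it by id
    exit;
}

$article = fetch_article($db, (int)($_GET['id'] ?? 0));
if ($article === null) {
    http_response_code(404);
    exit('No such article');
}
// Raw text is stored; escaping is done at display time.
echo '<h1>' . htmlspecialchars($article['title'], ENT_QUOTES, 'UTF-8') . '</h1>';
```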