problems in creating a cms
In the cms i'm going to create, users will submit articles. my problems will be here. thanks in advance for your answers
1. how can i skip html tags? I mean the users may post bad html and hurt my site instead of articles. how can i avoid it?
2. let me know if i'm correct about avoiding sql injections.
i should define a variable for each text input or text area, then run this function:
$variable = mysql_real_escape_string( $variable); for each. right?
3. Since i'm on the first step in PHP, i think the url of the page containing the submitted article is:
http://mydomain.com/formprocessor.php?t ... olearticle
that results in the following error:
Request-URI Too Large, if the article is too large. what is the solution?
4. When the users press enter to go to the next line, the line break does not appear. what can i do for it?
thanks
- feyd
- Neighborhood Spidermoddy
- Posts: 31559
- Joined: Mon Mar 29, 2004 3:24 pm
- Location: Bothell, Washington, USA
- strip_tags() (or smarter equivalent), htmlspecialchars(), htmlentities() or HTML Purifier.
- mysql_real_escape_string() is performed just before insertion (updates, whatever.) Other functions that can be of use are intval(), floatval(), substr() among others. What you use depends greatly on the data expected.
I don't know if I fully understand your questions...but here's my best answer. maybe someone else will be able to offer better advice...
1. I use htmlentities($variableName, ENT_QUOTES) to avoid harmful scripts and tags from being used. It seems to work for me but I don't know how easy it is to defeat. The tags will print as text when retrieved.
2. Might be able to use htmlentities for this, too?
3. Avoid passing form data in URLs. try using $_POST variables. The url can only be of a certain length. As far as I know, strings can be much larger (infinite??).
4. Not sure...why not have your users use a text editor and "upload" their article? Otherwise you may run into database cell sizes being exceeded if you try to store the text directly to a database.
Not sure if i have the best answers to your questions...but i've shared what I would do. hope it helps.
josh_ wrote:
I don't know if I fully understand your questions...but here's my best answer. maybe someone else will be able to offer better advice...
1. I use htmlentities($variableName, ENT_QUOTES) to avoid harmful scripts and tags from being used. It seems to work for me but I don't know how easy it is to defeat. The tags will print as text when retrieved.
2. Might be able to use htmlentities for this, too?
3. Avoid passing form data in URLs. try using $_POST variables. The url can only be of a certain length. As far as I know, strings can be much larger (infinite??).
4. Not sure...why not have your users use a text editor and "upload" their article? Otherwise you may run into database cell sizes being exceeded if you try to store the text directly to a database.
Not sure if i have the best answers to your questions...but i've shared what I would do. hope it helps.

4. but let's consider a huge forum like DevNetwork. Isn't the post text directly stored in the database?
3. then will the article be accessible from a url for other users to read it? i thought post is used only to email the form content
1. should i replace the "ENT_QUOTES" with anything or not?
1. ENT_QUOTES is a parameter of the function htmlentities(). see http://www.php.net/manual/en/function.htmlentities.php
3. If you're looking to retrieve the stored article for viewing, I would pass the id of the article (in the url, perhaps). Then query the database to pull the title, subject, text, etc. based on that id.
4. Unless the phpBB code of this forum has been modified, the entries of this forum are stored on the database (see http://www.phpbb.com/ and download it for yourself to see how they do it.) It was just a suggestion that it may be more convenient for you and your users to use a third party editor. I suppose it depends on the size of the articles you're expecting.
...just suggestions. I make no claims to be a php genius.
- Ambush Commander
- DevNet Master
- Posts: 3698
- Joined: Mon Oct 25, 2004 9:29 pm
- Location: New Jersey, US
For question 4, I think his problem is that line breaks users add in the textarea don't show up when displayed as HTML. The quick fix is nl2br(), although I challenge you to implement a more semantic solution with <p> tag.
If you use htmlspecialchars(), strip_tags() or htmlentities(), users won't be able to add any special formatting to your articles. HTML Purifier, however, will let you do that.
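Ambush Commander's nl2br() fix and the <p> alternative he mentions, as an added example that is not code from the thread; it also covers question 1 by escaping with htmlspecialchars() before any markup is added. The function names are mine.

```php
<?php
// Added example, not from the thread: render a stored article body as HTML.
// Escape first, then add line-break markup. Done the other way round, the
// <br> tags nl2br() inserted would be escaped along with everything else and
// show up as text. ENT_QUOTES also escapes single quotes, so the result is
// safe inside attribute values as well as between tags.

// The quick fix from the thread: nl2br() on the escaped text.
function render_with_br(string $body): string
{
    return nl2br(htmlspecialchars($body, ENT_QUOTES, 'UTF-8'));
}

// The more semantic version: one or more blank lines start a new <p>,
// a single newline inside a paragraph becomes <br>.
function render_with_paragraphs(string $body): string
{
    $escaped = htmlspecialchars($body, ENT_QUOTES, 'UTF-8');
    // Browsers submit textarea content with \r\n line ends; normalise first.
    $escaped = preg_replace('/\r\n?/', "\n", $escaped);
    $html = '';
    foreach (preg_split('/\n{2,}/', trim($escaped)) as $paragraph) {
        if ($paragraph === '') {
            continue;           // skip leading/trailing blank runs
        }
        $html .= '<p>' . str_replace("\n", "<br>\n", $paragraph) . "</p>\n";
    }
    return $html;
}

// Constructed sample submission: two paragraphs and a tag the user typed.
$sample = "First line\r\nsecond line of the same paragraph\r\n\r\n"
        . "Second paragraph with <b>a tag</b> that must show up as text";
echo render_with_paragraphs($sample);
```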
josh_ wrote:
3. If you're looking to retrieve the stored article for viewing, I would pass the id of the article (in the url, perhaps). Then query the database to pull the title, subject, text, etc. based on that id.

That's a good idea.
I have created a table, named it articles and made a few fields in it. (you see below)
Now how can I retrieve the article?
For example the first article. I used the code below:

```php
<html><body>
<?php
mysql_connect("localhost", "root", "") or die(mysql_error());
mysql_select_db("articles") or die(mysql_error());
$query="SELECT * FROM articles WHERE id='1'";
$result=mysql_query($query);
$article = mysql_fetch_array( $result );
include("main.php");
mysql_close();
?>
```

```php
<html>
<body>
<table border=0>
<tr>
<td> <? include("includetop.php") ?> </td>
</tr> </table>
<table class=MsoTableGrid border=0 cellspacing=0 cellpadding=0 width="100%"
style='width:100.0%;border-collapse:collapse;mso-yfti-tbllook:480;mso-padding-alt:
0in 5.4pt 0in 5.4pt'>
<tr style='mso-yfti-irow:0;mso-yfti-firstrow:yes;mso-yfti-lastrow:yes'>
<td width=132 valign=top style='width:99.0pt;padding:0in 5.4pt 0in 5.4pt'>
<p class=MsoNormal align=center style='text-align:center'><span lang=AR-SA
dir=RTL>چ <? include("includeleft.php") ?></span></p>
</td>
<td width=468 valign=top style='width:351.0pt;padding:0in 5.4pt 0in 5.4pt'>
<p class=MsoNormal align=center style='mso-margin-top-alt:auto;mso-margin-bottom-alt:
auto;text-align:center'><o:p> <?include("includecenter.php")?> </o:p></p>
</td>
<td width=159 valign=top style='width:119.25pt;padding:0in 5.4pt 0in 5.4pt'>
<p class=MsoNormal align=center style='text-align:center'><span lang=AR-SA
dir=RTL><u1:p>ر <? include("includeright.php") ?></span></p>
</td>
</tr>
</table>
<? include("includedown.php") ?><?
echo ($article);
?>
```
if this is to be used on more than one server, you may want to consider using "`" (tick) marks in your queries and avoid short tags (i.e. use "<?php" instead of "<?") since not all servers would respond to the code you have there. it's simple enough to implement on your first time through...but a pain to implement later on (i know first hand). you may also want to limit your query if you know you'll only have 1 article per id. your query would look something like:

```php
$query = "SELECT * FROM `articles` WHERE `id`='1' LIMIT 1";
```

To get the article, you'll need to do something like this:

```php
$query  = "SELECT * FROM `articles` WHERE `id`='1'";
$result = mysql_query($query);
if ($article = mysql_fetch_array($result)) {
    $title = $article['title'];
    $subj  = $article['subject'];
}
```

now you'll have $title and $subj and whatever other variables you assign to play with. $article is just an array which contains those values.
for multiple articles (i.e. not limiting the search to 1 id), do this:

```php
if ($article = mysql_fetch_array($result)) {
    do {
        $title = $article['title'];
        $subj  = $article['subject'];
        printf("<tr><td>%s</td></tr>\n", $title);
    } while ($article = mysql_fetch_array($result));
} else {
    // no row came back: report the MySQL error, as the connect code above does
    die(mysql_error());
}
```

This will return each title in its own row.
also...just a thought...i'm not sure why you move in and out of php. i'd consider using the notation:

```php
printf("<td>%s</td>\n", $title);
```

and avoid toggling out of php.
hope that helps!
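feyd's point that escaping belongs right before the INSERT, and josh_'s suggestion of fetching the article by the id in the URL, worked into one script as an added example (not code from the thread). It swaps the thread's mysql_real_escape_string() for mysqli prepared statements; the table columns and connection details are assumptions.

```php
<?php
// Added example, not code from the thread. Two pieces the thread discusses,
// written with mysqli prepared statements instead of
// mysql_real_escape_string(): the data is bound separately from the query
// text, so escaping each variable by hand before the INSERT (feyd's step)
// is no longer needed, and the mysql_* extension is gone from current PHP.
// Assumes the OP's table `articles` has columns id, title, subject, text;
// the connection details are placeholders.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // throw on SQL errors

function store_article(mysqli $db, string $title, string $subject, string $text): int
{
    if ($title === '' || mb_strlen($title) > 200) {
        throw new InvalidArgumentException('title missing or too long');
    }
    $stmt = $db->prepare('INSERT INTO `articles` (`title`, `subject`, `text`) VALUES (?, ?, ?)');
    $stmt->bind_param('sss', $title, $subject, $text);
    $stmt->execute();
    return (int) $db->insert_id;   // the id to put in the article's URL
}

function fetch_article(mysqli $db, int $id): ?array
{
    // The id comes from the URL; the int type plus an int bind mean the
    // value can only ever be a number. LIMIT 1 since ids are unique.
    $stmt = $db->prepare('SELECT `title`, `subject`, `text` FROM `articles` WHERE `id` = ? LIMIT 1');
    $stmt->bind_param('i', $id);
    $stmt->execute();
    return $stmt->get_result()->fetch_assoc() ?: null;
}

$db = new mysqli('localhost', 'db_user', 'db_password', 'articles'); // placeholders

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    // Submission arrives in the request body, so no Request-URI length limit
    // applies and the article text does not end up in server logs.
    $id = store_article($db, $_POST['title'] ?? '', $_POST['subject'] ?? '', $_POST['text'] ?? '');
    header('Location: ?id=' . $id);
    exit;
}

// GET: show the article whose id is in the URL, as josh_ suggests.
$article = fetch_article($db, intval($_GET['id'] ?? 0));
if ($article === null) {
    http_response_code(404);
    exit('No such article');
}
printf("<h1>%s</h1>\n", htmlspecialchars($article['title'], ENT_QUOTES, 'UTF-8'));
printf("<div>%s</div>\n", nl2br(htmlspecialchars($article['text'], ENT_QUOTES, 'UTF-8')));
```

The same script handles the form POST and the article view: after a successful insert it redirects to its own URL with the new id, so a refresh never re-submits the article.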