Hi everyone, I was wondering if you could help me out with something. I'm trying to write an online management console for my site (http://www.themattcave.org/) that will allow me to edit files directly on the server after logging in. So far I've written code to open a file and display it in a <textarea>. At this point I noticed that opening files with a </textarea> tag in them would cause the page to terminate the <textarea> tag prematurely, so I ended up using htmlentities() to clean up the contents of the file before displaying. Now this so far has worked fine for editing just HTML files. The problem lies in editing PHP files. The htmlentities() function seems to eat things like this:
echo "<form action=\"" . $_SERVER['REQUEST_URI'] . "\" name=\"ContentForm\" method=\"post\">";
In the <textarea> it shows up as
echo "<form action="" . $_SERVER['REQUEST_URI'] . "" name="ContentForm" method="post">";
And if I save the edits, little changes like that obviously make PHP unhappy and it breaks the page. Any suggestions?
Have I provided enough information?
Thanks in advance,
Matt
Displaying PHP code
The code is below. This page is dual purpose: depending on which (if any) mode value is passed to it via GET, it will either edit content data in a MySQL DB or edit the files in the local directory.
Thanks for the help.
Code:
<script language="JavaScript">
// Clear the textarea and resubmit so the newly selected page or file is loaded
function LoadNew()
{
    document.ContentForm.content.value = "";
    document.ContentForm.submit();
}
</script>
<?php
include('header.php');

$user = "root";
$password = "";
$database = "themattcave";
mysql_connect('localhost', $user, $password);
mysql_select_db($database) or die('Unable to select database');

// Request input: selected page/file, submitted content, editor mode
$pagesel = $_POST['pagesel'];
$content_raw = $_POST['content'];
$mode = $_GET['mode'];
$content_clean = stripslashes($content_raw);

switch($mode)
{
    case 0:
        $type = "Content";
        break;
    case 1:
        $type = "File";
        break;
}

// Default selection when nothing was posted
if($pagesel == '')
{
    if($mode == 0) // Content editor
        $pagesel = "home";
    if($mode == 1) // Raw file editor
        $pagesel = "index.php";
}

// Save step: runs only when content was submitted
if($content_clean != '')
{
    if($mode == 0)
    {
        $query = "UPDATE basic SET content = '$content_raw' WHERE name = '". $pagesel . "'";
        $result = mysql_query($query);
        echo "Database content entry updated.";
    }
    else if($mode == 1)
    {
        echo "Saving to: $pagesel <br>";
        $handle = fopen($pagesel,'w');
        fwrite($handle,$content_raw);
        fclose($handle);
        echo "File saved successfully.";
    }
}

print '
<h2 class="title center">' . $type . ' Editor </h2>
';
echo "
<form action=\"" . $_SERVER['REQUEST_URI'] . "\" name=\"ContentForm\" method=\"post\">
<select name=\"pagesel\" OnChange=\"LoadNew();\">";

// Load the content to edit and count the entries for the selector
if($mode == 0)
{
    $query = "SELECT * FROM `basic` WHERE `name` = '". $pagesel . "'";
    $result = mysql_query($query);
    $content = mysql_result($result, 0, "content");
    $query = "SELECT * FROM `basic` WHERE 1";
    $result = mysql_query($query);
    $num = mysql_numrows($result);
}
else if($mode == 1)
{
    // File contents are passed through stripslashes() before display
    $content = stripslashes(file_get_contents($pagesel));
    $num = (sizeof(scandir(dirname($_SERVER['SCRIPT_FILENAME']))) - 2);
    $d = dir(dirname($_SERVER['SCRIPT_FILENAME']));
}

// Build the <option> list from the DB rows or the directory listing
$i = 0;
while($i < $num)
{
    if($mode == 0)
    {
        $name = mysql_result($result,$i,"name");
    }
    else if($mode == 1)
    {
        // Skip entries whose names start with a dot
        $name = ".";
        while(substr($name, 0, 1) == ".")
        {
            $name = $d->read();
        }
    }
    echo "<option value=\"$name\" ";
    if($name == $pagesel)
    {
        echo "selected=\"1\"";
    }
    echo ">$name</option>";
    $i++;
}

// Escape <, > and & so the content cannot close the <textarea> early
$printablehtml = htmlspecialchars($content, ENT_NOQUOTES);
print "
</select><br>
<textarea cols=\"96\" rows=\"30\" name=\"content\">
$printablehtml
</textarea>
<br>
The number of rows returned was: $num<br>
<input type=\"submit\" value=\"Save\">
<input type=\"button\" value=\"Discard\" OnClick=\"LoadNew()\">
</form>
";
mysql_close();
?>
- feyd
You're running stripslashes() on $content.
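
The effect feyd points out, as an added example that is not part of the original thread: it shows what stripslashes() does to the line from the question, that htmlspecialchars() alone survives the textarea round trip, and how the posted file name can be pinned to the editor's directory before it reaches fopen(). The function names textarea_escape() and resolve_editable() and the sample values are assumptions made for illustration.

```php
<?php
// Added example: function names and the sample line are constructed.

// Escape file contents for display inside <textarea>. No stripslashes() here:
// data read from disk was never slash-escaped, so stripping would delete
// backslashes that belong to the PHP source itself.
function textarea_escape(string $source): string
{
    return htmlspecialchars($source, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Map a posted file name to a regular file inside $dir, or null.
// basename() drops any directory part, so "../x.php" cannot leave $dir.
function resolve_editable(string $dir, string $posted): ?string
{
    $name = basename($posted);
    if ($name === '' || $name[0] === '.') {
        return null; // no dotfiles, no empty names
    }
    $path = $dir . DIRECTORY_SEPARATOR . $name;
    return is_file($path) ? $path : null;
}

// Constructed sample: the line from the question as it is stored on disk.
$line = <<<'PHP'
echo "<form action=\"" . $_SERVER['REQUEST_URI'] . "\" name=\"ContentForm\" method=\"post\">";
PHP;

// What the original page does to file contents before display:
echo "after stripslashes(): ", stripslashes($line), "\n";

// The browser decodes the entities again when the form is submitted;
// html_entity_decode() stands in for that step.
$submitted = html_entity_decode(textarea_escape($line), ENT_QUOTES, 'UTF-8');
echo "round trip unchanged: ", var_export($submitted === $line, true), "\n";

// The file selector value is request data, so resolve it before fopen().
echo "traversal attempt: ", var_export(resolve_editable(__DIR__, '../../etc/passwd'), true), "\n";
echo "dotfile:           ", var_export(resolve_editable(__DIR__, '.htaccess'), true), "\n";
```

stripslashes() belongs only on request data, and only where magic_quotes_gpc is enabled; that setting was removed in PHP 5.4.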