
I have another problem with this forum. Everything is working well, it is just not posting HTML.

When I post threads without any HTML they show on the thread view, but if I post stuff with HTML (bold etc.) it won't show at all.

Here's the post file:

<?php
session_start();       //needed before $_SESSION can be read
include "connect.php"; //connection string

if(isset($_POST['submit']))
{
   //take the author from the server-side session, not from a hidden form field that the client can edit
   $name=isset($_SESSION['usr_name']) ? $_SESSION['usr_name'] : '';
   $yourpost=$_POST['yourpost'];
   $subject=$_POST['subject'];
   if(strlen($name)<1)
   {
      print "You did not type in a name."; //no name entered
   }
   else if(strlen($yourpost)<1)
   {
      print "You did not type in a post."; //no post entered
   }
   else if(strlen($subject)<1)
   {
      print "You did not enter a subject."; //no subject entered
   }
   else
   {
      $thedate=date("U"); //get unix timestamp
      $displaytime=date("F j, Y, g:i a");
      //we now strip HTML injections (this also removes the bold/image markup the editor produces)
      $subject=strip_tags($subject);
      $name=strip_tags($name);
      $yourpost=strip_tags($yourpost);
      //escape every value before it goes into SQL; the mysql_ extension is obsolete,
      //prepared statements (mysqli or PDO) are the proper fix
      $name=mysql_real_escape_string($name);
      $subject=mysql_real_escape_string($subject);
      $yourpost=mysql_real_escape_string($yourpost);
      $insertpost="INSERT INTO forumtutorial_posts(author,title,post,showtime,realtime,lastposter) values('$name','$subject','$yourpost','$displaytime','$thedate','$name')";
      mysql_query($insertpost) or die("Could not insert post"); //insert post
      print "Message posted, go back to <A href='index.php'>Forum</a>.";
   }
}
else
{
   print "<form action='post.php' method='post'>";
   print "Topic title:<br>";
   print "<input type='text' name='subject' size='20'><br>";
   print "Your message:<br>";
   print "<textarea name='yourpost' rows='5' cols='40' id='new_thread'></textarea><br>";
   print "<input type='submit' name='submit' value='submit'></form>";
}
?>
<script type="text/javascript">
  generate_wysiwyg('new_thread'); //WYSIWYG editor function defined elsewhere
</script>

And here is the thread view

<?php
include "connect.php"; //mysql db connection here
$id=isset($_GET['id']) ? (int)$_GET['id'] : 0; //postid is numeric; casting blocks SQL injection through the id parameter
$gettopic="SELECT * from forumtutorial_posts where postid='$id'";
$gettopic2=mysql_query($gettopic) or die("Could not get topic");
$gettopic3=mysql_fetch_array($gettopic2) or die("No such topic");
$title=htmlspecialchars($gettopic3['title']); //escape plain-text fields before printing them inside HTML
$author=htmlspecialchars($gettopic3['author']);
$showtime=htmlspecialchars($gettopic3['showtime']);
print "<div id='left'>";
print "<div id='navi-body'>";
print "<a href='index.php'>Back to main forum</a> <a href='post.php'>New Topic</a> <A href='reply.php?id=$id'>Reply</a>";
print "</div>";
print "<div class='content'>";
print "<div class='content-header yellow'>$title</div>";
print "<div class='content-mid'>";
$message=strip_tags($gettopic3['post']); //strips every tag out of the post again before it is displayed
$message=nl2br($message);
print $message;
print "<br /><br />";
print "Posted by: $author Created at: $showtime";
print "</div>";
print "<div class='content-footer'></div>";
print "</div>";
$getreplies="Select * from forumtutorial_posts where parentid='$id' order by postid desc"; //getting replies
$getreplies2=mysql_query($getreplies) or die("Could not get replies");
while($getreplies3=mysql_fetch_array($getreplies2))
{
   $author=htmlspecialchars($getreplies3['author']);
   $showtime=htmlspecialchars($getreplies3['showtime']);
   print "<div class='content'>";
   print "<div class='content-header yellow'>$author replied at $showtime</div>";
   print "<div class='content-mid'>";
   $message=strip_tags($getreplies3['post']); //same tag stripping on replies
   $message=nl2br($message);
   print $message;
   print "</div>";
   print "<div class='content-footer'></div>";
   print "</div>";
}
?>

I want it to show HTML and non-HTML.

NickkN
  • Please show an example of what is being posted, what is being returned - both in MySQL and then in PHP. – Dan Blows Jun 16 '12 at 07:18
  • Hi Blowski, In mysql the "post" bit is blanked, but everything else is filled in correctly. – NickkN Jun 16 '12 at 07:19
  • And I hope this is just dummy code, as your inputs right now are completely insecure. You should really look into PDOs. – Dan Blows Jun 16 '12 at 07:19
  • And when I look at the source of the page it is blank too. Only with HTML ;/ – NickkN Jun 16 '12 at 07:19
  • And thanks for pointing that out Blowski.. I will look at tutorials. :) – NickkN Jun 16 '12 at 07:22
  • What are the actual values in the database? What are you *expecting* it to show? It would be easiest if, in your question, you say "When I post this { code sample }, { this } is saved in the database, { this } is returned from the database, and { this } is shown on the page. Do the same for both when it is working, and when it isn't. Use a small simple example. – Dan Blows Jun 16 '12 at 07:22
  • Okay sorry Blowski. I'm expecting it to show HTML. For example, I wanted it to show a picture I posted. When I try to make it bold, or add images etc it will send a blank to mysql. – NickkN Jun 16 '12 at 07:25
  • But if I use it without the editor it works perfectly. Shows in database and on thread view! – NickkN Jun 16 '12 at 07:25
  • You need to show the exact inputs and responses. Without those, the question is too vague. – Dan Blows Jun 16 '12 at 07:29

1 Answer

...but you have the strip_tags() function there, which strips any HTML or PHP tags from the string (post).

$message=strip_tags($getreplies3['post']);

You may want to use the second part of this function and add some extra parameters for those tags you would like to allow. (like BOLD, ITALICS, etc.)

$message_with_some_html = strip_tags($getreplies3['post'], '<strong><em>');

I hope I am right, please check PHP docs... :)

Also, you may want to sanitize the $_POST variables before using the client's input, with htmlentities() and some regular expression statements to filter out possible attacks.

Milan
  • Milan, I would like to allow all HTML. Are there any tutorials that would help me understand this? ;S – NickkN Jun 16 '12 at 07:28
  • Hi; you may want to implement something like tinyMCE for your client's input (http://www.tinymce.com/) and also check this post for some good advice on how to filter some extra spec. chars.: http://stackoverflow.com/questions/1225472/validation-detected-dangerous-client-input-post-from-tinymce-in-asp-net – Milan Jun 16 '12 at 07:43
  • Could you be more specific about how your page is being used? – Milan Jun 16 '12 at 07:45
  • It's being used like a forum? So this is what it looks like with HTML: http://i.imgur.com/zEsSv.png and this is non-html: http://i.imgur.com/TWKm0.png – NickkN Jun 16 '12 at 07:55
  • People post images, videos etc – NickkN Jun 16 '12 at 07:56
  • Hi, I see. Perhaps someone more experienced could correct me if I am wrong, but considering the many security issues with such a forum model, I myself would want to have 100% control over what is being posted and how it is going to impact the system. Therefore I would disregard any 3rd party libraries ........ – Milan Jun 18 '12 at 04:51
  • .......with pre-written code and use the above example. First I would allow all HTML tags which are harmless, then I would identify all HTML characters and tags which could be potentially dangerous if misused and I would write specific rules for them (i.e.: – Milan Jun 18 '12 at 04:51
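One way to do what the answer and the comment thread describe (allow harmless tags, reject everything else) without relying on strip_tags() alone. This is an added example, not code from the question or the answer: strip_tags() with an allowed-tag list keeps every attribute on the surviving tags, including event handlers, so this version parses the post with DOMDocument and keeps only an assumed allowlist of tags and attributes. It would replace strip_tags($yourpost) in post.php before the INSERT, and the thread view would then print the stored post without calling strip_tags() on it again.

```php
<?php
// Allowlisted tag names and, per tag, the attributes that may survive (assumed list for this forum).
$ALLOWED_TAGS = array(
    'b' => array(), 'strong' => array(), 'i' => array(), 'em' => array(), 'p' => array(),
    'br' => array(), 'ul' => array(), 'ol' => array(), 'li' => array(),
    'img' => array('src', 'alt'),
);
// Parse the submitted fragment, rebuild it keeping only allowed tags/attributes, return clean HTML.
function sanitize_post($html, $allowed) {
    $doc = new DOMDocument();
    libxml_use_internal_errors(true);                   // fragments trigger parser warnings; silence them
    $doc->loadHTML('<?xml encoding="UTF-8">' . $html);  // the PI makes libxml read the input as UTF-8
    libxml_clear_errors();
    $body = $doc->getElementsByTagName('body')->item(0);
    if ($body === null) { return ''; }                  // empty or unparseable input
    clean_children($body, $allowed);
    $out = '';
    foreach ($body->childNodes as $child) { $out .= $doc->saveHTML($child); }
    return $out;
}
function clean_children(DOMNode $node, $allowed) {
    // Copy the child list first: the loop removes and moves children while walking.
    foreach (iterator_to_array($node->childNodes) as $child) {
        if ($child->nodeType === XML_TEXT_NODE) { continue; }  // plain text is escaped by saveHTML
        if ($child->nodeType !== XML_ELEMENT_NODE) {            // comments, CDATA, PIs: drop them
            $node->removeChild($child);
            continue;
        }
        $tag = strtolower($child->nodeName);
        if (!isset($allowed[$tag])) {
            // Tag not on the list: keep its (cleaned) contents, drop the tag itself.
            clean_children($child, $allowed);
            while ($child->firstChild !== null) { $node->insertBefore($child->firstChild, $child); }
            $node->removeChild($child);
            continue;
        }
        foreach (iterator_to_array($child->attributes) as $attr) {
            $keep = in_array(strtolower($attr->name), $allowed[$tag], true);
            if ($keep && strtolower($attr->name) === 'src') {   // images only from http(s) URLs
                $keep = preg_match('#^https?://#i', trim($attr->value)) === 1;
            }
            if (!$keep) { $child->removeAttribute($attr->name); }
        }
        clean_children($child, $allowed);
    }
}
// Constructed sample post: an allowed tag with a disallowed attribute, a disallowed tag, two images.
$sample = '<b onclick="go()">Hello</b> <a href="http://example.com/">link</a> <img src="http://example.com/a.png" alt="a"> <img src="ftp://example.com/b.png">';
echo sanitize_post($sample, $ALLOWED_TAGS), "\n";
```

Sanitize once on the way in and store the result, then escape the other fields (title, author) with htmlspecialchars() on output as usual; the stored post is the only field printed as raw HTML.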