In the website EasyNote I have got a problem with newlines.

On body onload I set a timer for auto-uploading a note every 3 seconds like this:

<body onload="setInterval(uploadNote,3000);current = 1;">

And the code for uploadNote is:

function uploadNote() {
    var note = current+document.getElementById(\'note\').value;  // current is the number of the note selected; \' because echoed
    xmlhttp = new XMLHttpRequest();
    xmlhttp.onreadystatechange = function()
    {
        if (xmlhttp.readyState == 4 && xmlhttp.status == 200){}
    }
    xmlhttp.open("GET","uploadnote.php?q="+note,true);
    xmlhttp.send();
}

And then there is this PHP code:

$note = $_GET["q"]; //contains both notenumber as first digit and note

echo($note."\n"); //for debugging reasons

$notenumber = substr($note, 0, 1);
$notecontent = substr($note, 1, strlen($note));

$notecontent = str_replace("'","''",$notecontent);
$notecontent = nl2br($notecontent);

echo($notecontent); //for debugging reasons

$request = 'UPDATE notes SET note'.$notenumber.' = "'.$notecontent.'" WHERE mail LIKE "'.$email.'"';
$result = mysql_query($request);

Now the problem is that the newline characters in the textarea are erased completely, so the result of the PHP snippet is the text twice without newlines, and the same goes for the database. However, there is no problem showing newlines in the textarea when I insert them directly into the database.

Help would be greatly appreciated.

EDIT: updated uploadNote() function:

function uploadNote() {
    var note = current+document.getElementById(\'note\').value;
    xmlhttp = new XMLHttpRequest();
    xmlhttp.onreadystatechange = function()
    {
        if (xmlhttp.readyState == 4 && xmlhttp.status == 200){}
    }
    xmlhttp.open("POST","uploadnote.php",true);
    xmlhttp.send("note="+note);
}

and PHP:

$note = $_POST["note"];

echo($note."\n");

$notenumber = substr($note, 0, 1);
$notecontent = substr($note, 1, strlen($note));

$notecontent = mysql_real_escape_string($notecontent);

echo($notecontent);

$request = 'UPDATE notes SET note'.$notenumber.' = "'.$notecontent.'" WHERE mail LIKE "'.$email.'"';
$result = mysql_query($request);

The problem now is that nothing works. The note won't update in the MySQL db.

1 Answer

The problems with your code:

  1. Don't use a GET request for something that changes things on the server; use POST.
  2. Database queries need the variable parts escaped. Use mysql_real_escape_string() on the value that is written to SQL.
  3. Do not use any HTML-centric formatting when saving data to the database. You can use it when outputting the code back to the browser.
  4. Inside a textarea, you are not allowed to use any HTML markup, so using <br> for a newline is wrong.
Sven
  • OK, I tried to consider your advice, but now it doesn't work at all. Please help. – Anthimos Kouroutsidis Oct 13 '13 at 21:20
  • And the generated query string is WHAT? Are there any errors from mysql? – Sven Oct 13 '13 at 21:33
  • There seems to be something wrong with the AJAX request, otherwise `echo($note."\n");` would have returned something – Anthimos Kouroutsidis Oct 13 '13 at 21:40
  • You should [send a content-type header](http://stackoverflow.com/questions/7071544/post-from-xmlhttp-with-parameters) of `Content-type: application/x-www-form-urlencoded` to allow PHP to parse the data. Additionally, you should escape the data with [encodeURIComponent(str)](http://stackoverflow.com/questions/332872/how-to-encode-a-url-in-javascript). – Sven Oct 13 '13 at 21:50
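
The request described in the last comment, as an added example that is not part of the original thread: it sends the note as a form-urlencoded POST body and shows what a server-side form parser recovers, next to what the unencoded GET URL delivers (URL parsing drops raw newlines). The helper names `buildNoteBody`, `serverView` and `rawGetQuery`, the `localhost` URL and the sample note are assumptions made for illustration.

```javascript
// Added example; helper names and the sample note are illustrative.

// Build an application/x-www-form-urlencoded body. encodeURIComponent turns
// "\n" into %0A and also protects "&", "+", "%" and "=" inside the note.
function buildNoteBody(current, text) {
  return "note=" + encodeURIComponent(String(current) + text);
}

// What a form-urlencoded parser on the server recovers for "note".
function serverView(encoded) {
  return new URLSearchParams(encoded).get("note");
}

// What the original GET version delivers: URL parsing removes raw tab and
// newline characters, so line breaks are gone before the request is sent.
function rawGetQuery(current, text) {
  const url = new URL("http://localhost/uploadnote.php?q=" + current + text);
  return url.searchParams.get("q");
}

// Browser-side upload using the header and encoding from the comment above.
function uploadNote(current, text, onDone) {
  const xhr = new XMLHttpRequest();
  xhr.onreadystatechange = function () {
    if (xhr.readyState === 4 && xhr.status === 200 && onDone) {
      onDone(xhr.responseText);
    }
  };
  xhr.open("POST", "uploadnote.php", true);
  // Without this header PHP does not parse the body into $_POST.
  xhr.setRequestHeader("Content-Type", "application/x-www-form-urlencoded");
  xhr.send(buildNoteBody(current, text));
}

// Constructed sample note with characters that break an unencoded body.
const SAMPLE = "line one\nline two & 50% of 1+1 = it's fine";

// Encoded: the server sees the note unchanged, newline included.
const encodedResult = serverView(buildNoteBody(1, SAMPLE));
// Unencoded body: "&" ends the value early and "+" would become a space.
const unencodedResult = serverView("note=1" + SAMPLE);
// Unencoded GET URL: the newline is stripped.
const getResult = rawGetQuery(1, "line one\nline two");
```

Encoding only makes the request arrive intact; the value still has to be escaped or bound as a parameter before it reaches the SQL statement, as point 2 of the answer says.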