
I've really been struggling with this problem for the last few days, and I'd really appreciate some help. I'm working at the moment on a blog for a local politician in my town. It's basically the first time I'm developing in PHP, so please don't judge me. And here comes my problem: my mate wants to publish news and blogs on his homepage, so I created a little CMS in PHP to help him do this. It is all working perfectly except for the editing part. My problems with editing are:

  • If he wants some formatting, I found the nl2br() method really helpful, but when editing the same blog entry a second time it doubles all the <br> tags in the text. Do you guys have any idea how I could do this more smoothly?
  • The next problem lies in publishing links. If he tries to include links in his blogs with normal HTML tags (<a href="..."></a>), SQL always comes up with a syntax error. So I used mysqli_real_escape_string() to prevent this. But instead of fixing the problem, it just put question marks in front of all special characters.

If there is anybody who could help me a little bit, I would really appreciate it! Thank you guys.

snd1

1 Answer

  1. Only use nl2br() when outputting HTML. When he wants to edit something, leave it as it is; the \n character will be parsed in a text box (which I assume is what you're using) anyway.

  2. Yeah, you need to escape them (and I'd suggest you look into prepared statements to be extra secure). They come up as question marks because you are probably using latin encoding in your database when it should be UTF-8 (information on how to convert here).

All in all, working on your own CMS is a bad idea. Since you're going for it anyway, I'd really advise you to look at other security holes you may face (start here).

UPDATE: Instead of:

<input type="hidden" name="oldtext" value="<?php echo $_text;?>">

You should do:

<!-- escaped, so a quote or a literal </textarea> inside the text cannot break out of the field -->
<textarea name="oldtext"><?php echo htmlspecialchars($_text, ENT_QUOTES, 'UTF-8'); ?></textarea>

And you don't even need strip_tags. Also, you don't need utf8_encode.

Shahar
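The answer above boils down to three rules: store the text exactly as typed, send it to MySQL through a prepared statement, and do all escaping and formatting (htmlspecialchars, then nl2br) only when rendering. The following is an added example that puts them together; it is not code from the question or the answer. It assumes a table named `posts` with columns `id` and `body` in a utf8mb4 database, and the function names (`save_post`, `load_post`, `render_post_html`, `render_edit_form`, `connect`) are invented for illustration. The sample text at the bottom is constructed so the rendering functions can be run without a database.

```php
<?php
// Added example (not from the original question or answer). Assumes a table
// `posts` (id INT, body TEXT) in a utf8mb4 database; all function names are
// hypothetical.
declare(strict_types=1);

// Store the text exactly as typed: no nl2br(), no strip_tags(), no
// utf8_encode(). The database keeps the raw newlines; formatting is a
// display concern, so re-editing can never accumulate <br> tags.
function save_post(mysqli $db, int $id, string $body): void
{
    // A prepared statement sends the text separately from the SQL text, so
    // quotes, <a href="..."> or anything else in it cannot break the query.
    $stmt = $db->prepare('UPDATE posts SET body = ? WHERE id = ?');
    $stmt->bind_param('si', $body, $id);
    $stmt->execute();
    $stmt->close();
}

function load_post(mysqli $db, int $id): ?string
{
    $stmt = $db->prepare('SELECT body FROM posts WHERE id = ?');
    $stmt->bind_param('i', $id);
    $stmt->execute();
    $stmt->bind_result($body);
    $found = $stmt->fetch();
    $stmt->close();
    return $found ? $body : null;
}

// Public view: escape first, then turn newlines into <br>. nl2br() is only
// ever applied to this output string, never to what goes into the database.
function render_post_html(string $body): string
{
    return nl2br(htmlspecialchars($body, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8'));
}

// Edit form: a textarea keeps the newlines as they are, so no nl2br() is
// needed. Escaping is still required, otherwise a quote or a literal
// "</textarea>" in the post would end the field and inject markup.
function render_edit_form(int $id, string $body): string
{
    $safe = htmlspecialchars($body, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<form method="post">'
        . '<input type="hidden" name="id" value="' . $id . '">'
        . '<textarea name="body">' . $safe . '</textarea>'
        . '<button type="submit">Save</button></form>';
}

function connect(string $host, string $user, string $pass, string $dbname): mysqli
{
    mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);
    $db = new mysqli($host, $user, $pass, $dbname);
    // Declare the connection charset. Without this a host whose default is
    // latin1 returns umlauts stored in utf8mb4 columns as '?', which is why
    // the same code can work on local XAMPP and fail at the hoster.
    $db->set_charset('utf8mb4');
    return $db;
}

// Constructed sample input; runs without a database.
$sample = "Erster Absatz mit Umlauten: äöü\n"
        . "Zweiter Absatz mit Link: <a href=\"https://example.org\">Link</a>";
echo render_post_html($sample), "\n";
echo render_edit_form(1, $sample), "\n";
```

Note that `render_post_html` escapes the `<a href>` in the sample, so a link typed as raw HTML is displayed as text rather than rendered. Echoing the stored body unescaped instead would make the links work, but it turns every post into trusted HTML: that is only acceptable if the one person who can write posts is trusted and the login protecting the editor is solid, since anything that reaches the `body` column would then be served to every visitor as stored XSS. If real links are needed, a tag whitelist (for example an HTML sanitiser library) or a lightweight markup format is the safer route.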
  • Thanks for answering. Well, I personally don't think security will cause any problems. The only problems I have are with this editing method. 1. If I don't use the nl2br() method, the text will be on one line, which is not very nice ;) 2. The question marks coming up are not from the wrong encoding, they are literally question marks '?'. – snd1 Jan 16 '15 at 22:56
  • @snd1 Just put the text straight from the SQL database in the text area and you should be fine. – Shahar Jan 16 '15 at 22:58
  • Straight from the form to the database will return a string on one line afterwards... – snd1 Jan 16 '15 at 23:13
  • @snd1 If you showed some more code I could see why. – Shahar Jan 16 '15 at 23:14
  • All right, I will give you some code. Here comes the form: http://codeviewer.org/view/code:4a6b – snd1 Jan 16 '15 at 23:15
  • @snd1 I actually meant the editing page - how does text get there? And why are you using `mysql_` over `mysqli_`? As for the question marks, it's most likely encoding. Double check that your database fields are `utf8mb4` encoding. – Shahar Jan 16 '15 at 23:29
  • Okay, thank you very much, your comment about nl2br() when outputting fixes the double <br>'s all the time... I double checked the database with utf8mb4 encoding, but when I'm not using utf8_encode() when displaying, the German 'Umlaute' will not be displayed correctly in HTML. Funny thing is it works perfectly fine on my local XAMPP, but not online on his hoster's servers... – snd1 Jan 17 '15 at 17:36
  • @snd1 Maybe you missed something. I followed the top answer [here](http://stackoverflow.com/questions/279170/utf-8-all-the-way-through) and it works fine for me. – Shahar Jan 17 '15 at 17:53
  • I really appreciate your help, don't get me wrong please, but it's still not working. I have triple-checked the encoding now, they are all on utf8mb4_bin. But still, if I'm not using the utf8_encode() method to display text content, all the German Umlaute will be displayed as this ugly question-mark symbol. – snd1 Jan 18 '15 at 09:50
  • **EDIT:** Okay, thanks for the next help, Shahar. "And why are you using mysql_ over mysqli_?" I didn't really see or think about this part... But the fault was clearly there: I wanted to use mysqli_* and, due to the fact that the parameters are changed in mysql_*, the escaping didn't work -.-' Really sorry that I missed that point. – snd1 Jan 18 '15 at 09:57
  • @snd1 So what's up? Do you need any more help? And yeah, you should change to mysqli. – Shahar Jan 18 '15 at 15:46