PHP does not save HTML code to database

Question

PHP 5.4 (recommended by my host) MySQL 5 I have no logs.

I have a script that was working perfectly fine a week ago. I've made absolutely ZERO changes to it at all. It's a simple news system script.

It use to allow saving with html text such as bold, italics, underline etc. When editing the news it would display it the same way it was saved. The only thing that changed was the
. It would be added before saving to the database but removed when displayed.

This is the portion of the script that saves the information. I took out any information that was not valid to the question. Only displaying the content containing the issue.

<?php require('check.php'); 
require_once('settings.php');

if (isset($_POST['update'])) {

    $id = htmlspecialchars(strip_tags($_POST['id']));
    $month = htmlspecialchars(strip_tags($_POST['month']));
    $date = htmlspecialchars(strip_tags($_POST['date']));
    $year = htmlspecialchars(strip_tags($_POST['year']));
    $time = htmlspecialchars(strip_tags($_POST['time']));
    $entry = $_POST['entry'];
    $avatar = $_POST['avatar'];
    $title = htmlspecialchars(strip_tags($_POST['title']));

/*    $entry = nl2br($entry); */
    $entry = preg_replace("/\r\n|\r/", "<br />", $entry);

    if (!get_magic_quotes_gpc()) {
        $title = addslashes($title);
        $entry = addslashes($entry);
    }

    $timestamp = strtotime ($month . " " . $date . " " . $year . " " . $time);

    $result = mysqli_query($GLOBALS["___mysqli_ston"], "UPDATE my_blog SET timestamp='$timestamp', title='$title', entry='$entry', avatar='$avatar' WHERE id='$id' LIMIT 1") or print ("Can't update entry.<br />" . ((is_object($GLOBALS["___mysqli_ston"])) ? mysqli_error($GLOBALS["___mysqli_ston"]) : (($___mysqli_res = mysqli_connect_error()) ? $___mysqli_res : false)));

    header("Location: ../entry.php?id=" . $id);

}

if (isset($_POST['delete'])) {
    $id = (int)$_POST['id'];
    $result = mysqli_query($GLOBALS["___mysqli_ston"], "DELETE FROM my_blog WHERE id='$id'") or print ("<p class=\"error\"Can't delete entry.<br />" . ((is_object($GLOBALS["___mysqli_ston"])) ? mysqli_error($GLOBALS["___mysqli_ston"]) : (($___mysqli_res = mysqli_connect_error()) ? $___mysqli_res : false)) . "</p>");
    if ($result != false) {
        print "<p class=\"success\">The entry has been successfully deleted from the database.</p>";
        exit;
    }
}

if (!isset($_GET['id']) || empty($_GET['id']) || !is_numeric($_GET['id'])) {
    die("Invalid entry ID.");
}
else {
    $id = (int)$_GET['id'];
}

require_once("header.php");
$result = mysqli_query($GLOBALS["___mysqli_ston"], "SELECT * FROM my_blog WHERE id='$id'") or print ("Can't select entry.<br />" . $sql . "<br />" . ((is_object($GLOBALS["___mysqli_ston"])) ? mysqli_error($GLOBALS["___mysqli_ston"]) : (($___mysqli_res = mysqli_connect_error()) ? $___mysqli_res : false)));

while ($row = mysqli_fetch_array($result)) {
    $old_timestamp = $row['timestamp'];
    $old_title = stripslashes($row['title']);
    $old_entry = nl2br($row['entry']);
    $old_avatar = stripslashes($row['avatar']);
    $old_password = $row['password'];

    $old_title = str_replace('"','\'',$old_title);
    $old_entry = str_replace('\r\n', '<br />', $old_entry);

    $old_month = date("F",$old_timestamp);
    $old_date = date("d",$old_timestamp);
    $old_year = date("Y",$old_timestamp);
    $old_time = date("H:i",$old_timestamp);
}
?>
<form method="post" action="<?php echo $_SERVER['PHP_SELF']; ?>">
<p><input class="form-control" type="hidden" name="id" value="<?php echo $id; ?>" />
<b><label for="month">Date:</label></b>
<table width=100%> 
<tr>
<td width="25%"><input class="form-control" type="text" name="date" id="date" size="2" value="<?php echo $old_date; ?>" /></td>
<td width="50%"><select class="form-control" name="month" id="month">
<option value="<?php echo $old_month; ?>"><?php echo $old_month; ?></option>
<option value="January">January</option>
<option value="February">February</option>
<option value="March">March</option>
<option value="April">April</option>
<option value="May">May</option>
<option value="June">June</option>
<option value="July">July</option>
<option value="August">August</option>
<option value="September">September</option>
<option value="October">October</option>
<option value="November">November</option>
<option value="December">December</option>
</select></td>
<td width="25%"><select class="form-control" name="year" id="year">
<option value="<?php echo $old_year; ?>"><?php echo $old_year; ?></option>
<option value="2013">2013</option>
<option value="2014">2014</option>
<option value="2015">2015</option>
<option value="2016">2016</option>
<option value="2017">2017</option>
<option value="2018">2018</option>
<option value="2019">2019</option>
<option value="2020">2020</option>
</select></td>
</tr>
<tr>
<td><b><label for="time">Time:</label></b></td>
<td><b><label for="title">Title:</label></b></td>
<td><b><label for="avatar">Icon:</label></b></td>
</tr>
<tr>
<td><input class="form-control" type="text" name="time" id="time" size="5" value="<?php echo $old_time; ?>" /></td>
<td><input class="form-control" type="text" name="title" id="title" value="<?php echo $old_title; ?>" size="40" /></td>
<td><input class="form-control" type="text" name="avatar" id="avatar" size="40" maxlength="100" value="<?php echo $old_avatar; ?>" /></td>
</tr>
</table>
<p><textarea class="form-control" cols="80" rows="20" name="entry" id="entry"><?php echo $old_entry; ?></textarea></p>
<p><button type="submit" name="update" id="update" class="btn btn-default">Update!</button></p>
</form>
<p><strong>Before deleting, be absolutely sure - there is no confirmation nor is there any way to reverse deletion!</strong><br />
<small>(You may be shown your entry again after deleting - do not worry, it HAS been deleted.  Check the main page of the blog if you are still unsure.</small></p>
<form action="<?php echo $_SERVER['PHP_SELF']; ?>" method="post">
<input type="hidden" name="id" id="id" value="<?php echo $id; ?>" />
<button type="submit" name="delete" id="delete" class="btn btn-default">Yes, I am absolutely and positively sure I want to delete this entry.</button>
</form>

<?php
require_once("footer.php");
((is_null($___mysqli_res = mysqli_close($GLOBALS["___mysqli_ston"]))) ? false : $___mysqli_res);
?>

I've tried to see if this was a host issue but apparently many people across many host that use this specific script are having this issue. It all started at the exact same time for everyone. But not one person has a clue what is going on. Everyone is running at least on PHP 5.4 nothing older.

It's just really strange how something that was working stopped working and was looking for some insight on what could be the issue. Google has been of no help and I can't find anything here on stack overflow.

Please note that I have tried changing the way of saving the information. I know using nl2br() should actually not be used to save information to the database only to display information from the datasbase. But I did not write the script and it is no longer being kept by the original developer of the script.

I've converted everything to mysqli_ with no changes to the problem.

settings.php

<?php
    $users = array($user => md5($pass));
    $salt = substr(md5(date("F")), 8);
    $cards_seperate_directory = FALSE;

    $connect = mysql_connect("$db_server", "$db_user", "$db_password")
        or die( DATABASE_CONNECT_ERROR . mysql_error() );
    mysql_select_db("$db_database", $connect)
        or die( DATABASE_CONNECT_ERROR . mysql_error() );

    function CleanUp($data) {
        $data = trim(htmlentities(strip_tags($data)));
        return $data;
        }

    function escape_sql($sql) {
        if (get_magic_quotes_gpc()) $sql = stripslashes($sql);
        return mysql_real_escape_string($sql);
        }
?>

Answer 1

Possible issues:

php has been updated by your server, which can often result in nested functionality breaking with large step upgrades. I found that with strip_tags() this happened to me last year.

As stated by Jay in the comments, do some standard PHP error checking, read your error logs file. PHP has an excellent error output system and will show you what's wrong, even if not showing you how to fix it.

Email your server hosts and specifically and categorically ask them if they've done updates and changes to the system, this includes things like updates to your php.ini file which can effect a lot of changes. They should always inform you when updating stuff but sometimes they don't.

I find it hard to see that this is a wide internet based issue with competent programmers if it is still on code that is five years out of date (MySQL) .

The whole magic quotes is something that is long deprecated and maybe actually deleted functionality(?). Magic quotes is a very poor practise to use, so much so I think it was removed in PHP5. Avoid it with extreme prejudice.

Do not get angry at people trying to help you here. Please. I know, I do really know it's frustrating when stuff doesn't work, but telling someone who is taking time out to advise and help you to "use your brain" when they can only go on as much information as you provide is rude and will not encourage others to assist you.

So, routes to solve your issue:

1) read your comments from Jay stating about setting up PHP error reporting and then rerun the script, then establish the error log is being generated (with deliberate errors) and then download the log and read it, it will give you a valuable insight into where the issue is.

2) Update to MySQLi. Do this as soon as practically possible. It will not effect / damage the working of your scripts but will improve them better.

3) Get in touch with your server hosts and get some specific clarification as to what and if things have been updated

4) Check all of your files from a historic GIT or similar depository, as your code is very poorly written and I'm sure you'll have security flaws aplenty, so there is a possibility some malware or hack could (possibly) compromised you.

5) Hold your tongue, don't bite the people that take time to assist you.

6) Feedback, update your question with the new information: what version of PHP are you running, what version of MySQL are you running, what does your Error log say? Have you read over http://php.net/manual/en/function.nl2br.php for possible issues, including in the comments?

7) we can then give you better and clearer more helpful solutions

Updated issues:

$result = mysqli_query($GLOBALS["___mysqli_ston"], "UPDATE my_blog SET timestamp='$timestamp', title='$title', entry='$entry', avatar='$avatar' WHERE id='$id' LIMIT 1") or print ("Can't update entry.<br />" . ((is_object($GLOBALS["___mysqli_ston"])) ? mysqli_error($GLOBALS["___mysqli_ston"]) : (($___mysqli_res = mysqli_connect_error()) ? $___mysqli_res : false)));

This row has a pile of what look like poorly implemented PHP Globals but these are really old and deprecated as well, with PHP 5.4 you say you have, these globals are useless and not to be used.

What made you put $GLOBALS into your MySQL? Where do these varaibles appear and why are they written in such a poor syntax. These will NOT help your cause.

Answer 2

Improved Version:

Please note: All functions referencing magic quotes really shouldn't be needed and should be removed. I have used the data from the settings.php to set up the $dbLink which is the database link required for MySQLi.

I have also set the error logging to appear in your "tmp/php-error.log" this will NOT be in your web directory but will be below your web directory and accessible by FTP. I can't set a better location as I dont know the structure of your hosting, but feel free to edit.

Where you aware that your settings.php mysql_connect was NOT MySQLi? The code below should run and should give you any error outputs including notices and warnings to the file specified. Upload this and see how it runs.

Also not that on your original code there was some require and jazz at the bottom of the HTML content, you don't need that, for this debugging.

I strongly advise against that automatic MySQLi converter.

Let me know how this goes....

require('check.php');
//require_once('settings.php');

$users = array($user => md5($pass));
$salt = substr(md5(date("F")), 8);
$cards_seperate_directory = FALSE;

$dbLink = mysqli_connect($db_server, $db_user, $db_password, $db_database);


error_reporting(E_ALL);
ini_set("error_log", "/tmp/php-error.log");
ini_set('display_errors', 1);

if (isset($_POST['update'])) {
    $id = strip_tags($_POST['id']);
    $id = htmlspecialchars($id);
    $month = strip_tags($_POST['month']);
    $month = htmlspecialchars($month);
    $date = strip_tags($_POST['date']);
    $date = htmlspecialchars($date);
    $year = strip_tags($_POST['year']);
    $year = htmlspecialchars($year);
    $time = strip_tags($_POST['time']);
    $time = htmlspecialchars($time);

    $avatar = $_POST['avatar'];
    $title = strip_tags($_POST['title']);
    $title = htmlspecialchars($title);

    $entry = $_POST['entry'];
    /*    $entry = nl2br($entry); */
    $entry = preg_replace("/\r\n|\r/", "<br />", $entry);

    $timestamp = strtotime ($month . " " . $date . " " . $year . " " . $time);

    $result = mysqli_query( $dbLink, "UPDATE my_blog SET timestamp='$timestamp', title='$title', entry='$entry',
avatar='$avatar' WHERE id='$id' LIMIT 1") or die(mysqli_error($dbLink));

    header("Location: ../entry.php?id=" . $id);
    die();
}

if (isset($_POST['delete'])) {
    $id = (int)$_POST['id']; //assumes the ID is an int.
    if ($id > 0 ) {
        $result = mysqli_query($dbLink, "DELETE FROM my_blog WHERE id='$id' LIMIT 1 ") or die(mysqli_error($dbLink));
        if ($result !== false) {
            print "<p class='success'>The entry has been successfully deleted from the database.</p>";
            die();
        }
    }
}

if (!isset($_GET['id']) || empty($_GET['id']) || !is_numeric($_GET['id'])) {
    die("Invalid entry ID.");
}
else {
    $id = (int)$_GET['id'];
}

require_once("header.php");
$result = mysqli_query($dbLink, "SELECT * FROM my_blog WHERE id='$id' LIMIT 1") or die(mysqli_error($dbLink));

while ($row = mysqli_fetch_array($result)) {
    $old_timestamp = $row['timestamp'];
    $old_title = stripslashes($row['title']);
    $old_entry = nl2br($row['entry']);
    $old_avatar = stripslashes($row['avatar']);
    $old_password = $row['password'];

    $old_title = str_replace('"','\'',$old_title);
    $old_entry = str_replace('\r\n', '<br />', $old_entry);

    $old_month = date("F",$old_timestamp);
    $old_date = date("d",$old_timestamp);
    $old_year = date("Y",$old_timestamp);
    $old_time = date("H:i",$old_timestamp);
}
?>

(rest of file)