0

I have a database table that contains these rows: "id", "link" and "name", with link being:

<a href=\"https://www.sample.com/file1.php\">[1-200]< /a> <a href=\"https://www.sample.com/file2.php\">[201-224]< /a>

and name:

item1

I have the following PHP code to get the info from the database and return it to visitors. My problem is that the link for file2.php is not only applied as a hyperlink for [201-224]; the hyperlink is also applied to the rest of the page content. How do I prevent this? Thanks in advance.

echo "</br> ".$name = $row['name'];
echo "</br> ".$Torrentlink = preg_replace('/\\\\/', '', $row['Torrentlink']);

echo "</br> ";
echo "</br> ";
echo "</br> ";
echo "the rest of my text goes here ";
u19981010
  • Not directly related to your question, but storing view data like an HTML string inside of a database seems like a violation of the separation of concerns principle to me. Personally, I would store the URLs in the database and let the database deal with data, and render the actual anchor tags in the template file. – kingsfoil Sep 23 '18 at 13:47
  • On another note, it doesn’t look like the output here is sanitized, which will leave this page open to XSS vulnerabilities. You should make sure the strings you render here are html safe. https://stackoverflow.com/q/1996122/1596460 – kingsfoil Sep 23 '18 at 13:57
  • Also, welcome to StackOverflow! – kingsfoil Sep 23 '18 at 13:59
  • @0112, thanks a lot for your contribution. The number of files (and hyperlinks) may vary from one row to another, that's why I'm storing HTML in my database. Data are submitted to the database using a prepared statement. That said, do I still need to sanitize my output? And thanks a lot for your help – u19981010 Sep 23 '18 at 22:20
  • Well, it depends. Are you html escaping data before you write it to the DB? – kingsfoil Sep 23 '18 at 22:43
  • Is this the complete chunk of code? It looks to me like there should be a loop which iterates over each row you’re returning from the DB call. Are you doing it that way? – kingsfoil Sep 23 '18 at 22:47
  • Yes, I solved my problem, it was just an extra space after backslash. And yes, there is a loop that iterates over the rows. – u19981010 Sep 24 '18 at 17:26

3 Answers

1

This is a terrible way to handle this type of data. If you know they are all links then you should only be storing the link and the name (of course id and other metadata could be useful). Your current situation allows for too many errors and a maintenance problem for those working behind you. If you do not want to create a record for each link, consider storing them as JSON or some other format.

Example: (Store JSON in DB as VARCHAR)

<?php

//Populate variable from DB
//$TorrentLinks = $row['Torrentlink'];
$TorrentLinks = '[
     {"url":"https://www.sample.com/file1.php","text":"[1-200]"},
     {"url":"https://www.sample.com/file2.php","text":"[201-224]"}
]';

//Convert to array
$jsonLinks = json_decode($TorrentLinks,true);

//Iterate and print links
foreach ($jsonLinks as $key => $value) {
    echo "<a href=\"{$value["url"]}\">{$value["text"]}</a><br />";
}

Results:

<a href="https://www.sample.com/file1.php">[1-200]</a>
<a href="https://www.sample.com/file2.php">[201-224]</a>

Depending on how you capture the data, you could also use something like htmlspecialchars() to keep the special characters from executing.

Daniel Gale
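
An added example (not part of the answer above) of the same JSON-to-anchor loop with the output escaped and the URL scheme checked, which is the XSS point raised in the comments under the question. The function name render_links, the http/https allow-list and the sample row are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Added example: render_links() and the sample data below are hypothetical,
// not code from the original answer.
function render_links(string $json): string
{
    $links = json_decode($json, true);
    if (!is_array($links)) {
        return '';                      // malformed JSON: render nothing
    }

    $flags = ENT_QUOTES | ENT_SUBSTITUTE;
    $html  = '';
    foreach ($links as $link) {
        // Skip entries that do not have the expected string fields.
        if (!is_array($link) || !is_string($link['url'] ?? null) || !is_string($link['text'] ?? null)) {
            continue;
        }
        // Escaping alone does not neutralise javascript: or data: URLs,
        // so only http and https links are rendered (assumed policy).
        $scheme = strtolower((string) parse_url($link['url'], PHP_URL_SCHEME));
        if ($scheme !== 'http' && $scheme !== 'https') {
            continue;
        }
        // Escape both the attribute value and the link text at output time.
        $html .= sprintf(
            "<a href=\"%s\">%s</a><br />\n",
            htmlspecialchars($link['url'], $flags, 'UTF-8'),
            htmlspecialchars($link['text'], $flags, 'UTF-8')
        );
    }
    return $html;
}

// Constructed sample row: one clean link, one with markup in the text and
// an ampersand in the URL, and one with a non-http scheme that is skipped.
$torrentLinks = <<<'JSON'
[
  {"url": "https://www.sample.com/file1.php", "text": "[1-200]"},
  {"url": "https://www.sample.com/file2.php?a=1&b=2", "text": "[201-224] <b>new</b>"},
  {"url": "javascript:alert(1)", "text": "dropped"}
]
JSON;

echo render_links($torrentLinks);
```

Prepared statements protect the query, not the page: values read back from the table still need escaping at the point where they are written into HTML.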
0

I think there's a problem with your preg_replace('/\\\\/', '',$row['Torrentlink']);

/\\\\/ finds text with double backslash \\. It seems that your intention is to find only single backslashes to get rid of them in your links.

So try replacing it with

preg_replace('/\\/', '',$row['Torrentlink']);

For example, https://regexr.com/ is a good place to check your regular expressions.

AIPohja
  • Thanks for your help. I tried your answer but I got a warning and it didn't work (Warning: preg_replace(): No ending delimiter '/' found in C:\xampp\htdocs\). – u19981010 Sep 23 '18 at 22:15
0

The error was simply the input HTML text.

The problem was the " < /a> " in the line:

<a href=\"https://www.sample.com/file1.php\">[1-200]< /a> <a href=\"https://www.sample.com/file2.php\">[201-224]< /a>

I had a space before the backslash.

u19981010