php form not adding links to database


mrooks1984

hello, i am hoping someone can help, i have a form that has a body and title fields and then sends to this function below.

it all works fine, but when i add an image or a link it stores it in the text field of the db like this:

 

<IMG alt=\"\" src=\"/public/images/231781538234094.jpg\" width=796></P>

 

this is what it should be /public/images/231781538234094.jpg

 

so when i view the image it doesn't show it and i right click the image and go to image properties and i get this:

http://test.cyberglide.co.uk/%22public/images/231781538234094.jpg/%22

 

function content_update() {

	$title = mysql_real_escape_string($_POST['title']);
	$body = mysql_real_escape_string($_POST['body']);
	$page = mysql_real_escape_string($_POST['page']);
	$location = mysql_real_escape_string($_POST['location']);
	$id = mysql_real_escape_string($_POST['id']);

	$sql = "UPDATE content SET title = '$title', body = '$body', page = '$page', location = '$location' WHERE id = '$id'";
	$res = mysql_query($sql) or die(mysql_error());
		echo "<script>window.location='content.php'</script>";
}

 

if i manually edit it on the db it works fine

 

please help, many thanks.

Link to comment
Share on other sites

You have not provided enough information to identify/fix the problem. The query is going to insert the data in those variables. So, if the value in the database contains <IMG alt=\"\" src=\"/public/images/231781538234094.jpg\" width=796></P> then that is what is in the data you are inserting.

 

Exactly which field is the one you are having a problem with? What kind of input field are you using? What is the exact data you are entering into that field? What is the value of the POST data before and after any sanitizing you are doing?

 

Also, I assume ID is supposed to be an integer. In that case you should be using intval() instead of mysql_real_escape_string() which is meant for "string" data.

Link to comment
Share on other sites

thanks for the reply, ok here is the form:

 

<div id ="content_form">
  <form method="post" action="">
<input type="hidden" name="id" value="<?php echo $content_id ?>">
        <div id="content_title">
        <label for="title">Title:</label>
        </div>
        <div id="content_box">
        <input name="title" type="text" id="title" size="60" value="<?php echo $content_title ?>" />
   </div>
        <div id="content_title">
        <label for="page">Page:</label>
        </div>
        <div id="content_box">
    <?php 
$res = mysql_query("SELECT * FROM page ORDER BY ID") or die(mysql_error());  
    echo "<select name = \"page\">";  
    while($row=mysql_fetch_assoc($res)) {  
        echo "<option value=\"$row[name]\"> $row[name]</option>";  
    }  
    echo "</select>";
}
 ?>
  </div>
      <div id="content_title">
    <label for="location">Location:</label>
    </div>
    <div id="content_box">
    <select name="location">
      <option value="1">content 1</option>
      <option value="2">content 2</option>
      <option value="3">content 3</option>
      <option value="4">content 4</option>
    </select>
     </div>
        <div id="content_title">
        <label for="body">Body:</label>
        </div>
        <div id="content_body">
  <textarea name="body" id="body" rows="10" cols="100"><?php echo $content_body ?></textarea>
  </div>
  <div id="content_body"><input type='submit' name='submit' value='Update Content'></div>
  </form>
  </div>
    <?php 
if(isset($_POST['submit']))
{
$admin->content_update();
}
?>

 

upload script that uploads the image:

 

define('NICUPLOAD_PATH', '../public/images'); // Set the path (relative or absolute) to
                                      // the directory to save image files
                                      
define('NICUPLOAD_URI',  '../public/images');   // Set the URL (relative or absolute) to
                                      // the directory defined above

$nicupload_allowed_extensions = array('jpg','jpeg','png','gif','bmp');

// You should not need to modify below this line

$rfc1867 = function_exists('apc_fetch') && ini_get('apc.rfc1867');

if(!function_exists('json_encode')) {
    die('{"error" : "Image upload host does not have the required dependicies (json_encode/decode)"}');
}

$id = $_POST['APC_UPLOAD_PROGRESS'];
if(empty($id)) {
    $id = $_GET['id'];
}

if($_SERVER['REQUEST_METHOD']=='POST') { // Upload is complete
    if(empty($id) || !is_numeric($id)) {
        nicupload_error('Invalid Upload ID');
    }
    if(!is_dir(NICUPLOAD_PATH) || !is_writable(NICUPLOAD_PATH)) {
        nicupload_error('Upload directory '.NICUPLOAD_PATH.' must exist and have write permissions on the server');
    }
    
    $file = $_FILES['nicImage'];
    $image = $file['tmp_name'];
    
    $max_upload_size = ini_max_upload_size();
    if(!$file) {
        nicupload_error('Must be less than '.bytes_to_readable($max_upload_size));
    }
    
    $ext = strtolower(substr(strrchr($file['name'], '.'), 1));
    @$size = getimagesize($image);
    if(!$size || !in_array($ext, $nicupload_allowed_extensions)) {
        nicupload_error('Invalid image file, must be a valid image less than '.bytes_to_readable($max_upload_size));
    }
    
    $filename = $id.'.'.$ext;
    $path = NICUPLOAD_PATH.'/'.$filename;
    
    if(!move_uploaded_file($image, $path)) {
        nicupload_error('Server error, failed to move file');
    }
    
    if($rfc1867) {
        $status = apc_fetch('upload_'.$id);
    }
    if(!$status) {
        $status = array();
    }
    $status['done'] = 1;
    $status['width'] = $size[0];
    $status['url'] = nicupload_file_uri($filename);
    
    if($rfc1867) {
        apc_store('upload_'.$id, $status);
    }

    nicupload_output($status, $rfc1867);
    exit;
} else if(isset($_GET['check'])) { // Upload progress check
    $check = $_GET['check'];
    if(!is_numeric($check)) {
        nicupload_error('Invalid upload progress id');
    }
    
    if($rfc1867) {
        $status = apc_fetch('upload_'.$check);
        
        if($status['total'] > 500000 && $status['current']/$status['total'] < 0.9 ) { // Large file and we are < 90% complete
	$status['interval'] = 3000;
} else if($status['total'] > 200000 && $status['current']/$status['total'] < 0.8 ) { // Is this a largeish file and we are < 80% complete
	$status['interval'] = 2000;
} else {
	$status['interval'] = 1000;
}
        
        nicupload_output($status);
    } else {
        $status = array();
        $status['noprogress'] = true;
        foreach($nicupload_allowed_extensions as $e) {
            if(file_exists(NICUPLOAD_PATH.'/'.$check.'.'.$e)) {
                $ext = $e;
                break;
            }
        }
        if($ext) {
            $status['url'] = nicupload_file_uri($check.'.'.$ext);
        }
        nicupload_output($status);
    }
}


// UTILITY FUNCTIONS

function nicupload_error($msg) {
    echo nicupload_output(array('error' => $msg)); 
}

function nicupload_output($status, $showLoadingMsg = false) {
    $script = '
        try {
            '.(($_SERVER['REQUEST_METHOD']=='POST') ? 'top.' : '').'nicUploadButton.statusCb('.json_encode($status).');
        } catch(e) { alert(e.message); }
    ';
    
    if($_SERVER['REQUEST_METHOD']=='POST') {
        echo '<script>'.$script.'</script>';
    } else {
        echo $script;
    }
    
    if($_SERVER['REQUEST_METHOD']=='POST' && $showLoadingMsg) {      

echo <<<END
    <html><body>
        <div id="uploadingMessage" style="text-align: center; font-size: 14px;">
            <img src="images/ajax-loader.gif" style="float: right; margin-right: 40px;" />
            <strong>Uploading...</strong><br />
            Please wait
        </div>
    </body></html>
END;

    }
    
    exit;
}

function nicupload_file_uri($filename) {
    return NICUPLOAD_URI.'/'.$filename;
}

function ini_max_upload_size() {
    $post_size = ini_get('post_max_size');
    $upload_size = ini_get('upload_max_filesize');
    if(!$post_size) $post_size = '8M';
    if(!$upload_size) $upload_size = '2M';
    
    return min( ini_bytes_from_string($post_size), ini_bytes_from_string($upload_size) );
}

function ini_bytes_from_string($val) {
    $val = trim($val);
    $last = strtolower($val[strlen($val)-1]);
    switch($last) {
        // The 'G' modifier is available since PHP 5.1.0
        case 'g':
            $val *= 1024;
        case 'm':
            $val *= 1024;
        case 'k':
            $val *= 1024;
    }
    return $val;
}

function bytes_to_readable( $bytes ) {
    if ($bytes<=0)
        return '0 Byte';
   
    $convention=1000; //[1000->10^x|1024->2^x]
    $s=array('B', 'kB', 'MB', 'GB', 'TB', 'PB', 'EB', 'ZB');
    $e=floor(log($bytes,$convention));
    return round($bytes/pow($convention,$e),2).' '.$s[$e];
}

?>

 

the function:

 

	function content_update() {

	$title = mysql_real_escape_string($_POST['title']);
	$body = mysql_real_escape_string($_POST['body']);
	$page = mysql_real_escape_string($_POST['page']);
	$location = mysql_real_escape_string($_POST['location']);
	$id = mysql_real_escape_string($_POST['id']);

	$sql = "UPDATE content SET title = '$title', body = '$body', page = '$page', location = '$location' WHERE id = '$id'";
	$res = mysql_query($sql) or die(mysql_error());
		echo "<script>window.location='content.php'</script>";
}

 

the db title is varchar and the body one is text, its the body one that is storing all the image info text etc

id is int, primary key and auto

 

i try what you suggested, thanks.

Link to comment
Share on other sites

right, it works if i change it from this:

 

$body = mysql_real_escape_string($_POST['body']);

 

to this:

 

$body = $_POST['body'];

 

i have been told to use real escape string to be more secure on everything you can, is this true?

if i left it without that, is it not as secure?

if its less secure how can i fix this, many thanks.

Link to comment
Share on other sites

OK, let's start with your first POST which included misinformation. You stated that the stored value contained this

<IMG alt=\"\" src=\"/public/images/231781538234094.jpg\" width=796></P>

and should instead contain this

/public/images/231781538234094.jpg

 

You inferred that ONLY the image source was supposed to be in the saved content and that even the image tag and other parameters were there erroneously. Please be more specific in the future.

 

i have been told to use rel escape string to be more secure on everything you can, is this true?

Yes and no. You should use the right sanitization process based upon the data type. As I stated before, the ID value should be run through intval() to force it to be an integer.

 

Also, I asked previously what is the value before and after you perform any sanitization? The last thing you posted shows what the value is after sanitization. But, from that I can see what the problem is: Magic Quotes

 

Magic quotes is a process whereby certain characters are escaped on-the-fly when being sent via POST/GET on the server. This sounds like a good thing, but the problem is that data should be escaped as appropriate to the repository in which it is being stored. That is why you should be using mysql_real_escape_string() for that data. But, since it is getting automatically escaped via the POST transaction, mysql_real_escape_string() is escaping the escaped data. You should turn off magic quotes on your server (if you have that ability) or you can implement a process to disable them at run time: http://www.php.net/manual/en/security.magicquotes.disabling.php

Link to comment
Share on other sites
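Added example (not part of any post in this thread): the magic-quotes effect described in the reply above, reproduced offline. It assumes PDO with an in-memory SQLite database and bound parameters in place of the thread's ext/mysql calls; the table contents, the sample body and the helper name undo_magic_quotes are constructed for illustration.

```php
<?php
// Added example. Assumptions: PDO + in-memory SQLite instead of ext/mysql,
// constructed sample data, hypothetical helper name undo_magic_quotes().

// What the editor really submitted (constructed from the thread's image tag).
$submitted = '<IMG alt="" src="/public/images/231781538234094.jpg" width=796>';

// With magic_quotes_gpc enabled, PHP runs addslashes() over every POST value
// before the script sees it. Simulate that here so the example runs anywhere.
$post_body = addslashes($submitted);
$post_id   = '2';   // POST values always arrive as strings

// Undo magic quotes once, at the input boundary. On PHP < 5.4 call this only
// when get_magic_quotes_gpc() returns true; later versions dropped the feature.
function undo_magic_quotes($value) {
    return is_array($value)
        ? array_map('undo_magic_quotes', $value)
        : stripslashes($value);
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE content (id INTEGER PRIMARY KEY, body TEXT)');
$db->exec("INSERT INTO content (id, body) VALUES (1, ''), (2, '')");

// Bound parameters keep the value out of the SQL text, so no manual
// escaping function is involved and nothing can be escaped twice.
$update = $db->prepare('UPDATE content SET body = :body WHERE id = :id');

// Row 1: the magic-quoted value stored as received. The database keeps the
// backslashes, which is the broken markup the first post describes.
$update->execute(array(':body' => $post_body, ':id' => 1));

// Row 2: magic quotes undone first, id forced to an integer with intval().
$update->execute(array(
    ':body' => undo_magic_quotes($post_body),
    ':id'   => intval($post_id),
));

// Print both stored bodies for comparison.
foreach ($db->query('SELECT id, body FROM content ORDER BY id') as $row) {
    echo $row['id'], ': ', $row['body'], PHP_EOL;
}
```

Dropping the escaping call, as tried earlier in the thread, only appears to work because magic quotes is escaping the input; once magic quotes is off, the query needs mysql_real_escape_string() or bound parameters again.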

I don't know if it makes any difference, but in a one-line php statement, I still always include the semicolon at the end.

 

So where you have <?php echo $content_body ?>  I would put <?php echo $content_body; ?>

 

You have a few examples of this kind of thing in your code. Maybe it's just me, but I would put the semicolon in there anyway.

Link to comment
Share on other sites

I don't know if it makes any difference, but in a one-line php statement, I still always include the semicolon at the end.

 

So where you have <?php echo $content_body ?>  I would put <?php echo $content_body; ?>

 

You have a few examples of this kind of thing in your code. Maybe it's just me, but I would put the semicolon in there anyway.

 

I always include the semi-colon as well, but that is really a personal preference thing. The last line of code before a closing PHP tag ( ?> ) does not require a semi-colon. So, his code is perfectly valid. However, I do feel it is good practice to use it. Otherwise you end up adding more code after the last line and you get parse errors.

 

From the manual (emphasis added): http://www.php.net/manual/en/language.basic-syntax.instruction-separation.php

As in C or Perl, PHP requires instructions to be terminated with a semicolon at the end of each statement. The closing tag of a block of PHP code automatically implies a semicolon; you do not need to have a semicolon terminating the last line of a PHP block. The closing tag for the block will include the immediately trailing newline if one is present.
Link to comment
Share on other sites
