Text storage and database selection

[CynePhoba]

Hey guys,

 

I'm trying to build a simple 'blogging engine' as a fun side project. At the moment i'm mainly having trouble with 2 things -

 

1. What is the best way that the administrator can input the data (with linebreaks, etc) and then have it stored in the database with this formatting so that when it is called from the database, it shows up the same on the page?

 

2. How do i go about selecting only certain posts from the database? I have tried doing a /post.php?id=12 and then an SQL statement "WHERE post_id=" . $id (in the correct formatting, of course) but this didnt seem to work.

 

 

Any help would be appreciated.

 

-CynePhoba

[smoseley]

1. If an admin is doing all the posts, just use TinyMCE or similar to allow them to create HTML in the browser and insert that HTML directly into the table.  If a 3rd party enters text, it's best to strip_tags and replace breaks with \n or paragraphs with \n\n going into the table, then replace \n with <br /> for display.

 

2. Try using "... WHERE post_id = " . ((int) $_GET['id']);

[scootstah]

1. You don't need to do anything to store linebreaks. If you are submitting data from a textarea and there are linebreaks in the textarea, there will be linebreaks in the database. They are invisible characters so you cannot see them, but they are there. In order to make them appear on the page once you retrieve the information all you need to do is use nl2br to convert the invisible \n characters to HTML <br /> tags.

 

2. But what is $id?

[CynePhoba]

include '/static/includes/dbconnect.php';

if (isset($_post['pid']))
{
$pid=$_get['pid'];
$postquery = "SELECT * FROM posts WHERE postid =" . $pid;
$resultposts = mysql_query ($postquery);

if (!$resultposts) {
    $message  = 'Invalid query: ' . mysql_error() . "\n";
    $message .= 'Whole query: ' . $resultposts;
    die($message);
}

while ($row = mysql_fetch_assoc($resultposts)) {
    echo $row['posttitle'];
echo '<br/>';
    echo $row['postcontent'];
echo '<br/>';
echo '<br/>';
}

}

 

That's what I'm using to read $id. It is sent via the URL.

[Jessica]

$_POST is for forms, you'll need to use $_GET.

Also, pick id or pid, don't have the url say id and then expect to access it with pid

 

Lastly,

"$message .= 'Whole query: ' . $resultposts;

 

Will not show you your query.

[CynePhoba]

Ahh ok. Thankyou (:

[smoseley]

Make sure ti intval it to prevent SQL injection (as per my example in post #2)

[CynePhoba]

Yes, I will do that.

 

Also one quick question - at the moment I'm posting the text from the text box via URL to the next page, where it is inserted into the text box. I haven't done a lot of php, but I get the feeling that this is the wrong way to be doing this.

 

How should I go about getting the text from the text box and putting it into the database?

[smoseley]

<form method="post">

 

Always use $_POST data for forms.  For one thing, the querystring is limited in the amount of data it can handle.  Post also prevents a lot of simple hacks to your site.

 

Besides that, there's the whole HTTP REST spec.

 

GET should only be used for retrieval

POST for saving data

 

We won't even get into PUT and DELETE... save that lesson for later!

[CynePhoba]

So if I'm wanting formatted text sent to another page, then added to a database... (the same way that this site handles replies..) then $_POST is the best way to do it?

 

Cool. Thanks

[CynePhoba]

Managed to work it all out.

 

Thanks guys for all your help

 

-CynePhoba