Reputation: 476
I have a script where I write a new project to my database. In this script I have a textarea element with name="omschrijving". In this textarea the user can specify <li> elements which I have styled with CSS.
The problem is that when I enter: <li>hello</li> it becomes: &lt;li>hello&lt;/li> in my database.
I use a mediumtext type column to store the value of the textarea in.
Code of my form:
    <form action="nieuwproject.php?action=toevoegen" method="post">
        <fieldset class=""> <!-- Set class to "column-left" or "column-right" on fieldsets to divide the form into columns -->
            <p>
                <label>Naam</label>
                <input class="text-input medium-input datepicker" type="text" id="medium-input" name="naam" />
            </p>
            <p>
                <label>Categorie</label>
                <select name="categorie" class="text-input medium-input">
                    <?php $oObj->getCategorieDropdown(); ?>
                </select>
            </p>
            <p>
                <label>Opdrachtgever</label>
                <input class="text-input medium-input datepicker" type="text" id="medium-input" name="opdrachtgever" />
            </p>
            <p>
                <label>Omschrijving</label>
                <textarea class="text-input textarea wysiwyg" id="textarea" name="omschrijving" cols="79" rows="15"></textarea>
            </p>
            <p>
                <label>Werkzaamheden</label>
                <textarea class="text-input textarea wysiwyg" id="textarea" name="werkzaamheden" cols="79" rows="15"></textarea>
            </p>
            <p>
                <input class="button" type="submit" value="Submit" />
            </p>
        </fieldset>
        <div class="clear"></div><!-- End .clear -->
    </form>
Code of my Insert script:
    function addProject() {
        $this->sQuery = "INSERT INTO projecten (naam,opdrachtgever,omschrijving,werkzaamheden,categorie)
            VALUES ('" . $_POST['naam'] . "','" . $_POST['opdrachtgever'] . "','" . $_POST['omschrijving'] . "','" . $_POST['werkzaamheden'] . "','" . $_POST['categorie'] . "')";
        $this->rResult = mysql_query($this->sQuery);
    }
Does anyone know how to fix this? I am aware this script is candy to hackers, so there's no need to point that out.
With kind regards,
Michael
Upvotes: 0
Views: 2567
Reputation: 40
http://php.net/manual/en/function.htmlentities.php
http://www.php.net/manual/en/function.htmlspecialchars.php
MySQL won't sanitize your HTML like this, as far as I know, so something in your code is passing your $_POST['omschrijving'] through htmlentities() or htmlspecialchars(). Either of these functions would produce the output that you are seeing in your database.
Edit:
Just saw your comment that it was your WYSIWYG editor. Good catch!
Upvotes: 0
Reputation: 157896
Sure.
Just find the place in your code which does htmlspecialchars/htmlentities on the data intended for the database and get rid of it.
I can assure you that the database never adds any symbols of its own will.
Every symbol that is altered/added to your data is a result of some PHP code.
Note that your query is improperly formatted.
You have to format it, either by formatting every literal separately, or by using prepared statements.
It is irrelevant to your <li> problem, but it's relevant to your application errors and vulnerability.
Upvotes: 2
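What the answers above describe, as an added example that is not part of the original thread: the textarea value is stored unencoded through a PDO prepared statement, and htmlspecialchars() is applied only when a value is shown as text. The in-memory SQLite database, the `addProject(PDO, array)` signature and the sample values are assumptions made so the script runs offline.

```php
<?php
// Added example, not the asker's code. In-memory SQLite stands in for the
// MySQL table so the script runs offline; the PDO calls are the same for MySQL.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE projecten (
    id INTEGER PRIMARY KEY, naam TEXT, opdrachtgever TEXT,
    omschrijving TEXT, werkzaamheden TEXT, categorie TEXT)');

// Hypothetical helper: bound parameters travel separately from the SQL text
function addProject(PDO $pdo, array $post): int
{
    $stmt = $pdo->prepare(
        'INSERT INTO projecten (naam, opdrachtgever, omschrijving, werkzaamheden, categorie)
         VALUES (:naam, :opdrachtgever, :omschrijving, :werkzaamheden, :categorie)'
    );
    $stmt->execute([
        ':naam'          => $post['naam'] ?? '',
        ':opdrachtgever' => $post['opdrachtgever'] ?? '',
        ':omschrijving'  => $post['omschrijving'] ?? '',   // no encoding before storage
        ':werkzaamheden' => $post['werkzaamheden'] ?? '',
        ':categorie'     => $post['categorie'] ?? '',
    ]);
    return (int) $pdo->lastInsertId();
}

// Constructed sample input standing in for $_POST
$post = [
    'naam'          => "Jan's project",   // this quote breaks the concatenated query
    'opdrachtgever' => 'Example BV',
    'omschrijving'  => '<li>hello</li>',
    'werkzaamheden' => '<li>design</li>',
    'categorie'     => '1',
];

$id = addProject($pdo, $post);
$stmt = $pdo->prepare('SELECT naam, omschrijving FROM projecten WHERE id = ?');
$stmt->execute([$id]);
$row = $stmt->fetch(PDO::FETCH_ASSOC);

// Compare the stored description with what was submitted
var_dump($row['omschrijving'] === $post['omschrijving']);
// Encoding belongs at output time, and only when the value is shown as text
echo htmlspecialchars($row['naam'], ENT_QUOTES, 'UTF-8'), PHP_EOL;
// What encoding before the INSERT would have put in the column instead
echo htmlspecialchars($post['omschrijving'], ENT_QUOTES, 'UTF-8'), PHP_EOL;
```

Rendering the stored markup as HTML rather than as text calls for an allow-list HTML sanitizer at output time, which this example does not cover.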