4

I am trying to create a mini CMS, where a user can create a new page and that page then becomes part of the menu. Is it smart to insert full pages into the database, or is there a better way to do so? Also I am having a bit of a problem with an a tag when I am inserting. Code for now:

For inserting page into db:

public function strana_insert()
    {
        $this->admin_login_check();
        $clear = $this->str->clean_request();

        // Double-quoted strings so PHP sees real line breaks; single-quoted '\n'
        // is the literal two characters backslash + n and would never match.
        $char   = array("\r\n", "\n");
        $strana = str_replace($char, '<br>', $clear['opis']);
        // Slug for the route: lower-cased title with spaces replaced by underscores.
        $kljucna_rec = str_replace(' ', '_', mb_convert_case($clear['naziv'], MB_CASE_LOWER, "UTF-8"));
        $data = array(
            'naziv'           => $clear['naziv'],
            // HTML-escaped after the SQL escaping done in clean_request(), so the
            // backslashes added there end up inside the stored page text.
            'strana'          => htmlspecialchars($strana, ENT_QUOTES, "UTF-8"),
            'kljucna_rec'     => $kljucna_rec,
            'datum_kreiranja' => date("Y-m-d H:i:s")
        );
        $this->str->save($data);
        $this->save_routes();
        redirect('admin');
    }

Code for clean_request function:

public function clean_request()
    {
        $clean = array();   // initialise so an empty POST returns an array, not null
        foreach ($_POST as $key => $value) :
            // Adds backslashes before quotes for SQL; needs an open mysql_* link
            // and the ext/mysql functions are removed in PHP 7.
            $clean[$key] = mysql_real_escape_string(trim($value));
        endforeach;

        return $clean;
    }

When I insert page with a tag I get following result:

<a href=\"http://www.example.com\" class=\"link_name\">www.example.com</a>

After updating the page, everything between *\ * is deleted. What is going on here?

2
  • What is your db field? varchar or text? Commented Feb 12, 2013 at 12:51
  • Don't use mysql_real_escape_string; use the framework's DB class with bindings (or Active Record). The backslashes could be the magic_quotes setting on your server; turn them off. Commented Feb 12, 2013 at 12:53

4 Answers

3

You can use CodeIgniter's active class to insert this OR use the following method.

Before inserting HTML data into the database, do this:

$html_for_db = addslashes($html_content); // backslash-escapes quotes and backslashes

and insert $html_for_db to database.

While displaying this content,

echo stripslashes($data_from_db); // stripslashes() undoes addslashes(); stripcslashes() pairs with addcslashes()

stripcslashes() - Un-quote string quoted with addcslashes

More info : http://php.net/manual/en/function.addslashes.php


2 Comments

Why! Why use addslashes? If you want to escape a string, it's wrong, especially since the framework provides better ways to do that natively. If you want to escape HTML, addslashes makes no sense.
@DamienPirsy, thanks for your valuable information; let me search and edit my answer.
3

It's because of the escape function! htmlspecialchars changes your code to just a simple string!

If you'd like to save it as HTML, you should save the code without escaping!

BTW, this isn't a smart way to create static pages. You may like to create a layout and simply let users put content in it ;)

5 Comments

This is the way I am doing it. The layout for the page is already set, but there is a need for a few tweaks (a class here and there, bold text and so on).
BTW, CodeIgniter escapes your code automatically for a safer query; resource: ellislab.com/codeigniter/user-guide/database/active_record.html
Simply do not escape the content.
Could you give me a hint about your database field?
Type of the field is longtext.
1

If you want to store HTML in your DB, I recommend using HTML Purifier to clean up your HTML code and also strip out unwanted HTML tags.

http://htmlpurifier.org/

There is also a helper which makes using HTML Purifier within CodeIgniter really easy: https://github.com/refringe/codeigniter-htmlpurifier

After you have cleaned your input string with HTML Purifier, you should use CodeIgniter's Active Record class to insert your data (http://ellislab.com/codeigniter/user-guide/database/active_record.html). This way the framework will do the escaping.


0

You have to prevent two types of attacks here: SQL injection and cross-site scripting. You considered both and used htmlspecialchars() against XSS and mysql_real_escape_string() against SQL injection.

But you used them in the wrong order. You first have to use htmlspecialchars, because that's the thing you want to store/output. To put it safely into the database you have to wrap it into its mysql_real_escape_string-ized presentation before storing it, or use parameter binding instead.

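An added example (not code from the question or any of the answers) that runs the question's own link snippet through the asker's escaping order and through parameter binding. It assumes PDO with the SQLite driver; addslashes() stands in for mysql_real_escape_string() (same backslash quoting, no DB link needed), and the table and column name "strana" follow the question.

```php
<?php
// Constructed input: the exact snippet the question reports as coming back
// with backslashes.
const PAGE_HTML = '<a href="http://www.example.com" class="link_name">www.example.com</a>';

// The question's order: SQL-escape first, then HTML-escape. The backslashes
// added for SQL become part of the HTML-escaped payload and are stored with it.
function escape_like_the_question(string $html): string {
    $sqlEscaped = addslashes(trim($html));                     // " becomes \"
    return htmlspecialchars($sqlEscaped, ENT_QUOTES, 'UTF-8');  // \" becomes \&quot;
}

// Saving an edited page sends the stored value through the same path again:
// the backslashes are doubled and the existing entities are encoded a second time.
function update_like_the_question(string $stored): string {
    return escape_like_the_question($stored);
}

// The approach the answers recommend: keep the (sanitised) HTML unchanged in the
// database and let the driver quote it via a bound parameter. HTML sanitising
// (e.g. HTML Purifier) is assumed to have run before this function is called.
function store_and_load_with_binding(string $html): string {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE strana (id INTEGER PRIMARY KEY, strana TEXT NOT NULL)');
    $ins = $db->prepare('INSERT INTO strana (strana) VALUES (:strana)');
    $ins->execute([':strana' => $html]);   // no addslashes, no manual quoting
    return $db->query('SELECT strana FROM strana WHERE id = 1')->fetchColumn();
}

$stored = escape_like_the_question(PAGE_HTML);
echo "stored by the question's code:\n$stored\n\n";
echo "after one update through the same path:\n", update_like_the_question($stored), "\n\n";

$roundTrip = store_and_load_with_binding(PAGE_HTML);
echo "round-tripped via bound parameter: ",
     ($roundTrip === PAGE_HTML ? 'identical to input' : 'changed'), "\n";

// Escaping is then a rendering decision made once, at output time:
//   echo $roundTrip;                                   -> render as HTML (after sanitising)
//   echo htmlspecialchars($roundTrip, ENT_QUOTES, 'UTF-8'); -> show the markup as text
```

Comparing the first two printed values shows why the backslashes appear and why they multiply on each edit; the bound-parameter round trip shows the stored page needs no escaping at all.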
