Hi, I've been working on this script that will let members update their messages in my database. Everything is working, but I came across what I think may be a problem. In the message text box I put this:

```php
echo "<meta http-equiv=\"refresh\" content=\"0\">\n";
```

and submitted it to the database, and when I went to view the message it keeps refreshing the page. Is there any way I can stop code from being uploaded and only let text through? Here is my code:

```php
$checkbox = $_POST['checkbox'];
$message  = stripslashes($_POST['message']);
$edit     = stripslashes($_POST['edit']);
if ($edit) {
    // $count was never defined in the posted code; loop over the checked ids instead
    for ($i = 0; $i < count($checkbox); $i++) {
        $edit_id = $checkbox[$i];
        // the submitted values are placed straight into the query and stored as-is
        $sql = "UPDATE message SET message='$message' WHERE id='$edit_id' And user='" . $_SESSION['id'] . "'";
        $result = mysql_query($sql, $conn)
            or die('Error in query:<br>' . $sql . '<br>' . mysql_error($conn) . '<br>Time of Error: ' . date("l F j, Y, G:i:s T"));
    }
    if ($result) {
        header("Location: index.php");
    }
}
mysql_close();
```
```php
$checkbox = $_POST['checkbox'];
$message  = stripslashes($_POST['message']);
$edit     = stripslashes($_POST['edit']);
if ($edit) {
    for ($i = 0; $i < count($checkbox); $i++) {
        $edit_id = $checkbox[$i];
        // escape each value before it is placed inside a quoted SQL literal
        $sql = "UPDATE message SET message='" . mysql_real_escape_string($message) . "'"
             . " WHERE id='" . mysql_real_escape_string($edit_id) . "'"
             . " And user='" . mysql_real_escape_string($_SESSION['id']) . "'";
        $result = mysql_query($sql, $conn)
            or die('Error in query:<br>' . $sql . '<br>' . mysql_error($conn) . '<br>Time of Error: ' . date("l F j, Y, G:i:s T"));
    }
    if ($result) {
        header("Location: index.php");
    }
}
mysql_close();
```

Have a look at the mysql_real_escape_string function: http://uk3.php.net/MYSQL_REAL_ESCAPE_STRING
strip_tags() is a great function for that. It will remove HTML and PHP tags from the string you provide. mysql_real_escape_string only escapes the string using backslashes before storing it in the database, whereas strip_tags will remove HTML and PHP completely.
Hi, so for strip_tags should I be changing this:

```php
mysql_real_escape_string($message)
```

to this:

```php
strip_tags($message)
```

and also this:

```php
$message = stripslashes($_POST['message']);
```

to this:

```php
$message = strip_tags(stripslashes($_POST['message']));
```

so my code will now look like the code I have posted below? New code with strip_tags:

```php
$checkbox = $_POST['checkbox'];
$message  = strip_tags(stripslashes($_POST['message']));
$edit     = strip_tags(stripslashes($_POST['edit']));
if ($edit) {
    for ($i = 0; $i < count($checkbox); $i++) {
        $edit_id = $checkbox[$i];
        // strip_tags applied in place of mysql_real_escape_string
        $sql = "UPDATE message SET message='" . strip_tags($message) . "'"
             . " WHERE id='" . strip_tags($edit_id) . "'"
             . " And user='" . strip_tags($_SESSION['id']) . "'";
        $result = mysql_query($sql, $conn)
            or die('Error in query:<br>' . $sql . '<br>' . mysql_error($conn) . '<br>Time of Error: ' . date("l F j, Y, G:i:s T"));
    }
    if ($result) {
        header("Location: index.php");
    }
}
mysql_close();
```
I would use mysql_real_escape_string(strip_tags()) on each post var to remove HTML and PHP tags, as well as help prevent SQL injection attacks. mysql_real_escape_string is mostly to help prevent SQL injection, although it's not the best option. If you really want to be vigilant against SQL injections, I'd use prepared statements via the MySQLi extension.
Hi, thanks for the reply kbduvall. Just one more question, if it's OK. So for the post var it would be like this:

```php
$message = mysql_real_escape_string(strip_tags($_POST['message']));
```

but what about the part for updating the database? Should I use mysql_real_escape_string(strip_tags()) or keep it as this: user='".$_SESSION[id]."'? The reason I'm asking is I have been reading a lot of posts and I've seen that they have been using it like option 1 below. Thanks.

OPTION 1:

```php
$sql = "UPDATE message SET message='$message' WHERE id='$edit_id' And user='" . $_SESSION['id'] . "'";
$result = mysql_query($sql, $conn)
    or die('Error in query:<br>' . $sql . '<br>' . mysql_error($conn) . '<br>Time of Error: ' . date("l F j, Y, G:i:s T"));
```

OR THIS, OPTION 2:

```php
$sql = "UPDATE message SET message='" . mysql_real_escape_string(strip_tags($message)) . "'"
     . " WHERE id='" . mysql_real_escape_string(strip_tags($edit_id)) . "'"
     . " And user='" . mysql_real_escape_string(strip_tags($_SESSION['id'])) . "'";
$result = mysql_query($sql, $conn)
    or die('Error in query:<br>' . $sql . '<br>' . mysql_error($conn) . '<br>Time of Error: ' . date("l F j, Y, G:i:s T"));
```
I would do something like the following:

```php
$checkbox = $_POST['checkbox'];
$message  = mysql_real_escape_string(strip_tags($_POST['message']));
$user     = mysql_real_escape_string($_SESSION['user']);
if ($_POST['edit'] !== '') {
    // braces added: without them only the assignment to $sql would repeat
    foreach ($checkbox as $edit_id) {
        $sql = "UPDATE message SET message = '{$message}'"
             . " WHERE id = '" . mysql_real_escape_string($edit_id) . "' AND user = '{$user}'";
        $result = mysql_query($sql, $conn)
            or die('Error in query:<br>' . $sql . '<br>' . mysql_error($conn) . '<br>Time of Error: ' . date("l F j, Y, G:i:s T"));
    }
    if ($result) {
        mysql_close();
        header("Location: index.php");
    } else {
        mysql_close();
    }
}
```

You only need to loop over the edit_id checkboxes if you're expecting more than one edit_id. If you're not, looping just uses unnecessary resources. If you're only expecting one, something like this may be better:

```php
$edit_id = mysql_real_escape_string($_POST['checkbox'][0]);
$message = mysql_real_escape_string(strip_tags($_POST['message']));
$user    = mysql_real_escape_string($_SESSION['user']);
if ($_POST['edit'] !== '') {
    $sql = "UPDATE message SET message = '{$message}' WHERE id = '{$edit_id}' AND user = '{$user}'";
    $result = mysql_query($sql, $conn)
        or die('Error in query:<br>' . $sql . '<br>' . mysql_error($conn) . '<br>Time of Error: ' . date("l F j, Y, G:i:s T"));
    if ($result) {
        mysql_close();
        header("Location: index.php");
    } else {
        mysql_close();
    }
}
```
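An added example, not code from any poster in this thread, of the prepared-statement approach kbduvall recommends, written for the MySQLi extension. It assumes $conn is a mysqli connection, the logged-in user's id is in $_SESSION['id'], and the form posts the same 'checkbox', 'message' and 'edit' fields as the original script; the htmlspecialchars call at display time is a further assumption about how the messages are shown.

```php
<?php
// Added example: kbduvall's UPDATE loop redone with a MySQLi prepared statement.
// Assumes $conn is a mysqli connection, $_SESSION['id'] holds the user's id, and
// the form posts 'checkbox' (array of ids), 'message' and 'edit' as in the thread.

function update_messages(mysqli $conn, int $user_id, array $ids, string $raw_message): int
{
    // Keep text only, as strip_tags was suggested above: a stored <meta> or
    // <script> tag is removed before it ever reaches the database.
    $message = strip_tags($raw_message);

    // Placeholders instead of string concatenation: values travel to MySQL
    // separately from the SQL text, so quotes in $message cannot alter the
    // query and no mysql_real_escape_string call is needed.
    $stmt = $conn->prepare('UPDATE message SET message = ? WHERE id = ? AND user = ?');
    if ($stmt === false) {
        throw new RuntimeException('prepare failed: ' . $conn->error);
    }
    $id = 0;
    $stmt->bind_param('sii', $message, $id, $user_id); // variables are bound by reference

    $updated = 0;
    foreach ($ids as $raw_id) {
        // Checkbox values must be whole numbers; skip anything else.
        if (!ctype_digit((string) $raw_id)) {
            continue;
        }
        $id = (int) $raw_id;              // picked up by execute() through the reference
        if (!$stmt->execute()) {
            throw new RuntimeException('execute failed: ' . $stmt->error);
        }
        $updated += $stmt->affected_rows; // 0 if no row with that id belongs to $user_id
    }
    $stmt->close();
    return $updated;
}

// On display, encode for HTML as well, so any remaining '<' or '&' is shown
// literally rather than interpreted by the browser.
function render_message(string $message): string
{
    return htmlspecialchars($message, ENT_QUOTES, 'UTF-8');
}

if (isset($_POST['edit'], $_POST['checkbox']) && $_POST['edit'] !== '') {
    update_messages($conn, (int) $_SESSION['id'], (array) $_POST['checkbox'], (string) ($_POST['message'] ?? ''));
    header('Location: index.php');
    exit;
}
```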