Inserting html code in a mysql table

2020-02-06 06:00发布

站内文章 / PHP

26 0

做自己的国王

女 | 书童

私信

可以将文章内容翻译成中文,广告屏蔽插件可能会导致该功能失效(如失效，请关闭广告屏蔽插件后再试):

问题:

I use joomla to manage a website... and i am developing a stand alone php application that will insert and modify data into the tables that are used by joomla to store the html of webpages that it dynamically creates...

The way it works is i use a joomla component to create content and the html code of these articles are stored in a field in a table, say content_table, by joomla.. This html code is later retrieved to construct a part of a webpage.

I want to do the same with my standalone app... i.e add the html code to the filed in content_table which can later be retrieved by joomla to construct the part of the page.

The problem is : The html code,naturally, of course, has a lot of single and double quotes and this pose a problem while inserting into the database.. I've tried mysql_escape_string() and still get syntax errors..

I can use addslashes() but since joomla itself retrieves the code later, it is not possible to use stripslashes() while retrieving it later....

Is there anyway i can add the html code the table's field...

Thanks for your suggestions...!!

Edit : After adding mysql_escape_string() i get

Error adding details. Reason : You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'fulltext = '\n

This is my query :

UPDATE $jos_content
SET    introtext = '$intro_code',
       fulltext  = '$article_code'
WHERE  id = '$article_id'";

The input string is as follows :

 $article_code = '<hr id="system-readmore" />
<center>{loadposition user50}</center>
<p style="text-align: center;">
<span style="color: rgb(0, 255, 255);">
<i>
<b>
<span style="font-size: x-large;">
<span style="font-family: Arial;">
&nbsp;
</span>
</span>
</b>
</i>
</span>
<span style="color: rgb(0, 255, 255);">
<i>
<b>
<span style="font-size: x-large;">
<span style="font-family: Arial;">
<?php echo $title; ?>
</span>
</span>
</b>
</i>
</span>
<span style="color: rgb(0, 255, 255);">
<i>
<b>
<span style="font-size: x-large;">
<span style="font-family: Arial;">
<br />
</span>
</span>
</b>
</i>
</span>
</p>
<p style="text-align: center;">
<img height="269" width="515" border="3" 
title="<?php echo $title; ?>" 
alt=" <?php echo $title; ?>"
src="<?php echo $article_image;?>"
</p> 
<p>
<span style="font-size: small;">
<span style="font-family: Arial;">
<span style="color: rgb(153, 204, 255);">
<p style="margin-top: 2px; margin-bottom: 2px; margin-left: 120px; text-align: left;">
<i> 
<span style="color: rgb(0, 255, 0);"> 
<strong>
Cast&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; :
</strong>
<b>
</b>
</span>
</i>
<span style="color: rgb(0, 255, 255);">
<b>
<?php echo $cast; ?>
</b>
</span>
<i>
<span style="color: rgb(0, 255, 255);">
<b>
<br />
</b>
</span>
</i>
<span style="font-family: Arial;">
<span style="font-size: small;">
<span style="color: rgb(153, 204, 255);">
</span>
</span>
<span style="color: rgb(0, 255, 0);">
<i>
<strong>
Direction&nbsp;&nbsp;&nbsp;
</strong>
</i>
<strong>
:
</strong>
<b>
</b>
</span>
<span style="color: rgb(0, 255, 255);">
<b>
<span class="href"
id="ctl00_ContentPlaceHolderMainContent_FormView1_Director">
<?php echo $director; ?>
</span>
</b>
</span>
</span>
<span style="font-family: Arial;">
<br />
<span style="color: rgb(0, 255, 0);">
<i>
<strong>
Production
</strong>
</i>
<strong>
:
</strong>
<b>
</b>
</span>
<span style="color: rgb(0, 255, 255);">
<b>
<?php echo $direction; ?>
</b>
</span>
<span style="color: rgb(255, 102, 0);">
<i>
<b>
<br />
</b>
</i>
</span>
<span style="font-family: Arial;">
<span style="color: rgb(0, 255, 0);">
<span style="font-family: Arial;">
<span style="font-size: small;">
<i>
<strong>
Music&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
</strong>
</i>
<strong>
:
</strong>
</span>
</span>
</span>
</span>
<span style="color: rgb(0, 255, 255);">
<b>
<i>
</i>
<?php echo $music; ?>
<i>
<br />
<span style="color: rgb(0, 255, 0);">
Lyrics&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
</span>
</i>
<span style="color: rgb(0, 255, 0);">
:
</span>
<i>
</i>
</b>
</span>
<span style="color: rgb(0, 255, 255);">
<b>
<?php echo $lyrics; ?>
</b>
</span>
<span style="color: rgb(0, 255, 255);">
<b>
<i>
<br />
</i>
<span style="color: rgb(0, 255, 0);">
<i>
Year&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
</i>
:
</span>
<?php echo $year; ?>
</b>
</span>
</span>
<i>
<span style="color: rgb(0, 255, 255);">
<b>
</b>
</span>
</i>
</p>
</span>
</span>
</span>
</p>
<p>
<left>
{loadposition user14}
&nbsp;
</left>
</p>
<div style="text-align: center;">
<p>
<i>
<span style="font-family: Arial;">
<b>
<span style="font-size: medium;">
<span style="color: rgb(51, 255, 255);">
Click
<img src="images/stories/Play button1.png"
alt="alt" />
in the Playlist to Download Songs
</span>
</span>
</b>
</span>
</i>
</p>
</div>
<table border="0" align="center">
<tbody>
<tr>
<td>
<h4 style="text-align: center;">
<i>
<span style="color: rgb(102, 255, 0);">
<b>
<b>
&nbsp;High Bandwidth Users
</b>
</b>
</span>
</i>
<i>
<span style="color: rgb(102, 255, 0);">
<b>
<b>
&nbsp;
</b>
</b>
</span>
</i>
<span style="color: rgb(102, 255, 0);">
<b>
</b>
</span>
</h4>
</td>
<td>
<h4 style="text-align: center;">
<i>
<span style="color: rgb(102, 255, 0);">
<b>
<b>
&nbsp;Low Bandwidth Users
</b>
</b>
</span>
</i>
<span style="color: rgb(102, 255, 0);">
<b>
<br />
</b>
</span>
</h4>
</td>
</tr>
<tr>
<td>
{auto width=&quot;235&quot; displayheight=&quot;0&quot; height=&quot;225&quot;} <?php echo $hqList; ?> {/auto}
</td>
<td>
{auto width=&quot;235&quot; displayheight=&quot;0&quot; height=&quot;225&quot;}<?php echo $lqList; ?>{/auto}
</td>
</tr>
</tbody>
</table>
<center>
{loadposition user50}
</center>';

回答1:

I prefer to convert code to ordinary string before inserting to database. I think, it's most safe scenario. Consider using this code:

$article_code = base64_encode($article_code);
/* insert to database */

So, when you want to use that code back, just decode using base64_decode. I suggest you to use 'text' data type for saving $article_code rather than 'varchar'.

回答2:

You should not need slashes. The only thing that will cause a problem during normal inserts is the quotes, and mysql_escape_string() should handle that excepting charset issues. Try mysql_real_escape_string() as well.

Also, note that storing raw user-supplied HTML in the database can lead to security issues. Consider using something like bbcode or markdown instead.

回答3:

This is the best way i found addslashes()

$article_code = addslashes($article_code);

UPDATE $jos_content
SET    introtext = '$intro_code',
       fulltext  = '$article_code'
WHERE  id = '$article_id'";

回答4:

Well..Debugged it.. Turns out the problem was after all not with the escaping function...

Check out the query :

UPDATE $jos_content
SET    introtext = '$intro_code',
       fulltext  = '$article_code'
WHERE  id = '$article_id'";

You can see the 'fulltext' field... Apparently, the word "fulltext" is a mysql keyword... To be precise,it's a field type like TEXT, INT, MEDIUMTEXT etc...

I changed the query to this

"UPDATE $jos_content
SET    $jos_content.introtext = '$intro_code',
       $jos_content.fulltext  = '$article_code'
WHERE  $jos_content.id = '$article_id'";

And voila...!!!!

回答5:

Just to confirm, your query looks like this right:

$query = '
    UPDATE "'.mysql_real_escape_string ($jos_content).'"
    SET    introtext = "'.mysql_real_escape_string ($intro_code).'",
           fulltext  = "'.mysql_real_escape_string ($article_code).'"
    WHERE  id = "'.mysql_real_escape_string ($article_id).'"
";

回答6:

fulltext is a mysql predefine keyword. Please use Acute(`) or single quote(')

Here is code -

UPDATE $jos_content
SET    `introtext` = '$intro_code',
       `fulltext`  = '$article_code'
WHERE  `id` = '$article_id'";

回答7:

I had the same problem, I fixed it with regular expressions. You can use something like this: $target = '{~p class={{q}}important-text{{q}}~}Some text here {~/p~}';

and then use the preg_replace() function:

class handle  
{ 
  public static function makehtml($target)   
  {
    $output = preg_replace("#{~#", "<", $target);
    $output = preg_replace("#~}#", ">", $target);
    $output = preg_replace("#{{q}}#", '"', $target);  
    return $output;
 }  
}  
echo handle::makehtml($target);
// output : <p class="important-text">Some text here</p>

回答8:

if you are worried about space and are using the base 64 encode method posted here you could use the gzdeflate command in php to cut it down then encode it. Here is a little test script on some generated sample characters. Obviously there are different compression methods to look into if you are concerned with size but this would mean you could put it into mysql minimising the size on the db. You could then read it back with gzinflate(base64_decode( ... ));

<?php
//generate sample chars for the example
function generateRandomString($length = 10000) {
    $characters = '01234"56/789abcdefghij:klmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ';
    $randomString = '';
    for ($i = 0; $i < $length; $i++) {
        $randomString .= $characters[rand(0, strlen($characters) - 1)];
    }
    return $randomString;
}
//

$string =generateRandomString();
echo 'string size:'.strlen($string);
$b64html = base64_encode($string);
echo '<br/>'.'Original base64 size:'.strlen($b64html);
$compressed = gzdeflate($string,  9);
echo '<br/>'.'compressed size:'.strlen($compressed);
echo '<br/>'.'base64 compressed size:'.strlen(base64_encode($compressed));
 /* insert into db the base64_encode($compressed); */
?>

回答9:

Calling the mysql_escape_string() function passing in the variable that holds the html text like:

mysql_escape_string($_POST["text"]);

will ensure that the special characters like quotes in the text will not cause a php error and the database will be updated successfully.

回答10:

insert html code into database

$title = $_POST['title'];
$code = '<h1>hello</h1></p>this html tage</p>';
$htmlcode = addslashes($code);

 $query = "INSERT INTO `template` (`title`,`code`) VALUES ('".$title."','".$htmlcode."');"; 
mysqli_query($con,$query);

after insert data into database show data in listing page

$result = mysqli_query($con,'SELECT * FROM template');                                  
while($row = mysqli_fetch_assoc($result)) {

 echo htmlentities($row['code']);

}
htmlentities($row['code']); //here your row name;