html notepad (help)

**Dormilich** · Dec 2 '09, 11:13 AM

I may look into the problem, if I knew what the update function does.

**sHyuAn** · Dec 2 '09, 11:19 AM

The below is the part for notepad that i inserted in php codes. Thanks for your kind help. :)

Code:

<?php
if(isset($_POST['pn_update']))
{
$db->query("UPDATE users SET user_notepad='{$_POST['pn_update']}' WHERE userid=$userid");
$ir['user_notepad']=stripslashes($_POST['pn_update']);
print "<br /><b>Memorandum Updated!</b>";
}
print "<fieldset style='border: 1px dashed #606060; width: 450px;'>
<legend align='center'><b>My Memorandum</b></legend><br /><form action='home.php' method='post'>
<textarea rows='15' cols='50' name='pn_update'>".htmlspecialchars($ir['user_notepad'])."</textarea><br />
<input type='submit' value='Update!' /></form></fieldset>";
?>

**Dormilich** · Dec 2 '09, 11:55 AM

on line 5 you strip the text of slashes (including the slashes for "\r\n" which then become "rn"). and think about your DB security, currently it’s unprotected against SQL Injection.

PS. am I right in the assumption that you use the Latin-1 charset for your website?

**sHyuAn** · Dec 2 '09, 12:09 PM

But if the stripslashes is not there, it will cause the same problem with those slashes like "Have a nice day\r\nHave a nice day". I am very new to web development. Learning through online. Hope to learn more by asking questions. And would you mind to brief me or gimme an example on how to secure the DB?

And, yeah you are right.. Latin1 is used.

**drhowarddrfine** · Dec 2 '09, 01:40 PM

In HTML, \r\n doesn't mean anything. Line breaks are generated using the html tag <br> instead.

**sHyuAn** · Dec 2 '09, 02:15 PM

To: Dormilich,

Can I use the below way to prevent injections?

Code:

$MailUser = sprintf("INSERT INTO mail VALUES ('', 0, 0, %u, unix_timestamp(), 'Forum Subscription', 'Please view your forum subscriptions, a new post has been made!')", $mail['userid']);

$db->query($MailUser);

**Markus** · Dec 2 '09, 02:32 PM

Originally posted by drhowarddrfine

In HTML, \r\n doesn't mean anything. Line breaks are generated using the html tag <br> instead.

However, in a textarea element these characters do represent a carriage-return and line-feed, no?

**Markus** · Dec 2 '09, 02:33 PM

Originally posted by sHyuAn

To: Dormilich,

Can I use the below way to prevent injections?

Code:

$MailUser = sprintf("INSERT INTO mail VALUES ('', 0, 0, %u, unix_timestamp(), 'Forum Subscription', 'Please view your forum subscriptions, a new post has been made!')", $mail['userid']);

$db->query($MailUser);

No. See this entry in the PHP.net documentation for SQL injection.

**sHyuAn** · Dec 2 '09, 02:56 PM

Thanks markus for pointing me to the site.. :)

**drhowarddrfine** · Dec 2 '09, 03:35 PM

I'm probably not paying attention cause I didn't know this was in a textarea so here's the docs on that.

html notepad (help)

html notepad (help)

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment