[RESOLVED] Problems posting content

always_confused

Hey everyone,

Im trying to use tinymce in a cms (homemade- php) to edit a pages content, However i can only seem to post 2 or 3 lines of content to the database, if i try and post anymore than this then it just doesnt update at all.

I know this isnt the best way to make a cms but its my first attempt

Anybody got any ideas

Cheers

dagon

no one could possibly help with out seeing the appropriate code.

always_confused

i just realised that sorry

Form code

 <?php
//import the database connection file
include("connect.php");
// Send the preloaded content to the function.
$request ='faqs';
$query = mysql_query( "SELECT * FROM contents WHERE page = '".$request."'");
//fetch the results of the $query and store them in $row
$row = mysql_fetch_array($query);

?>
<form name="update" action="updatefaq.php" method="post">
  <p>&nbsp;    </p>

<textarea name="elm1"><?php echo $row['content'];?></textarea>

  </script>
    <input name="submit" type="submit" value="Submit" />

</form>

The update code with sql error checking (unsure if its in the right place)

//import the database connection file
include("connect.php");

//The UPDATE query used ... this is used to CHANGE an existing record to the users table
$request ='faqs';

$sql= mysql_query("UPDATE contents SET content = '".$_POST['elm1']."' WHERE page =
'$request'"); 
if (!$sql)
  {
  die(mysql_error());
  }

echo "Thank you! Information updated.";
mysql_close($dbconnection);
?>

with the error checking in the second part it comes up with

You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'nonexistentdb' 1146: Table 'kossu.nonexistenttable' doesn't exist Se' at line 1

without the error checking it displays no error and continues to success page

dagon

at a minimum mysql_real_escape_string

always_confused

from my understanding this more of a security measure, would this actually solve the issue,

sorry for my ignorance im not very clued up on php or sql

dagon

are you saying it did not solve the problem when you tried it? Or that you just didn't both to try it?

bradgrafelman

User-supplied data should never be placed directly into a SQL query, else your code will be vulnerable to SQL injection attacks and/or just plain SQL errors.

So yes, properly escaping all user-supplied input is primarily a security concern, but no, it's not only a security concern.

always_confused

i know its not secure - but this is for admin access only my main concern is getting it working , then fixing security

always_confused

dagon;10955650 wrote:
are you saying it did not solve the problem when you tried it? Or that you just didn't both to try it?

yes i tried it but it didnt make a difference

bradgrafelman

always_confused;10955661 wrote:
my main concern is getting it working , then fixing security

As I said above, properly escaping all user-supplied data isn't just a security concern - it prevents errors as well.

Can you post a new copy of your code so we can see exactly how you modified it?

always_confused

Hey guys

got it fixed now, changed the update code to include:

	function filter($data) {
	$data = trim(htmlentities(strip_tags($data)));

if (get_magic_quotes_gpc())
	$data = stripslashes($data);

$data = mysql_real_escape_string($data);

return $data;
}
foreach($_POST as $key => $value) {
	$mydata[$key] = filter($value);
}

thanks for the advise