Codeigniter 2.1 - insert HTML page into database

I am trying to create a mini CMS where the user can create a new page and then that page becomes part of the menu. Does it know how to insert full pages into the database or is there a better way to do it? Also, I am having a little problem with the tag when I insert. The code at the moment:

Inserting a page into db:

public function strana_insert()
{
    $this->admin_login_check();
    $clear = $this->str->clean_request();   // every POST value has already been through mysql_real_escape_string()

    // Turn line breaks into <br> (double-quoted so "\n" is a real newline, not a literal backslash-n)
    $char   = array("\r\n", "\n");
    $strana = str_replace($char, '<br>', $clear['opis']);
    $kljucna_rec = str_replace(' ', '_', mb_convert_case($clear['naziv'], MB_CASE_LOWER, "UTF-8"));

    $data = array(
        'naziv'           => $clear['naziv'],
        'strana'          => htmlspecialchars($strana, ENT_QUOTES, "UTF-8"),
        'kljucna_rec'     => $kljucna_rec,
        'datum_kreiranja' => date("Y-m-d H:i:s")
    );
    $this->str->save($data);
    $this->save_routes();
    redirect('admin');
}


The code for the clean_request function:

public function clean_request()
{
    $clean = array();
    foreach ($_POST as $key => $value) :
        // SQL-escapes every value (requires an open mysql_* connection)
        $clean[$key] = mysql_real_escape_string(trim($value));
    endforeach;

    return $clean;
}


When I insert a page with a tag, I get the following result:

<a href=\"http://www.example.com\" class=\"link_name\">www.example.com</a>


After refreshing the page, everything between * \ * is removed. What's going on here?

+3


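To see where the stray backslashes come from, the following added example (not code from the question or from any of the answers) traces one constructed input through the three escaping layers the posted strana_insert()/clean_request() pipeline applies before the value reaches MySQL. mysql_real_escape_string() needs an open connection (and the mysql extension no longer exists in PHP 7), so the helper mysqlEscapeStandIn() is an assumption that reproduces only its character escaping; the input string is built from the link in the question.

```php
<?php
// Added example: traces what each escaping layer in the posted
// strana_insert()/clean_request() pipeline does to one constructed input.
// mysql_real_escape_string() needs an open MySQL connection (and the mysql
// extension is gone since PHP 7), so mysqlEscapeStandIn() below is an
// assumption that reproduces only its character escaping.

function mysqlEscapeStandIn(string $s): string
{
    // The characters mysql_real_escape_string() prefixes with a backslash.
    // strtr() with an array does not re-scan replaced text, so '\' -> '\\'
    // and '"' -> '\"' cannot interfere with each other.
    return strtr($s, array(
        "\x00" => '\\0',
        "\n"   => '\\n',
        "\r"   => '\\r',
        '\\'   => '\\\\',
        "'"    => "\\'",
        '"'    => '\\"',
        "\x1a" => '\\Z',
    ));
}

// Layer 1: clean_request() SQL-escapes the raw POST value.
// Layer 2: strana_insert() HTML-escapes that already-escaped string.
// Layer 3: the Active Record insert SQL-escapes the value a second time.
// MySQL undoes layer 3 when it parses the INSERT; layers 1 and 2 are stored.
// The view then decodes layer 2, and the layer-1 backslashes are what remain.
function traceLayers(string $html): array
{
    $layer1 = mysqlEscapeStandIn($html);
    $layer2 = htmlspecialchars($layer1, ENT_QUOTES, 'UTF-8');
    $layer3 = mysqlEscapeStandIn($layer2);
    // What MySQL keeps: every backslash in $layer3 was doubled by layer 3, and
    // this input has no newlines, so stripslashes() models the unescape exactly.
    $stored = stripslashes($layer3);
    $shown  = htmlspecialchars_decode($stored, ENT_QUOTES);
    return array(
        'raw POST value'         => $html,
        '1 clean_request()'      => $layer1,
        '2 htmlspecialchars()'   => $layer2,
        '3 Active Record escape' => $layer3,
        'stored in MySQL'        => $stored,
        'decoded on display'     => $shown,
    );
}

// Constructed input: the link from the question, as the editor typed it.
$input = '<a href="http://www.example.com" class="link_name">www.example.com</a>';
foreach (traceLayers($input) as $stage => $value) {
    printf("%-24s %s\n", $stage, $value);
}
```

The last stage is exactly the string the question reports: the backslashes were added by clean_request(), then protected from MySQL by htmlspecialchars() turning the quote after each of them into &quot;, so the database never had a chance to strip them. Only the escaping done for the query MySQL actually receives (layer 3) is undone; anything escaped earlier is stored as literal text.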


4 answers


You can use CodeIgniter's Active Record class to insert this, OR use the following method.

Before inserting HTML data into the database, do the following:

$html_for_db = addslashes($html_content);

and insert $html_for_db into the database.



When displaying this content:

echo stripcslashes($data_from_db);

stripcslashes() - un-quotes a string quoted with addcslashes()

More information: http://php.net/manual/en/function.addslashes.php

+2




This is because of the escape function htmlspecialchars()! Change your code to plain!

If you want to save it as HTML, you must save the code without escaping!

BTW, this is not a smart way to create static pages. You might want to create a layout and just let users insert content into it ;)

+2




If you want to store HTML in your DB, I recommend using HTMLPurifier to clean up your HTML code and also remove unnecessary HTML tags.

http://htmlpurifier.org/

There is also a helper that makes it easy to use HTMLPurifier in CodeIgniter: https://github.com/refringe/codeigniter-htmlpurifier

After you have cleaned the input string with HTMLPurifier, you must use CodeIgniter's Active Record class to insert your data ( http://ellislab.com/codeigniter/user-guide/database/active_record.html ), so the framework does the escaping.

+1




Here you need to prevent two types of attacks: SQL injection and cross-site scripting (XSS). You have considered both and used htmlspecialchars() for XSS and mysql_real_escape_string() for SQL injection.

But you used them in the wrong order. You need to use htmlspecialchars() first, because that's what you want to save / output. To add it to the database, you must convert it to its mysql_real_escape_string()-escaped form right before you save it, or use parameter binding.

0


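The parameter-binding route from the last answer, as an added example that is not from the question or from any of the answers. It uses PDO with an in-memory SQLite database so it runs on its own; in CodeIgniter 2, $this->db->insert() or $this->db->query() with ? placeholders takes the place of the prepared statement. The page body is stored as the HTML the asker wants to keep (so no htmlspecialchars() on that column, as the second answer says), and htmlspecialchars() is applied only to the plain-text title, at output time. Sanitizing the body with HTMLPurifier before insertPage(), as the third answer recommends, is the step that makes emitting stored HTML acceptable; it is not shown because the library is not part of this example. The table layout (from the question's column names), the helper names openDb, insertPage, loadPage and renderPage, and the sample values are assumptions.

```php
<?php
// Added example: store page HTML with parameter binding and escape per output
// context. PDO + in-memory SQLite stand in for CodeIgniter's Active Record so
// the script runs without the framework. Column names follow the question.

function openDb(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE strana (
        id INTEGER PRIMARY KEY,
        naziv TEXT, strana TEXT, kljucna_rec TEXT, datum_kreiranja TEXT)');
    return $db;
}

// Store the body exactly as submitted (after an allow-list sanitizer such as
// HTMLPurifier, not shown here): no addslashes(), no mysql_real_escape_string(),
// no htmlspecialchars(). The bound value never becomes part of the SQL text,
// so quotes and backslashes in it cannot alter the query.
function insertPage(PDO $db, string $naziv, string $html): int
{
    $kljucnaRec = str_replace(' ', '_', mb_strtolower($naziv, 'UTF-8'));
    $stmt = $db->prepare('INSERT INTO strana (naziv, strana, kljucna_rec, datum_kreiranja)
                          VALUES (:naziv, :strana, :kljucna_rec, :datum)');
    $stmt->execute(array(
        ':naziv'       => $naziv,
        ':strana'      => $html,
        ':kljucna_rec' => $kljucnaRec,
        ':datum'       => date('Y-m-d H:i:s'),
    ));
    return (int) $db->lastInsertId();
}

function loadPage(PDO $db, int $id): array
{
    $stmt = $db->prepare('SELECT naziv, strana FROM strana WHERE id = :id');
    $stmt->execute(array(':id' => $id));
    return $stmt->fetch(PDO::FETCH_ASSOC);
}

// Escaping is a rendering decision, made per context:
//  - the title is plain text, so it is HTML-escaped here;
//  - the body is HTML by design, so it is emitted as stored (which is why it
//    must have been sanitized on the way in).
function renderPage(array $row): string
{
    $title = htmlspecialchars($row['naziv'], ENT_QUOTES, 'UTF-8');
    return "<h1>{$title}</h1>\n<div class=\"strana\">{$row['strana']}</div>\n";
}

// Constructed sample values: a title with a quote and an ampersand, and the
// link from the question as the page body.
$db   = openDb();
$html = '<a href="http://www.example.com" class="link_name">www.example.com</a>';
$id   = insertPage($db, "O'Reilly & co.", $html);
$row  = loadPage($db, $id);

echo 'round trip unchanged: ', var_export($row['strana'] === $html, true), "\n";
echo renderPage($row);
```

The comparison line is the check the original pipeline fails: with binding and no pre-escaping, what comes back from the database is byte-for-byte what went in, and the quote and ampersand in the title show up in the rendered output only as entities, while the body's tags are intact.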