Alpha-Omega Posted April 12, 2008 Share Posted April 12, 2008

Ok. I am trying to achieve this: a personal notepad, much like the one you can find in "my controls". The idea is to keep the page's PHP down to 1. I have this code:

<?php
// Notepad code
$sql = mysql_query("SELECT notepad FROM users WHERE username = '$username'");
$notepad = mysql_result($sql, 0);
if (isset($_REQUEST['notepad'])) {
    $note = $_REQUEST['notepad'];
    $sql = mysql_query("UPDATE users SET notepad = '$note' WHERE username = '$username'")
        or die("Could not insert data because " . mysql_error());
}
?>

And the form just below is this:

<form action="hoix.php" method="post">
<textarea name="notepad" cols="75" rows="10" class="notepad"><?php print_r($notepad); ?></textarea>
<input name="update" type="submit" value="Update">
</form>

The page name is hoix.php for both codes. The PHP code is above the form code. My database has a notepad column, varchar(255), with a default set to "I would keep notes if i were you...", so when I first access the page, I see that text displayed just about fine. When I type anything to change it, however, it gets inserted into the database, but it's delayed. What I mean is that if I were, for example, to write "I am updating my notepad", it would still display "I would keep notes if i were you..." -even- though in the database the "I am updating my notepad" value is inserted. Then if I were to hit update again without changing anything, I would see on the next page "I am updating my notepad", but the value in the database has changed to "I would keep notes if i were you...", which was the text in the form at that time. Any ideas?

EDIT: I've noticed that this code has some security flaws. When HTML is inserted in the notepad, I see it taking effect in the refreshed page. How may I go about making the notepad secure, so that inserted HTML code does not do anything?

EDIT2: hehe, I struggle for much time and when I decide to post it's when I find my solution.
I changed the code order (first the isset, then the SELECT query) and it gets updated properly now. The matter of the HTML tags on the notepad affecting the page is still bugging me, though. Maybe JavaScript injections can be done too. PHP code isn't working, so at least I am secure in that. What to do to prevent the others, though?
Synook Posted April 12, 2008 Share Posted April 12, 2008

PHP code isn't working, so at least i am secure in that. What to do to prevent the others, though?

htmlspecialchars() the submitted text. That converts all HTML special characters to their entities.
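A hardened version of the hoix.php handler from the question, combining the reordering described in EDIT2 with the htmlspecialchars() escaping suggested here, as an added example (not code from either poster). It assumes a PDO connection in $pdo and the logged-in user's name in $username, both set earlier in the page; the text is escaped when it is printed rather than before it is stored, so the database keeps the raw note.

```php
<?php
// Added example: hardened notepad handler for hoix.php.
// Assumes $pdo (a PDO connection with ERRMODE_EXCEPTION enabled) and
// $username (the logged-in user) are set earlier in the page.

// 1. Handle the update FIRST, so the SELECT below reads the new value
//    (the ordering fix from EDIT2). Use POST only, not $_REQUEST.
if ($_SERVER['REQUEST_METHOD'] === 'POST' && isset($_POST['notepad'])) {
    // Column is varchar(255): truncate explicitly instead of letting
    // MySQL do it silently.
    $note = mb_substr((string) $_POST['notepad'], 0, 255);
    // Prepared statement: the note is bound as data, never spliced into
    // the SQL string the way '$note' was in the original query.
    $stmt = $pdo->prepare('UPDATE users SET notepad = :note WHERE username = :user');
    $stmt->execute([':note' => $note, ':user' => $username]);
}

// 2. Read back the stored note (empty string if the user has no row).
$stmt = $pdo->prepare('SELECT notepad FROM users WHERE username = :user');
$stmt->execute([':user' => $username]);
$notepad = (string) $stmt->fetchColumn();

// 3. Escape on output. < > & " ' become entities, so a stored "<script>"
//    tag is displayed as text inside the textarea instead of being parsed
//    as markup when the page is rendered.
$safe = htmlspecialchars($notepad, ENT_QUOTES, 'UTF-8');
?>
<form action="hoix.php" method="post">
<textarea name="notepad" cols="75" rows="10" class="notepad"><?php echo $safe; ?></textarea>
<input name="update" type="submit" value="Update">
</form>
```

Because the stored value is left unescaped, the same htmlspecialchars() call must be applied everywhere the note is printed, not just in this textarea.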
jlhaslip Posted April 13, 2008 Share Posted April 13, 2008

Why the Request method instead of GET or POST?
Alpha-Omega Posted April 13, 2008 Author Share Posted April 13, 2008

It's on POST now. I was just not sure that the entire script would work properly. I wanted to derive as many errors as possible in case it wouldn't work, and then focus on the proper use of the code.
This topic is now archived and is closed to further replies.