
PHP

htmlspecialchars(), htmlentities(), or mysqli_real_escape_string() is my issue somewhere in my code.

Okay, I need help with my code. It's an issue with one of three things: htmlspecialchars(), htmlentities(), or mysqli_real_escape_string(). I have come to notice that the code that runs all this is working, but the way that it is input into the database and the way that it is queried from the database is the problem. I don't know what is causing this issue. I think I might be escaping at the wrong time, or there is a double escape somewhere. I have looked and looked, but I am lost. Please help.

This code right here is the PHP code that is entering the typed information into the database:

<?php 
include '../../core/init.php'; 
members_only();
include '../../includes/overall/header.php'; 

if(isset($_POST["post_type"])) {
    $post_type = $_POST['post_type'];
    $post_body = $_POST['post_body'];
    $post_body = nl2br(htmlentities($post_body));
    $forum_section_id = (int)$_POST['fsID'];
    $forum_section_title = htmlentities($_POST['fsTitle']);
    $member_id = (int)$_POST['uid'];
    $post_author = $_POST['username'];
    $post_title = preg_replace('#[^A-Za-z0-9 ?!.,]#i', '',$_POST['post_title']);

    if ($post_type == "a") {
        if ($post_title == "") {
            echo 'Your Title is missing';
        }
        if (strlen($post_title) < 10) {
            echo 'The Title needs to be at least 10 characters';
        }
        if (strlen($post_body) < 2) {
            echo 'Your body needs to be at lease 2 characters';
        }
        $sql = "INSERT INTO forum_post (post_author, post_author_id, date_time, type, section_title, section_id, thread_title, post_body) VALUES ('$post_author', '$member_id', CURRENT_TIMESTAMP, 'a', '$forum_section_title', '$forum_section_id', '$post_title', '$post_body')";
        $query = mysqli_query($mysqli, $sql) or die(mysqli_error($mysqli));
        $this_id = mysqli_insert_id($mysqli);
        $sql = "UPDATE forum_post SET otid = '$this_id' WHERE id = '$this_id'";
        $query = mysqli_query($mysqli, $sql) or die(mysqli_error($mysqli));
        echo "post_success";
        exit();
    }
}
if (isset($_GET['id']) && isset($_GET['title'])) {
    $section_id = $_GET['id'];
    $section_title = $_GET['title'];
} else {
    header('Location: message.php?msg=Stop messing with the urls');
}
?>

Well, at this point everything went into the database the right way: nl2br put in the <br> tags, and everything looks good.

This is the information that was typed in:

This is a test

Please Help me

The database shows this

This is a test<br >
<br >
Please Help me

Okay so far so good.

Here is the code that is pulling the information from the database to the website. I think this is where the issue is:

<?php 
include '../../core/init.php'; 
members_only();
include '../../includes/overall/header.php'; 

$myAgoObject = new convertToAgo;

//Get the Id from the URL
$thread_id = (int)$_GET['id'];

//Checking to make sure the thread id exists
$query = mysqli_query($mysqli, "SELECT * FROM forum_post WHERE id = '$thread_id' AND type = 'a' LIMIT 1");
$numRows = mysqli_num_rows($query);

if ($numRows < 1) {
    $errors[] = 'That Thread does not exist. Stop playing with the URL\'s';
    exit();
} else {
    $sql = "UPDATE forum_post SET view_count = view_count + 1 WHERE id = $thread_id";
    $upcount = mysqli_query($mysqli, $sql);
}

//Setting all varibles
while ($row = mysqli_fetch_array($query)) {
    $post_author = $row['post_author'];
    $post_author_id = $row['post_author_id'];
    $date_time = $row['date_time'];
    $date_time = strftime('%b %d, %Y', strtotime($date_time));
    $section_title = $row['section_title'];
    $section_id = $row['section_id'];
    $thread_title = $row['thread_title'];
    $post_body = mysqli_real_escape_string($mysqli, $row['post_body']);
}

// now query an responses out of the database
$all_responses = '';
$query = mysqli_query($mysqli, "SELECT * FROM `forum_post` WHERE `otid` = '$thread_id' AND `type` = 'b'");
$numRows = mysqli_num_rows($query);
if($numRows < 1) {
    $all_responses = '<div class="alert alert-info text-center" role="alert">No one has respond to this post! You can be the first to post.<br></div>';
}else {
    while ($row = mysqli_fetch_array($query)) {
        $reply_author = $row['post_author'];
        $reply_author_id = $row['post_author_id'];
        $date_n_time = $row['date_time'];
        $converted_time = ($myAgoObject -> convert_datetime($date_n_time));
        $whenReply = ($myAgoObject -> makeAgo($converted_time));
        $reply_body = mysqli_real_escape_string($mysqli, $row['post_body']);
        $avaquery = mysqli_query($mysqli, "SELECT * FROM users WHERE username = '$reply_author' AND activated = '1'");
        $userRow = mysqli_fetch_array($avaquery);
        $userLevel = $userRow["userlevel"];
        $signup = $userRow["signup"];
        $signup = strftime("%b %d, %Y", strtotime($signup));
        $lastLogin = $userRow["lastlogin"];
        $lastLogin = strftime("%b %d, %Y", strtotime($lastLogin));
        $avatar = $userRow["avatar"];
        $country = $userRow["country"];
        $post_author_avatar = '<img src="/user/' . $reply_author . '/' . $avatar . '" alt="' . $reply_author . '" class="user_pic">';
        if($avatar == NULL){
            $post_author_avatar = '<img src="/img/avatardefault.gif" alt="' . $reply_author . '" class="user_pic">';
        }
        $all_responses .= '<tr>';
        $all_responses .=   '<td class="td-user">';
        $all_responses .=       '<div class="forum-user-info">';
        $all_responses .=           '<a href="/' . $reply_author . '">' . $reply_author . '</a><br>' . $post_author_avatar . '<br>';
        $all_responses .=           'Access: ' . $userLevel . '<br>';
        $all_responses .=           'Joined: ' . $signup . '<br>';
        $all_responses .=           'Last Logged: ' . $lastLogin . '<br>';
        $all_responses .=       '</div>';
        $all_responses .=   '</td>';
        $all_responses .=   '<td class="td-reply">';
        $all_responses .=       '<div class="forum-reply">';
        $all_responses .=           $reply_body;
        $all_responses .=       '</div>';
        $all_responses .=       '<div class="forum-posted">';
        $all_responses .=           'Posted: ' . $whenReply;
        $all_responses .=       '</div>';
        $all_responses .=       '<div class="forum-reply-control clearfix">';
        $all_responses .=           'Like &bull; &nbsp;';
        $all_responses .=           'Edit &bull; &nbsp;';
        $all_responses .=           'Delete';
        $all_responses .=       '</div>';
        $all_responses .=   '</td>';
        $all_responses .= '</tr>';
    }
}

$editPostbtn = '<button class="btn btn-primary btn-lg" data-toggle="modal" data-target="#editPost">Edit</button>';
?>

This is the information that is being echoed to the screen:

This is a test
/n
/nPlease Help me

1 Answer

Hi Andrew,

I think you just need to get rid of the mysqli_real_escape_string on the output.

Jeff
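The script below is an added example written for this page; it is not the poster's code or the answerer's. It reproduces the symptom from the question (the stray "\n" on screen) and then shows the storage/rendering split that avoids it: bound parameters for every value that goes into SQL, and htmlspecialchars() followed by nl2br() at the point where a value is written into HTML. Because mysqli_real_escape_string() needs a live MySQL link, the block uses a small stand-in function that applies the same documented transformation (NUL, newline, carriage return, backslash, quotes and Control-Z get a backslash prefix), and it uses PDO with the bundled SQLite driver so it runs without a MySQL server; the table layout, the sample post text and the author name are constructed for the example.

```php
<?php
// Added example, not the poster's code. Assumes PHP 7.4+ with pdo_sqlite.

// Stand-in for mysqli_real_escape_string(), which requires a MySQL link.
// Same documented behaviour: each of these characters gets a backslash prefix.
function mysql_style_escape(string $s): string {
    return strtr($s, [
        "\0" => '\\0', "\n" => '\\n', "\r" => '\\r',
        '\\' => '\\\\', "'" => "\\'", '"' => '\\"', "\x1a" => '\\Z',
    ]);
}

// Constructed sample input, mirroring the two-line post in the question.
$typed = "This is a test\n\nPlease Help me";

// 1. The question's pipeline: HTML-encode on the way in, SQL-escape on the way out.
$stored_as_posted   = nl2br(htmlentities($typed));   // "This is a test<br />\n<br />\nPlease Help me"
$rendered_as_posted = mysql_style_escape($stored_as_posted);
// SQL escaping on output turns each real newline into the two characters "\n",
// which is the stray "\n" the poster sees on screen. SQL escaping belongs to
// the query, never to the page.

// 2. Corrected split: parameterised SQL for storage, HTML escaping at render time.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE forum_post (id INTEGER PRIMARY KEY, post_author TEXT, thread_title TEXT, post_body TEXT)');

function save_post(PDO $pdo, string $author, string $title, string $body): int {
    // Bound parameters keep data and SQL separate, so no escaping function is
    // needed for any of these values and the raw text is what gets stored.
    $stmt = $pdo->prepare('INSERT INTO forum_post (post_author, thread_title, post_body) VALUES (:a, :t, :b)');
    $stmt->execute([':a' => $author, ':t' => $title, ':b' => $body]);
    return (int) $pdo->lastInsertId();
}

function render_post(PDO $pdo, int $id): string {
    $stmt = $pdo->prepare('SELECT post_author, thread_title, post_body FROM forum_post WHERE id = :id');
    $stmt->execute([':id' => $id]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return '';
    }
    // Escape every field for the context it lands in (HTML), then add <br>.
    // nl2br runs after escaping so its tags survive and user-supplied tags do not.
    $e = fn(string $s): string => htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<h2>' . $e($row['thread_title']) . '</h2>'
         . '<p class="author">' . $e($row['post_author']) . '</p>'
         . '<div class="post-body">' . nl2br($e($row['post_body'])) . '</div>';
}

// Constructed author name with a quote and a body with markup: the quote does
// nothing to the INSERT, and the <script> tag comes back as visible text.
$id   = save_post($pdo, "o'brien", 'A title of ten chars', $typed . "\n<script>alert(1)</script>");
$html = render_post($pdo, $id);

echo "Stored (poster's way):   " . $stored_as_posted . "\n";
echo "Rendered (poster's way): " . $rendered_as_posted . "\n\n";
echo "Rendered (corrected):\n" . $html . "\n";
```

Run it with `php example.php`. The first two lines reproduce the question: the stored value is fine, and the "\n" only appears once mysql_style_escape() runs over it on the way out. The corrected half also covers the values the posted code concatenates straight into SQL ($post_author from $_POST['username'], and $reply_author in the users lookup): with bound parameters they need no escaping at all, and the one escaping step left is htmlspecialchars() at the point of output, applied to every field that reaches the page, not just the body.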