Please start any new threads on our new site at https://forums.sqlteam.com. We've got lots of great SQL Server experts to answer whatever question you can come up with.

 All Forums
 General SQL Server Forums
 New to SQL Server Programming
 str_replace not working escaping "

Author  Topic 

Inky1231
Starting Member

1 Post
Posted - 2014-05-21 : 15:02:37
Not exactly a newbie but not an expert either.
I need some assistance with this I know it has to do with escaping the quotes but nothing I have tried works!
I am using RTE with a php based form to insert an image (url) into the form field. When the image is "inserted" it shows but once the form gets submitted it does not show the image on the page. When I go back in and look at the code that is pulled from the database I see this 

<img src="& quot;http://www.dacc.edu/stunews/images/TopPrize1.jpg& quot;" height="& quot;814& quot;" width="& quot;610& quot;">


every subsequent submission adds more of the & quot; but does not remove the "

here is the code... any help would be appreciated. I am racking my brains on this I have tried many different str_replace and preg_replace but nothing seems to work.

  <?php

    $phpself = $_SERVER['PHP_SELF'];

    ?>

    <html>
    <head>

    </head>
    <body>
    <?php

    include ("../../sqllogin.php");

    $id = "";
    $cmd = "";

    if ($_GET) {

	if(isset($_GET['id'])) {
		$id = $_GET['id'];
	}
	
	if(isset($_GET['cmd']))
	{
		$cmd = $_GET['cmd'];
	}
    }




    # If there is no release ID specified, show the list of releases.
    if ($id == "") {
	main("");
        exit;
    }

    # We have a release ID.
    # If there is no command, assume edit.
    if ($cmd == "") {

	if ($id > 0) {

		$sqlquery = "SELECT * FROM releases WHERE id = '$id'";
		$result = mssql_query($sqlquery);
		$number = mssql_num_rows($result);

		if ($number == 0) {
			print "<html><body>";
			print "No release with the ID $id exists.";
			print "</body></html>";
			exit;
		}

		$i = 0;
		$title = mssql_result($result,$i,"title");
		$date = mssql_result($result,$i,"date");
		$text = mssql_result($result,$i,"text");

	}




	if ($id == 0) {
		$date = date("Y-m-d");
		$title = "";
		$text = "";
	}

	print "<html><head><title>DACC news release - $id</title>";

	print "<script language=\"JavaScript\" type=\"text/javascript\" src=\"/rte/richtext.js\"></script>";

	print "</head><body>\n";

	?>
                
	<script language="JavaScript" type="text/javascript">
	<!--    
	initRTE("/rte/images/", "/rte/", "");
	//-->   

	function submitForm() {
	   updateRTEs();
	   document.edit-release.submit();
	   return false;
	}

	</script>


<?php
$date = date("Y-m-d");

print "<a href=\"$phpself\">Back to the news release list</a>";

print "<form name=\"edit-release\" method=\"post\" action=\"$phpself?id=$id&cmd=write\" onSubmit=\"return submitForm()\">\n";
?>


<script language="JavaScript" type="text/javascript">

</script>
<?PHP
print "<B>Title:</B><BR>";
print "<INPUT TYPE=\"text\" NAME=\"title\" SIZE=50 MAXLENGTH=50 VALUE=\"$title\"><p>\n";

print "<B>Date:</B><BR>";
print "<INPUT TYPE=\"text\" NAME=\"date\" SIZE=10 MAXLENGTH=10 VALUE=\"$date\"><p>\n";



print "<B>Text:</B><BR>";
$text = RTESafe("$text");
//$title = RTESafe("$title");
?>

<script language="JavaScript" type="text/javascript">
<!--
//Usage: writeRichText(fieldname, html, width, height, buttons)
writeRichText('text', '<?php print $text; ?>', 720, 200, true, false);
//-->
</script>

<?php

print "<p><input type=submit value=\"Update\" name=\"submit\">\n";

print "</form>\n";

print "<p><a href=./>Cancel changes to this release</a><p>";

print "<a href=\"javascript://\" onclick=\"confirm_delete($id); return false\">Delete this release</a><p>";

print "</body></html>";

exit;

}

function tohtml ($x) {

$x = preg_replace("/'/","#146;",$x);
$x = preg_replace("/\"/","#34;",$x);
return $x;
}




# Write this release to the database.
if ($cmd == "write") {

$PHP_AUTH_USER = $_SERVER['PHP_AUTH_USER'];

//Reference tohtml function to remove wrong characters.
$title = tohtml($_POST['title']);
$text = tohtml($_POST['text']);
//$title = $_POST['title'];
//$text = $_POST['text'];
$date = $_POST['date'];

# Remove XML tags (for compatility with older browsers).
# $text = preg_replace("/<?xml.*\/>/i"," ",$text);

# If the ID number is 0, then this is a new entry to be inserted.
# Otherwise, it's an update for an existing entry.
if ($id > 0) {
$query = "UPDATE [releases] SET title='$title',text='$text',date='$date', timestamp=getdate() WHERE id='$id'";
} else {
//Updated incorrect SQL insert statement.
//$query = "INSERT INTO releases SET title='$title',text='$text',date='$date'";
$query = "INSERT INTO [releases] (title, text, date, timestamp) VALUES ('$title','$text','$date', getdate())";
}

# For debugging:
//print "Query: <xmp>$query</xmp><p>";

$result = mssql_query($query);

if ($result == 1) {
main("News release $id has been updated.");
} else {
main("Record was not updated ($result).\n");
}

}

# Delete an entry.
if ($cmd == "delete") {

$PHP_AUTH_USER = $_SERVER['PHP_AUTH_USER'];

$query = "DELETE FROM [releases] WHERE id='$id'";
$result = mssql_query($query);

# For debugging:
//print "Query: <xmp>$query</xmp><p>";

if ($result == 1) {
main("News release $id has been deleted.");
} else {
main("Record was not deleted ($result).\n");
}

}

function RTESafe($strText) {
//returns safe code for preloading in the RTE
$tmpString = trim($strText);

//convert all types of single quotes
$tmpString = str_replace(chr(145), chr(39), $tmpString);
$tmpString = str_replace(chr(146), chr(39), $tmpString);
$tmpString = str_replace("/'/", "#39;", $tmpString);
$tmpString = str_replace("/'/", "#39;", $tmpString);
//strip apos-ES
$tmpString = preg_replace("/'/","#146;",$tmpString);

//convert all types of double quotes
$tmpString = str_replace(chr(147), chr(39), $tmpString);
$tmpString = str_replace(chr(148), chr(39), $tmpString);




$tmpString = str_replace(chr(10), "", $tmpString);
$tmpString = str_replace(chr(13), "", $tmpString);

return $tmpString;
}

function main($message) {

$phpself = $_SERVER['PHP_SELF'];

//$sqlquery = "SELECT id,title,date,DATE_FORMAT(timestamp, '%Y/%m/%d %H:%i:%S') as modified FROM releases ORDER BY id DESC";
//$sqlquery = "SELECT id,title,date,CONVERT(VARCHAR(10), timestamp, 101) AS modified FROM releases ORDER BY id DESC";
//$sqlquery = "SELECT id,title,date,modified = CONVERT(VARCHAR(10), timestamp, 101) FROM releases ORDER BY id DESC";
$sqlquery = "SELECT id,title,date,modified = timestamp FROM releases ORDER BY id DESC";

$result = mssql_query($sqlquery);
$number = mssql_num_rows($result);

print "<b>News releases</b><p>\n";

print "<font color=red>$message</font><p>";

if ($number == 0) {
print "<html><body>";
print "No news releases found.";
print "</body></html>";
exit;
}

print "Select a release title to edit that release (with an option to delete it).<p>\n";
print "<a href=$phpself?id=0>Create a new release</a><p>";

print "<form>";

print "<table border=1><tr><th>ID</th><th>Title</th><th>Date</th><th>Last modified</th> </tr>\n";

$i = 0;
while ($number > $i) {

$id = mssql_result($result,$i,"id");
$title = mssql_result($result,$i,"title");
if ($title == "") {
$title = "(untitled)";
}
$date = mssql_result($result,$i,"date");
$modified = mssql_result($result,$i,"modified");


$date = strtotime($date);
$date = date("Y-m-d", $date);


print "<tr>";
print "<td>$id</td>";
print "<td><a href=$phpself?id=$id>$title</a></td>";
print "<td>$date</td>";
print "<td>$modified</td>\n";
print "</tr>\n";
$i++;
}

print "</table>";
print "</form>";
print "</body>";
print "</html>";

}

?>
   

Subscribe to SQLTeam.com

SQLTeam.com Articles via RSS

SQLTeam.com Weblog via RSS

- Advertisement -

Resources

Articles

Forums

Blogs

Contact Us

About the Site