user data text formatting textarea

NeilsPHP

9:47 pm on Sep 25, 2008 (gmt 0)

I am wondering how to use PHP to make a 'textarea' type of user data entry box where the user will have options to format text, just like Word (color text, hyperlink, font, copy, paste, etc.).
I want the user to have the flexibility to format their own data before submitting.
Thanks

cameraman

10:04 pm on Sep 25, 2008 (gmt 0)

That's a job for JavaScript. There are several already written out there, TinyMCE and FCKeditor to name a couple.

dreamcatcher

6:14 am on Sep 26, 2008 (gmt 0)

Google for 'Rich Text Editor'.

dc

NeilsPHP

5:31 pm on Sep 27, 2008 (gmt 0)

Thanks for the reply. I tried FCKeditor and it does the job. But is it safe to use these editors for site users or developers? FCKeditor returns plain text when I try to sanitize the post data using htmlspecialchars and stripslashes. Any other ways to sanitize data to avoid XSS attacks etc. using these editors?

cameraman

6:23 pm on Sep 27, 2008 (gmt 0)

You can undo the htmlspecialchars with htmlspecialchars_decode when you want to display it. You could also just base64_encode it for storage and decode it to display. That will increase the storage requirements, but it's definitely database-safe.

NeilsPHP

5:38 am on Oct 5, 2008 (gmt 0)

Really appreciate it. Thanks.

NeilsPHP

6:05 am on Oct 5, 2008 (gmt 0)

Oh, I just found out that both htmlspecialchars_decode and base64 encoding/decoding work, but I still lose the formatting in the display, which I want, using FCKeditor. Anything I am doing wrong?

cameraman

5:42 pm on Oct 5, 2008 (gmt 0)

Use get_magic_quotes_gpc() in the script to see if PHP is escaping the content before you get hold of it. If so, either turn it off if you can, or use stripslashes() on the content.

NeilsPHP

3:43 pm on Oct 8, 2008 (gmt 0)

I am sorry for getting a little confused. Do I add stripslashes before entering data into MySQL or before using it out of the DB?
(tried both but no satisfactory results)
I am using this function before putting data into MySQL using POST.
But when I am trying to recover the HTML-formatted data, it's returning plain text.


function cleaner($data)
{
    $data = trim($data);                     // strip surrounding whitespace
    $data = stripslashes($data);             // undo the backslashes magic_quotes_gpc adds
    $data = strip_tags($data);               // removes ALL HTML, including the editor's formatting tags
    $data = rtrim($data);                    // redundant after trim() above
    $data = ltrim($data);                    // redundant after trim() above
    $data = htmlspecialchars($data);         // encodes < > & " so any remaining markup displays literally
    $data = mysql_real_escape_string($data); // SQL escaping for the old mysql_* extension; needs an open connection
    return $data;
}

any suggestions ?

dreamcatcher

5:30 pm on Oct 8, 2008 (gmt 0)

Yes, before, as you are doing. But you only need to use it if magic quotes are on:

$data = (get_magic_quotes_gpc() ? stripslashes($data) : $data);

dc

NeilsPHP

2:16 am on Oct 9, 2008 (gmt 0)

I tried that way, but I'm still getting plain text. Then I started to comment out each instruction one by one, and found out that nothing BUT strip_tags is the one causing it. In other words, I can leave everything else the way it is and comment out as below, and I get the HTML data as entered in the form using FCKeditor.

function cleaner($data)
{
    $data = trim($data);
    // stripslashes() only when PHP itself added the backslashes; an extra
    // unconditional stripslashes() before this line would strip a second time
    $data = (get_magic_quotes_gpc() ? stripslashes($data) : $data);
    // $data = strip_tags($data);            // commented out: this is the line that was removing the editor's HTML
    $data = rtrim($data);
    $data = ltrim($data);
    $data = htmlspecialchars($data);         // the stored HTML is entity-encoded, and decoded again for display
    $data = mysql_real_escape_string($data);
    return $data;
}

But my question: can I LEAVE it like this? Any security holes? Any preventive measures I can take?
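The thread stops at that question. With strip_tags() gone, what reaches the database is the editor's raw HTML, entity-encoded by htmlspecialchars() and decoded again (htmlspecialchars_decode or base64_decode, as suggested earlier) before it is echoed, so any <script> element or onclick=/onerror= attribute a user typed into FCKeditor is executed in every other visitor's browser. Escaping and stripping are the wrong tools for rich text: the safe pattern is an allow-list sanitizer that parses the HTML, keeps only known-harmless tags and attributes, and checks URL schemes on links, applied once on input and never undone. The following is an added example, not code from the thread, from FCKeditor, or from any library; it assumes PHP 7.0 or later with ext/dom, and the tag, attribute and scheme lists are this example's choice. The sample input is constructed, and the PDO line is a placeholder for wherever the storage happens.

```php
<?php
// Added example (not from the thread): allow-list HTML sanitizer for rich-text
// input, built on ext/dom. Assumes PHP >= 7.0. Lists below are illustrative.

const ALLOWED_TAGS = ['p', 'br', 'b', 'strong', 'i', 'em', 'u', 'ul', 'ol', 'li',
                      'h1', 'h2', 'h3', 'blockquote', 'a', 'span'];
// Attributes permitted per tag; everything else (style, class, on* handlers) is dropped.
const ALLOWED_ATTRS = ['a' => ['href', 'title']];
// URL schemes permitted in href; javascript:, data:, vbscript: are therefore rejected.
const ALLOWED_SCHEMES = ['http', 'https', 'mailto'];
// Tags whose whole subtree is dropped instead of being unwrapped.
const DROP_WITH_CONTENT = ['script', 'style', 'iframe', 'object', 'embed', 'noscript'];

function is_safe_url(string $url): bool
{
    // Browsers ignore control characters and whitespace inside a scheme
    // ("java\tscript:"), so remove them before inspecting it. Character
    // references such as &#106;avascript: were already decoded by the DOM parser.
    $stripped = preg_replace('/[\x00-\x20]+/', '', $url);
    if (!preg_match('/^([a-z][a-z0-9+.\-]*):/i', $stripped, $m)) {
        return true; // no scheme at all: a relative URL, acceptable
    }
    return in_array(strtolower($m[1]), ALLOWED_SCHEMES, true);
}

function sanitize_children(DOMNode $parent): void
{
    // Snapshot the list first: removing and unwrapping mutate childNodes.
    foreach (iterator_to_array($parent->childNodes, false) as $child) {
        if ($child instanceof DOMText) {
            continue; // text nodes are entity-encoded again by saveHTML()
        }
        if (!$child instanceof DOMElement) {
            $parent->removeChild($child); // comments, processing instructions
            continue;
        }
        $tag = strtolower($child->tagName);
        if (in_array($tag, DROP_WITH_CONTENT, true)) {
            $parent->removeChild($child);
            continue;
        }
        if (!in_array($tag, ALLOWED_TAGS, true)) {
            // Unknown tag: keep its (sanitized) children, discard the element itself.
            sanitize_children($child);
            while ($child->firstChild !== null) {
                $parent->insertBefore($child->firstChild, $child);
            }
            $parent->removeChild($child);
            continue;
        }
        $keep = ALLOWED_ATTRS[$tag] ?? [];
        foreach (iterator_to_array($child->attributes, false) as $attr) {
            $name = strtolower($attr->name);
            if (!in_array($name, $keep, true)
                || ($name === 'href' && !is_safe_url($attr->value))) {
                $child->removeAttribute($attr->name);
            }
        }
        sanitize_children($child);
    }
}

function sanitize_rich_text(string $html): string
{
    $doc = new DOMDocument();
    libxml_use_internal_errors(true); // editor output is rarely well-formed XHTML
    $doc->loadHTML('<html><head><meta http-equiv="Content-Type" content="text/html; charset=utf-8">'
                 . '</head><body>' . $html . '</body></html>');
    libxml_clear_errors();

    $body = $doc->getElementsByTagName('body')->item(0);
    sanitize_children($body);

    $out = '';
    foreach ($body->childNodes as $node) {
        $out .= $doc->saveHTML($node);
    }
    return $out;
}

// Constructed sample input: the kind of markup an attacker pastes into the editor.
$submitted = '<p onclick="alert(1)">Hello <b>world</b></p>'
    . '<script>alert(document.cookie)</script>'
    . '<a href="java&#09;script:alert(1)">click</a>'
    . '<a href="https://example.com/" title="ok">fine</a>'
    . '<img src="x" onerror="alert(1)">'
    . '<div style="color:red">unwrapped</div>';
$clean = sanitize_rich_text($submitted);

// Storage: a parametrised query instead of mysql_real_escape_string(); DSN and
// table name are placeholders for this example.
// $pdo = new PDO('mysql:host=localhost;dbname=app;charset=utf8mb4', $user, $pass);
// $pdo->prepare('INSERT INTO posts (body) VALUES (?)')->execute([$clean]);

// Output: $clean is already safe HTML, so it is echoed as-is, not through htmlspecialchars().
echo $clean, "\n";
```

On that input the <script> element and the onclick=/onerror= attributes disappear, the javascript: link keeps its text but loses its href while the https: link survives with href and title, and the <div> is unwrapped to its text. Three design points matter more than the lists themselves: the sanitizer works on a parsed DOM rather than on the string, so entity-encoded and whitespace-padded payloads are seen in the form the browser will see them; URL checking is applied to every kept href, not just on output; and SQL escaping is left to prepared statements instead of being mixed into the same "cleaner" function as HTML handling. For production use, the long-maintained HTML Purifier library does this job with a far more complete allow list, and a page that must render untrusted HTML should also send a Content-Security-Policy header as a second layer.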