Hello.

The essence of the question: in the admin panel I need to make a field, <textarea name="js_field">, in which the administrator will add arbitrary JS code (for example, the Yandex.Metrica code, a slider, etc.). This code should be saved to a MySQL table so that it can be output through a PHP variable in the template.

The problem is that when I write free text or HTML in this field, it is added normally. But when I write JS code there, nothing is added.

Here is an example of the code I'm trying to insert:

    $('#myCarousel').carousel({ interval: 40000 });
    $('.carousel .item').each(function() {
        var next = $(this).next();
        if (!next.length) {
            next = $(this).siblings(':first');
        }
        next.children(':first-child').clone().appendTo($(this));
        if (next.next().length > 0) {
            next.next().children(':first-child').clone().appendTo($(this)).addClass('rightest');
        } else {
            $(this).siblings(':first').children(':first-child').clone().appendTo($(this));
        }
    });

What is the problem? Are there invalid characters here, or what? Thanks.

UPD: Although if I insert this code into the cell directly via phpMyAdmin, everything works fine...

  • Show the code you are using to insert it into the database. - Yaant
  • @Yaant via POST I pass the value to a handler that makes a request like UPDATE cms_adm SET title='$title', js_code='$js_code', ... etc. ... - Alexandros

3 answers

Greetings. If the backend is in PHP, then escape the special characters of your string with the addslashes function.

Or, even better, mysql_real_escape_string.

  • That's right, thank you)) live and learn... mysql_real_escape_string helped - Alexandros
  • You're welcome, feel free to ask) - Alexey Samara

You can also use this method:

    <?php
    $jscode = "here your jscode";
    // ENT_QUOTES converts both double and single quotes to entities
    $encode_js = htmlentities($jscode, ENT_QUOTES);

This converts all special characters in your code to HTML entities, and ENT_QUOTES is used so that XSS is not possible and your application is safe.

If you want to decode the string back (the reverse operation), use html_entity_decode(). You can read more here: http://php.net/manual/ru/function.htmlentities.php#99896

    Do not use mysql_real_escape_string. Warning: This extension is deprecated as of PHP 5.5.0 and was removed in PHP 7.0.0. Use MySQLi or PDO_MySQL instead. Alternatives for this function:

    mysqli_real_escape_string() - escapes special characters in a string for use in an SQL statement, taking into account the current character set of the connection.

    PDO::quote() - places quotes around the input string (if required) and escapes special characters within the input string, using a quoting style appropriate to the underlying driver.
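For reference, here is the UPDATE from the question rewritten with a PDO prepared statement, which is the PDO_MySQL alternative this answer points to. This is an added example, not code from any of the answers; the table and column names come from the question, while the DSN and credentials are placeholders. The single quotes in the snippet (e.g. '#myCarousel') are sent as bound data rather than spliced into the SQL text, so they can no longer terminate the string literal and make the query silently do nothing.

```php
<?php
// Added example: PDO prepared statement for the admin "js_field" update.
// Assumes table cms_adm with columns id, title, js_code (from the question).
// DSN, user and password below are placeholders.

$pdo = new PDO(
    'mysql:host=localhost;dbname=cms;charset=utf8mb4', // placeholder DSN
    'dbuser',                                          // placeholder user
    'dbpass',                                          // placeholder password
    [
        // Throw on SQL errors instead of failing silently ("nothing is added").
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        // Use real server-side prepares so values are never merged into SQL text.
        PDO::ATTR_EMULATE_PREPARES => false,
    ]
);

/**
 * Store the administrator's JS snippet as opaque text.
 * No addslashes/htmlentities: quoting is delegated to the driver via placeholders.
 * Returns the number of rows the UPDATE affected.
 */
function saveJsField(PDO $pdo, int $id, string $title, string $jsCode): int
{
    $stmt = $pdo->prepare(
        'UPDATE cms_adm SET title = :title, js_code = :js_code WHERE id = :id'
    );
    $stmt->execute([
        ':title'   => $title,
        ':js_code' => $jsCode,
        ':id'      => $id,
    ]);
    return $stmt->rowCount();
}

// The first line of the snippet from the question; its single quotes are exactly
// what broke the string-concatenated query.
$js = <<<'JS'
$('#myCarousel').carousel({ interval: 40000 });
JS;

// In the real handler $id/$title/$js would come from the POSTed form
// ($_POST['js_field']); constructed values are used here so the script runs stand-alone.
$rows = saveJsField($pdo, 1, 'Main page', $js);
echo "updated rows: {$rows}\n";
```

Because the value is stored verbatim, it should be output into the template inside a <script> block as-is; running it through htmlentities at storage time would turn the quotes into entities and break the script when rendered.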