PHP/HTML File Editor Problems

Discussion in 'Web Design and Development' started by geekindisguise, Jan 14, 2009.

  1. geekindisguise macrumors 6502

    geekindisguise

    Joined:
    Jul 22, 2008
    Location:
    Oklahoma
    #1
    I have a problem with my PHP file editor.
    I made it for friends to be able to edit their sites that I host, but
    one friend's site shows coding for people to learn and when he is editing that page it interferes with the PHP Coding of the editor. The editor uses a Textarea that inserts the file contents into it, and the page that is having problems editing has a textarea which closes the PHP editor's textarea.
    Because of this me and my friend changed his page to use HTML code to show HTML code. Like the brackets and such. But that then shows up in the editor as brackets so then when you save it, the page executes the code.

    This probably isn't very clear, and I don't know what to do!
    Tell me if you need the coding for anything. :eek:
     
  2. SrWebDeveloper macrumors 68000

    SrWebDeveloper

    Joined:
    Dec 7, 2007
    Location:
    Alexandria, VA, USA
    #2
    I barely understood. If my advice below doesn't help then I'll need to see an example of what you're talking about including the editor code to be sure, but I have an educated guess:

    Quite simply, use the htmlspecialchars() function to convert the code to its HTML entities when passing between the opening and closing textarea tags.

    Example:

    Let's say we have a string which happens to contain both PHP code and some HTML to create a textarea tag, like this:

    PHP:
    $code="\$foobar=\"<textarea>...test...</textarea>\";";
    You can see how passing $code to a real textarea tag for editing will cause problems due to the PHP and textarea tags being there getting parsed and screwing up your editor?

    SOLUTION: You would pass $code to a real textarea tag for editing as follows:

    PHP:
    print "<textarea>".htmlspecialchars($code,ENT_QUOTES)."</textarea>";
    This converts certain special characters in $code to their HTML entities ( i.e. "<" becomes &lt; and ">" becomes &gt; among other changes including all quotes ) so the real textarea tag works properly for editing.

    Note:
    It's up to you if you want to use html_entity_decode() in PHP4 or htmlspecialchars_decode() in PHP5 after the form is submitted to convert those characters back before saving to a database or whatever. But that's one of the reasons these two PHP functions exist, for situations like this.

    If I am wrong about all this, then, well... nevermind! heh :)

    -jim
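
The two symptoms from the first post (the editor's textarea being closed early, and entity-encoded code turning back into live tags on save) can be reproduced and compared against the htmlspecialchars() fix with the added example below, which is not code from anyone in the thread. The file content and the helper names render_raw, render_escaped and browser_submits are constructed for illustration, and browser_submits is only a simplified model of how a browser parses a textarea.

```php
<?php
// Constructed sample: a page that shows HTML to readers via entities and
// also contains a literal closing textarea tag.
$file = "<p>Use &lt;textarea&gt; for multi-line input.</p>\n</textarea><p>after</p>";

// Editor markup as described in the first post: file contents inserted raw.
function render_raw(string $content): string {
    return '<textarea name="body">' . $content . '</textarea>';
}

// Editor markup with htmlspecialchars() applied to the file contents.
function render_escaped(string $content): string {
    return '<textarea name="body">'
         . htmlspecialchars($content, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8')
         . '</textarea>';
}

// Simplified model of the browser (an assumption of this example): the
// textarea ends at the first closing tag, and character references inside
// it are decoded once before the value is displayed and submitted.
function browser_submits(string $html): string {
    $start = strpos($html, '>') + 1;
    $end   = stripos($html, '</textarea', $start);
    $inner = substr($html, $start, $end - $start);
    return html_entity_decode($inner, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

$raw     = browser_submits(render_raw($file));
$escaped = browser_submits(render_escaped($file));

// Raw insertion: content is cut at the embedded </textarea> and the
// &lt;textarea&gt; entities come back as a real tag.
echo "raw round trip intact:     ", var_export($raw === $file, true), "\n";
echo "raw value submitted:       ", json_encode($raw), "\n";

// Escaped insertion: '&' is encoded too, so entities in the file survive
// and the submitted value matches the file contents.
echo "escaped round trip intact: ", var_export($escaped === $file, true), "\n";
```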
     
  3. angelwatt Moderator emeritus

    angelwatt

    Joined:
    Aug 16, 2005
    Location:
    USA
    #3
    I agree with SrWebDeveloper that this is likely the issue at hand, given the description. You should definitely become really familiar with the htmlspecialchars function and the like as they help you keep things safe for the site. I'm sure you trust your friends not to do anything malicious with their access, but if a hacker got a hold of a page like you have set up that isn't using these types of functions they could insert malicious code onto the sites. They could potentially take over databases, host illegal media, turn the server into a zombie, and tons of other things. And it may take you months before you even realize the server has been compromised. I highly recommend you read up on PHP security and the like because you could find yourself in a world of hurt if you continue to code the way you are doing. It can get ugly and you can become legally responsible for what happens through your site.

    Just a friendly warning.
     
