View Full Version : Storing Javascript into MYSQL


adbox
07-11-07, 12:37 PM
I have created a field within a registration form that gives the option to include a JavaScript insert particular to a webstat program I have designed.
I would like the form to input the JavaScript particular to the user into the database, so it may be called in the background from a template.

What should I set the database column to be to hold the JavaScript?
I have created it as VARCHAR(255) and it holds regular text, but I imagine the JavaScript will be larger than 255 characters, and when I input a small piece of HTML such as "br" the database does not hold the entry. Instead it seems to cancel out whatever was stored in the database before and leave it blank when I refresh to look at the form again.

Is this a problem with the field type?

What do you recommend?

evilghost
07-11-07, 01:21 PM
1) Show us the form/database submission code.
2) What type of DBServer? MSSQL, MySQL?
3) Are you escaping the SQL input?
4) With a name like adbox I can only imagine you're serving banner-ads. True or False?

Basically, you've given us very little information.

ViN86
07-11-07, 02:21 PM
you could use a Text field. it will hold 65536 characters. make sure you escape the string (like ghost said) and seriously, please post more info like your DB (again like ghost said).

adbox
07-11-07, 02:34 PM
you could use a Text field. it will hold 65536 characters. make sure you escape the string (like ghost said) and seriously, please post more info like your DB (again like ghost said).


I am trying to store JavaScript code in a MySQL database.

I do not know what you mean by escaping the SQL.

/**
* Build the sql query.
*/

$sql = "INSERT into sql_restaurants set

user_id = '$this->user_id',
restaurant_name = '$this->restaurant_name',
restaurant_address1 = '$this->restaurant_address1',
restaurant_address2 = '$this->restaurant_address2',
restaurant_zip = '$this->restaurant_zip',
restaurant_phone = '$this->restaurant_phone',
restaurant_category = '$this->restaurant_category',
opening_hours = '$this->opening_hours',
eat_in = '$this->eat_in',
take_out = '$this->take_out',
we_deliver = '$this->we_deliver',
website = '$this->website',
goodstats = '$this->goodstats',
restaurant_reg_date = NOW(),
restaurant_status = '0'";


The column that I am working with is 'goodstats', and it is a webstat program that I have designed. I did not write it myself; I outsourced it to a good PHP programmer. Now I want to integrate it into another program I designed called eatphp.

I do not serve banner ads. I do not even know how you can serve ads. Adbox is short for adistantbox; it has been my handle a long time.

evilghost
07-11-07, 02:41 PM
Your Javascript likely contains ' (single tick) and as a result it's getting munged in your SQL because you're using the single tick. You need to escape the input so single tick is interpreted as part of the query data itself and not the actual query construct.

mysql_real_escape_string() should do the trick and hopefully fix your issues, http://us.php.net/manual/en/function.mysql-real-escape-string.php

goodstats = '".mysql_real_escape_string($this->goodstats)."'

Also, don't use varchar, use BLOB, MEDIUMBLOB, or TINYBLOB.

evilghost
07-11-07, 02:43 PM
I do not serve banner ads. I do not even know how you can serve ads. Adbox is short for adistantbox; it has been my handle a long time.

No problem, you're newly registered, and this is your only post. I didn't want to help a possible spammer. Welcome to NVNews, glad to have you here.

adbox
07-11-07, 02:53 PM
No problem, you're newly registered, and this is your only post. I didn't want to help a possible spammer. Welcome to NVNews, glad to have you here.

Thanks, happy to find good help here, thanks for your time too.


I edited the PHP to include the escape string, and I'm sure that step is a must, but I still cannot get the database to hold anything with carets.

<munkey> will clear the entry and the form reloads blank.

The goodstats column is blob now.

evilghost
07-11-07, 03:01 PM
I really need to see the PHP/Form code, it could be that the values are being correctly written to the database (can you verify with mysql?) and that when you echo/include the code it's being rendered by the browser.

If you want to PM me the site I'll take a look and work with you. I can even get on IRC (freenode.net) if you want.

It's hard for me to see what's happening behind the scenes. The mysql_real_escape_string() is a must, and BLOB supports 2^16 (65535 char), so I think we're moving in the right direction.

adbox
07-11-07, 03:01 PM
This is code from the main PHP file that handles the form editing process. All the code below is the code that involves the 'goodstats' column.

/**
* Sanitize the posted values.
*/
$restaurant_name = Sanitize::data($_POST['restaurant_name'], "string");
$restaurant_address1 = Sanitize::data($_POST['restaurant_address1'], "string");
$restaurant_address2 = Sanitize::data($_POST['restaurant_address2'], "string");
$restaurant_zip = Sanitize::data($_POST['restaurant_zip'], "integer");
$restaurant_phone = Sanitize::data($_POST['restaurant_phone'], "string");
$restaurant_category = Sanitize::data($_POST['restaurant_category'], "integer");
$opening_hours = Sanitize::data($_POST['opening_hours'], "string");
$eat_in = Sanitize::data($_POST['eat_in'], "integer");
$take_out = Sanitize::data($_POST['take_out'], "integer");
$we_deliver = Sanitize::data($_POST['we_deliver'], "integer");
$website = Sanitize::data($_POST['website'], "string");
$goodstats = Sanitize::data($_POST['goodstats'], "string");

/**
* Set the object properties.
*/
$restaurant_obj->setMember("user_id", $_SESSION['logged_user_id']);
$restaurant_obj->setMember("restaurant_name", $restaurant_name);
$restaurant_obj->setMember("restaurant_address1", $restaurant_address1);
$restaurant_obj->setMember("restaurant_address2", $restaurant_address2);
$restaurant_obj->setMember("restaurant_zip", $restaurant_zip);
$restaurant_obj->setMember("restaurant_phone", $restaurant_phone);
$restaurant_obj->setMember("restaurant_category", $restaurant_category);
$restaurant_obj->setMember("opening_hours", $opening_hours);
$restaurant_obj->setMember("eat_in", $eat_in);
$restaurant_obj->setMember("take_out", $take_out);
$restaurant_obj->setMember("we_deliver", $we_deliver);
$restaurant_obj->setMember("website", $website);
$restaurant_obj->setMember("goodstats", $goodstats);

/**
 * Try to add the new restaurant to the database.
 */
if($restaurant_obj->edit($error_message)){
    /**
     * Redirect the user to the "thank you" page.
     */
    header("location: company_restaurants.php?id=".$_SESSION['logged_user_id']);
    exit;
}
} // closes the enclosing form-submission block, which is not shown in this excerpt
$restaurant_name = isset($restaurant_name) ? $restaurant_name : $restaurant_obj->restaurant_name;
$restaurant_address1 = isset($restaurant_address1) ? $restaurant_address1 : $restaurant_obj->restaurant_address1;
$restaurant_address2 = isset($restaurant_address2) ? $restaurant_address2 : $restaurant_obj->restaurant_address2;
$restaurant_zip = isset($restaurant_zip) ? $restaurant_zip : $restaurant_obj->restaurant_zip;
$restaurant_phone = isset($restaurant_phone) ? $restaurant_phone : $restaurant_obj->restaurant_phone;
$restaurant_category = isset($restaurant_category) ? $restaurant_category : $restaurant_obj->restaurant_category;
$opening_hours = isset($opening_hours) ? $opening_hours : $restaurant_obj->opening_hours;
$eat_in = isset($eat_in) ? $eat_in : $restaurant_obj->eat_in;
$take_out = isset($take_out) ? $take_out : $restaurant_obj->take_out;
$website = isset($website) ? $website : $restaurant_obj->website;
$goodstats = isset($goodstats) ? $goodstats : $restaurant_obj->goodstats;

evilghost
07-11-07, 03:05 PM
Is your Sanitize::data class stripping the HTML entities?

adbox
07-11-07, 03:13 PM
I need to find the Sanitize data whatever and see what it does. I'm going to try removing the line completely and see if it works. brb

adbox
07-11-07, 03:17 PM
Whooo! success! It holds the information now.

Thank you a lot for your help.

evilghost
07-11-07, 03:17 PM
I wouldn't sanitize JavaScript, it's code, treat it as code. Escape it using mysql_real_escape_data() so the DB will accept it as code, you should then be able to echo it out of the db result set and have it be processed correctly. I think your data sanitization (as string) is removing invalid 'string' characters.
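
A worked version of both points made in this thread, the escaping advice in evilghost's earlier post and the "it's code, treat it as code, don't sanitize it" advice just above, as an added example that is not code from the original posts or from the eatphp/goodstats programs. It assumes only the `sql_restaurants` table and `goodstats` column named in the thread; the tracker snippet is constructed for the demo, and it runs against an in-memory SQLite database through PDO so it works offline (with a "mysql:host=...;dbname=..." DSN the same PDO calls run against the MySQL table). The function referred to above is mysql_real_escape_string(); it does the job when applied to every interpolated value on a connection whose character set has been set, but the mysql_* extension was removed in PHP 7, and a prepared statement removes the need to hand-escape at all. One caveat the thread does not raise: a snippet supplied by one registrant and emitted raw into pages is script executing in visitors' browsers, which is stored cross-site scripting by construction, so render it only on pages that account controls and treat anyone who can write that column as able to run script there.

```php
<?php
// Added example for this thread, not code from the original posts.
// Assumptions: a table `sql_restaurants` with an integer `user_id` and a
// TEXT column `goodstats` (names taken from the thread); the tracker snippet
// below is constructed for the demo. An in-memory SQLite database is used
// through PDO so the script runs offline; with a MySQL DSN the same PDO
// calls run against the real table.

declare(strict_types=1);

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE sql_restaurants (
    id        INTEGER PRIMARY KEY,
    user_id   INTEGER NOT NULL,
    goodstats TEXT
)');

// Constructed snippet: single quotes, angle brackets and newlines, i.e. every
// character class the original form was losing.
$goodstats = "<script type='text/javascript'>\n"
           . "  var stats_id = 'restaurant-42';\n"
           . "</script>";

// 1. The thread's original approach: interpolate the value into the SQL text.
//    The first single quote inside the snippet closes the string literal, the
//    rest is parsed as SQL, and the statement is rejected.
$broken = "INSERT INTO sql_restaurants (user_id, goodstats) VALUES (1, '$goodstats')";
try {
    $pdo->exec($broken);
    echo "unexpected: string-built INSERT was accepted\n";
} catch (PDOException $e) {
    echo "string-built INSERT rejected: " . $e->getMessage() . "\n";
}

// 2. Prepared statement: the value travels as a parameter, never as SQL text,
//    so no quote, bracket or backslash in it can alter the query. No input
//    "sanitizing" is needed (or wanted) for a column that is meant to hold code.
function save_goodstats(PDO $pdo, int $userId, string $js): void
{
    $stmt = $pdo->prepare(
        'INSERT INTO sql_restaurants (user_id, goodstats) VALUES (:uid, :js)'
    );
    $stmt->execute([':uid' => $userId, ':js' => $js]);
}

function load_goodstats(PDO $pdo, int $userId): ?string
{
    $stmt = $pdo->prepare('SELECT goodstats FROM sql_restaurants WHERE user_id = :uid');
    $stmt->execute([':uid' => $userId]);
    $value = $stmt->fetchColumn();
    return $value === false ? null : (string) $value;
}

save_goodstats($pdo, 1, $goodstats);
$stored = load_goodstats($pdo, 1);
echo 'stored unchanged: ' . var_export($stored === $goodstats, true) . "\n";

// 3. Output side. Encoding happens at the boundary where the value is used:
//    ordinary fields are HTML-encoded so a restaurant name cannot inject
//    markup, while the snippet is emitted raw because it is meant to execute.
function html_text(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

echo '<h1>' . html_text("Joe's <Grill>") . "</h1>\n";   // user text, markup-safe
echo $stored . "\n";                                     // the tracker, as code
```

Run it with `php example.php`: the string-built INSERT fails with a syntax error, and the prepared one stores the snippet byte-for-byte. For the MySQL column, TEXT or MEDIUMTEXT is the better fit than BLOB: TEXT and BLOB hold the same 65,535 bytes at the base size, but TEXT carries a character set, whereas BLOB is raw bytes and is compared and sorted bytewise.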

evilghost
07-11-07, 03:18 PM
Whooo! success! It holds the information now.

Thank you a lot for your help.

Sweet, glad to help. Stick around, these forums are fun.

ViN86
07-12-07, 07:04 AM
Sweet, glad to help. Stick around, these forums are fun.
:werd:

glad to hear you got it workin adbox ;)