0

I want to save HTML code into a MySQL database. There is no problem when I save it, but I have a field that I want to put a value into.

<input type="text" size="18" value="$user" />

When I retrieve it from the database and send it to the browser, the value of the text field is not the value of the $user variable.

Here is my PHP code to save:

function SaveHTML(){
    global $cn;
    $content=mysql_real_escape_string( $_POST["html"],$cn);
    $url=mysql_real_escape_string("http://www.google.com/",$cn);
    mysql_query("Insert into HTML(content,URL) values('$content','$url')");
}
2
  • 3
    Don't use mysql_query by concatenating SQL code with data read from the network. That is a hotbed for SQL injections. Use prepare instead: php.net/manual/de/pdo.prepared-statements.php Commented May 8, 2011 at 19:20
  • You should use prepared statements (PHP PDO) instead of mysql_real_escape_string. php.net/manual/en/book.pdo.php. EDIT: dang, got me by 29 seconds, I'll leave the PDO link up for reference. Commented May 8, 2011 at 19:21

4 Answers

3

You have to echo the value to display it:

<input type="text" size="18" value="<?php echo htmlspecialchars($user, ENT_QUOTES, 'UTF-8'); ?>" />

As you can see, I also used htmlspecialchars() to protect against XSS attacks.

Also, please don't use mysql_* functions for new code. They are no longer maintained and the community has begun the deprecation process. See the red box? Instead you should learn about prepared statements and use either PDO or MySQLi. If you can't decide, this article will help to choose. If you care to learn, here is a good PDO tutorial.

Another thing I notice is that you are using the global keyword. It would be better to inject the connection as a parameter in the function:

function SaveHTML($cn){
    $content=mysql_real_escape_string( $_POST["html"],$cn);
    $url=mysql_real_escape_string("http://www.google.com/",$cn);
    // pass the injected connection explicitly instead of relying on the last opened link
    mysql_query("Insert into HTML(content,URL) values('$content','$url')", $cn);
}

Edit (Death):

What I wanted is the following:

Assume you have a variable $user and a piece of HTML code like below:

$html = <<<'Death'
<input type="text" size="18" value="$user" />
Death;

Now, if I save this variable ($html) to a database and in another page I send this HTML to the user, what should I do so that $user in the HTML code has the value of $user on the second page?

Answer: I saved the string (as it is) to the database and then used the eval() function to replace $user with its value!

EDIT PeeHaa

Note that in most cases it is considered bad practice to have HTML in your database (unless you). I'm also not that happy with the eval() stuff (which is always bad practice).


1

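You can use personal tags and, after reading from the database, replace that tag with the PHP variable, like this:

$html = '<input type="text" class="class" value="{user}">';
// save $html to the database, then later read it back:
$gethtml = $html; // stands in for the value fetched from the database

// escape the value for the HTML attribute before substituting it
$last_html = str_replace('{user}', htmlspecialchars($user, ENT_QUOTES, 'UTF-8'), $gethtml);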
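
The placeholder approach from this answer, combined with the prepared statements recommended in the comments and the first answer, as an added example that is not code from any of the posters. It stores the template through bound parameters and substitutes only known {name} placeholders with HTML-escaped values, so the stored text is never run through eval(). Assumptions: an in-memory SQLite database via PDO stands in for the MySQL connection, and the function names saveTemplate, loadTemplate and renderTemplate and the {unknown} placeholder are hypothetical.

```php
<?php
// Assumption: in-memory SQLite stands in for the MySQL connection so the example runs offline.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE HTML (id INTEGER PRIMARY KEY, content TEXT, URL TEXT)');

// Store the template with bound parameters; the data never becomes part of the SQL text.
function saveTemplate(PDO $pdo, string $content, string $url): int
{
    $stmt = $pdo->prepare('INSERT INTO HTML (content, URL) VALUES (:content, :url)');
    $stmt->execute([':content' => $content, ':url' => $url]);
    return (int) $pdo->lastInsertId();
}

function loadTemplate(PDO $pdo, int $id): string
{
    $stmt = $pdo->prepare('SELECT content FROM HTML WHERE id = :id');
    $stmt->execute([':id' => $id]);
    $content = $stmt->fetchColumn();
    if ($content === false) {
        throw new RuntimeException("No template with id $id");
    }
    return (string) $content;
}

// Replace {name} placeholders with HTML-escaped values. Only names present in
// $values are substituted; unknown placeholders are left untouched, and the
// stored text is never executed as PHP.
function renderTemplate(string $template, array $values): string
{
    return preg_replace_callback(
        '/\{([a-z_][a-z0-9_]*)\}/i',
        static function (array $m) use ($values): string {
            if (!array_key_exists($m[1], $values)) {
                return $m[0];
            }
            return htmlspecialchars((string) $values[$m[1]], ENT_QUOTES, 'UTF-8');
        },
        $template
    ) ?? $template;
}

// Constructed sample input: a user name containing quote and tag characters.
$id = saveTemplate($pdo, '<input type="text" size="18" value="{user}" /> {unknown}', 'http://www.google.com/');
$user = '"><script>alert(1)</script>';
echo renderTemplate(loadTemplate($pdo, $id), ['user' => $user]), PHP_EOL;
```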


0

You need to specify that it's PHP code.

<input type="text" size="18" value="<?php echo htmlspecialchars($user, ENT_QUOTES, 'UTF-8'); ?>" />

1 Comment

You'd also have to eval() the string.
0

If you want to save the value of the input, first you need to give it a name:

<input name="user" type="text" value="<?php echo htmlspecialchars($user, ENT_QUOTES, 'UTF-8'); ?>" />

Now, to retrieve it and save it in your DB, you have to get it from the POST variable:

$content = mysql_real_escape_string($_POST['user']);

This will get you the value that you need.
