I am trying to create an admin page for adding and editing pages. I am using a textarea for writing the main content on each page. This is saved to a text row in a MySQL table.
I have a couple of questions.
Firstly is it sensible to save the html, i.e. headings, paragraph and image tags in the database, or would it be better to write it as a html file and include the location of it via the database?
Secondly, if this technique is o.k., is there a way to stop line breaks being added to the database? I have used
$content = str_replace('<br />','',$content);
on the view and on the insert statement. This stops the breaks from being viewed but they are still added in the database.
I basically just want to keep all the info for the page in one place that is easily edited.
Thanks
... or would it be better to write it as a html file and include the location of it via the database?
By writing files, you have TWO jobs/tasks, maintaining a database and maintaining files, not to mention the added security issue of having to make a file system area writable. Some people like to do this, but IMO it's just wasted space and opens the door for one more place for an error to pop up. For SEO considerations, it's just as easy to store an seo-friendly URL in your database, then use .htaccess to direct the request accordingly:
insert into table(url,content) values('this item url','your content');
in .htaccess, if not a directory and not a file, rewrite to your script.
Your script parses the URL, which can be anything you want and unique, then looks it up in the database. /my-keyword-rich-url returns a web page, whether it's an actual file or not, so it's the same content for search engines.
Firstly is it sensible to save the html, i.e headings, paragraph and image tags in the database,....
I separated this out because storing plain html in a database is a very.bad.idea for two reasons.
The first is just problems with editing. Your "pages" are most likely edited in a plain form textarea. Let's say you pull in a "page" that contains a textarea form. That "page" gets inserted inside your editing textarea, but it contains a closing </textarea> . . . so the second half of your page just goes away.
The second is this opens you up to all sorts of nasty security issues, the least of which is cross scripting and MySQL injection. It's easy enough to say "this is an admin area, no one else will see it" but bad habits tend to stick.
The two best ways I've found to manage both of the above are to use a BB-style syntax when editing, using [] instead of <>, then on output you just substitute accordingly, or encode it going in and decode it coming out. In either case, sanitize your data.
Secondly, if this technique is o.k., is there a way to stop line breaks being added to the database?
Your technique should work, you probably have an error in your coding like
$content = $_POST['content'];
$content = str_replace('<br />','',$content);
insert into db (content) values ('$_POST['content']');
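Added example, not part of the original posts: the reply's two objections and its coding-error diagnosis in one runnable sketch. It binds the cleaned `$content` through a PDO prepared statement and encodes stored markup before it goes into the editing textarea. Assumptions: an in-memory SQLite database (the pdo_sqlite extension) stands in for MySQL, and the `pages` table and the function names are hypothetical.

```php
<?php
// Added example, not code from the thread. Assumptions: PDO with an in-memory
// SQLite database stands in for MySQL; the "pages" table is hypothetical.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE pages (url TEXT PRIMARY KEY, content TEXT)');

// Constructed sample of what the admin form might post.
$_POST = array(
    'url'     => 'contact-us',
    'content' => "<h1>Contact</h1><br />\n<form><textarea name=\"msg\"></textarea></form>\n<p>It's open 9-5</p>",
);

function save_page(PDO $db, array $post)
{
    // Clean into a local variable, then bind that variable (not $_POST again).
    $content = str_replace('<br />', '', $post['content']);
    $stmt = $db->prepare('INSERT INTO pages (url, content) VALUES (:url, :content)');
    // Bound values travel as data, so the apostrophe in "It's" cannot end the SQL string.
    $stmt->execute(array(':url' => $post['url'], ':content' => $content));
}

function load_page(PDO $db, $url)
{
    $stmt = $db->prepare('SELECT content FROM pages WHERE url = :url');
    $stmt->execute(array(':url' => $url));
    $content = $stmt->fetchColumn();
    return $content === false ? null : $content;
}

function edit_form($content)
{
    // Encode on the way into the textarea. The browser decodes it for display and
    // posts the original characters back, so a stored </textarea> cannot close
    // the editor early.
    $safe = htmlspecialchars($content, ENT_QUOTES, 'UTF-8');
    return '<form method="post"><textarea name="content">' . $safe . '</textarea></form>';
}

save_page($db, $_POST);
$stored = load_page($db, 'contact-us');
echo edit_form($stored), "\n";
```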
I did think storing the markup in database could be a problem. I struggle to get my head round how you can put all the content and markup in one end, and have it come out nice at the other, especially if all the pages are different layouts etc. I'm ok when a category has the same layout for every page. But for things that are unique it's harder.
I'll keep you posted.
$content = str_replace('<a>','[a]',$content); etc
Well actually that won't work, because it's usually a href= . . . . or even <a class="something" href=".... but you get the idea. You could do something like
// '&' comes first so the '&' in a freshly written '&quot;' is not encoded again
$htmlsubs = array(
    '&' => '&amp;',
    '"' => '&quot;',
    '<' => '[',
    '>' => ']'
);
Store valid input fields in another array, call it $input, then
foreach ($input as $key => $value) {
    foreach ($htmlsubs as $in => $out) {
        $input[$key] = str_replace($in, $out, $input[$key]);
    }
}
Then when you output, reverse the substitution, except for the entities, which can stay in. So if someone's editing with HTML, it fixes it, if they're editing with BB-style characters, it leaves it alone.
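Added example, not part of the original posts: the round trip described above, with the reverse step restricted to an allowlist so that only expected tags turn back into HTML on output. It is narrowed to tags without attributes; `$allowed` and both function names are hypothetical.

```php
<?php
// Added example, not code from the thread. $allowed and both function
// names are hypothetical.

// Going in: one pass with strtr(), so the "&" in a freshly written "&quot;"
// is not encoded a second time (which chained str_replace() calls can do).
function to_storage($text)
{
    return strtr($text, array('&' => '&amp;', '"' => '&quot;', '<' => '[', '>' => ']'));
}

// Coming out: only bracket tags on the allowlist become HTML again. Anything
// else, such as [script] or a tag carrying attributes, stays as inert text.
function to_html($stored, array $allowed)
{
    return preg_replace_callback(
        '~\[(/?)([a-z][a-z0-9]*)\]~i',
        function ($m) use ($allowed) {
            $tag = strtolower($m[2]);
            return in_array($tag, $allowed, true) ? '<' . $m[1] . $tag . '>' : $m[0];
        },
        $stored
    );
}

$allowed = array('h1', 'h2', 'p', 'strong', 'em');

// Constructed input: one line typed as HTML, one typed BB-style, one unwanted tag.
$input = "<h1>Tom & Jerry</h1>\n[p]He said \"hi\"[/p]\n<script>alert(1)</script>";

$stored = to_storage($input);
echo $stored, "\n";                     // what goes into the database
echo to_html($stored, $allowed), "\n";  // what goes out to the page
```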
I got the substitutions working now, thanks for your additional info.
Currently I am creating a list of links to pages by querying the table of articles and outputting a link with query string including page title and ID. Then on the view page I $_GET the ID and display the relevant page.
I am trying to do some redirects with .htaccess, I'm not sure if this is what you meant in the earlier post?
Options +FollowSymlinks
RewriteEngine on
RewriteRule ^articles/([^/]+)/([^/]+).zip /articles.php?t=$1&id=$2 [NC]
I want to show a nice url to user but still have a query string to display the page. I'm not sure how this will work in practice yet...
I'm trying out a new hosting company and they don't seem to like me using .htaccess much. It gives a server error when I use this code, if I take Options +FollowSymlinks out, it gives no error but doesn't seem to do anything. Is there any other way of rewriting urls in this way?
Thanks