Uploading HTML Code

Hi all,

When uploading concert reviews, we also let users upload the embed code you find at YouTube. Normally the code should look like this:

<object width="425" height="344"><param name="movie" value="http://www.youtube.com/v/GVw6i_gdUZ0&hl=nl&fs=1"></param><param name="allowFullScreen" value="true"></param><param name="allowscriptaccess" value="always"></param><embed src="http://www.youtube.com/v/GVw6i_gdUZ0&hl=nl&fs=1" type="application/x-shockwave-flash" allowscriptaccess="always" allowfullscreen="true" width="425" height="344"></embed></object>

But when I upload this to the db, it inserts it as:
&lt;object width=&quot;425&quot; height=&quot;344&quot;&gt;&lt;param name=&quot;movie&quot; value=&quot;http://www.youtube.com/v/KLsWDQ0w23E&amp;hl=nl&amp;fs=1&quot;&gt;&lt;/param&gt;&lt;param name=&quot;allowFullScreen&quot; value=&quot;true&quot;&gt;&lt;/param&gt;&lt;param name=&quot;allowscriptaccess&quot; value=&quot;always&quot;&gt;&lt;/param&gt;&lt;embed src=&quot;http://www.youtube.com/v/KLsWDQ0w23E&amp;hl=nl&amp;fs=1&quot; type=&quot;application/x-shockwave-flash&quot; allowscriptaccess=&quot;always&quot; allowfullscreen=&quot;true&quot; width=&quot;425&quot; height=&quot;344&quot;&gt;&lt;/embed&gt;&lt;/object&gt;

So all < and > are not added as they should be. I've been trying modifications, but none work. Does anyone know why?

My code is as follows (I took out the rest of the code):

$this->form_validation->set_rules('url_youtube', 'url_youtube', 'htmlspecialchars|xss_clean|trim');

$formdata = array('url_youtube' => $this->input->post('url_youtube'));
$this->db->insert('atg_reviews', $formdata);

The character set of the upload page is UTF-8.

Kind regards,


[eluser]Zeeshan Rasool[/eluser]
Have you provided TinyMCE or a text field?
When you get the record from the db after inserting, is it in normal format or changed?

Remove htmlspecialchars.

Remove special characters when you insert the link in the database.

OK, did that. I then also used htmlspecialchars_decode to show it in the view. That's working fine :-) Thx guys.


Another option is to pre-process the posted value with strip_tags.
$_POST['url_youtube'] = strip_tags($_POST['url_youtube'], '<object><param><embed>');
$this->form_validation->set_rules('url_youtube', 'url_youtube', 'xss_clean|trim');
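
An alternative to storing pasted markup, as an added example that is not code from any poster in this thread: extract the video ID from the posted embed code, store only that, and rebuild the player markup on output, since strip_tags() with an allow-list leaves attributes on the permitted tags untouched. The function names, the 11-character ID pattern and the iframe embed URL are assumptions of this example.

```php
<?php
// Added example: keep only the YouTube video ID from a pasted embed snippet
// and rebuild the markup server-side. Function names are hypothetical.

/**
 * Return the video ID found in pasted embed code, or null if it is not acceptable.
 * Accepts raw or entity-encoded input (e.g. already run through htmlspecialchars).
 */
function extract_youtube_id(string $posted): ?string
{
    // Undo one level of entity encoding so "&amp;hl=nl" and "&quot;" parse normally.
    $html = html_entity_decode($posted, ENT_QUOTES, 'UTF-8');

    // Only youtube.com URLs with a /v/<id> or /embed/<id> path are accepted.
    // Assumption: IDs are exactly 11 characters from [A-Za-z0-9_-].
    $pattern = '~https?://(?:www\.)?youtube\.com/(?:v|embed)/([A-Za-z0-9_-]{11})(?![A-Za-z0-9_-])~';
    if (!preg_match_all($pattern, $html, $m)) {
        return null;
    }
    // The <param> and <embed> elements must all point at the same video.
    $ids = array_unique($m[1]);
    return count($ids) === 1 ? reset($ids) : null;
}

/** Build the player markup from a validated ID; no user-typed HTML is echoed. */
function render_youtube_embed(string $id, int $width = 425, int $height = 344): string
{
    if (!preg_match('/\A[A-Za-z0-9_-]{11}\z/', $id)) {
        return '';
    }
    $src = 'https://www.youtube.com/embed/' . $id;
    return sprintf(
        '<iframe width="%d" height="%d" src="%s" allowfullscreen></iframe>',
        $width, $height, htmlspecialchars($src, ENT_QUOTES, 'UTF-8')
    );
}

// Constructed sample input: the thread's snippet with an event-handler attribute
// added, which strip_tags() with allowed tags would leave in place.
$posted = '<object width="425" height="344" onmouseover="alert(1)">'
        . '<param name="movie" value="http://www.youtube.com/v/GVw6i_gdUZ0&hl=nl&fs=1"></param>'
        . '<embed src="http://www.youtube.com/v/GVw6i_gdUZ0&hl=nl&fs=1"></embed></object>';

$id = extract_youtube_id($posted);  // store only this value, e.g. in url_youtube
echo $id === null ? "rejected\n" : render_youtube_embed($id) . "\n";
```

With this approach the view needs no htmlspecialchars_decode, because the stored value is a bare ID rather than markup.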
