
I'd like to build a good website, where the administrators can add or remove articles, etc. On the main page, I write a short part of every article from a MySQL database, and I'd like to write at the end of every short part a simple link (e.g. "click to see more..."). And when the user clicks on this, he/she can see the whole article.

When the administrator wants to add a new article, he/she has to fill in a simple form. The problem: when I want to add a class or an ID to the "click to see more...", it doesn't work. And, an interesting thing, which I found some seconds ago: if I remove the class of , so I only write "click to see more" (without class or ID tag), it is working. But if I add a "class" or "ID" tag, it doesn't work. What does it mean? :O

My code:

```php
<?php
    if (isset($_POST["submit"])){
        include "../connect.php";   // defines $kapcsolat, the mysql link resource
        // Reads the table's next AUTO_INCREMENT value. $last_id is never used
        // below, and the value is not reliable when inserts run concurrently.
        $last_id_mysql = mysql_query("
            SELECT AUTO_INCREMENT
            FROM INFORMATION_SCHEMA.tables
            WHERE TABLE_NAME = 'articles'
        ");
        while ($egysor = mysql_fetch_row($last_id_mysql)){
            foreach ($egysor as $kulcs){
                $last_id = $kulcs;
            }
        }
        $date = $_POST["date"];
        $short_cont = $_POST["short_cont"];   // the textarea below is named "short_cont"
        // The single quotes around moreit end up inside the '...' string
        // literal of the INSERT below, which is what breaks the query.
        $short_cont .= "...<span class='moreit'>click to see more</span>";
        $title = $_POST["title"];
        $main_text = $_POST["main_text"];
        // The form values are concatenated straight into the SQL text, so any
        // quote in them (the one in the span included) changes the query itself.
        mysql_query("
            INSERT INTO `toparti`.`articles` (
            `main_text` ,
            `date` ,
            `roviditett` ,
            `cim`
            )
            VALUES (
            '$main_text', '$date', '$short_cont', '$title'
            );
        ");
        $errors = mysql_error();
        if ($errors=="") {
            print("<h1>Add!</h1>");
            print("<script>window.setTimeout('window.close();',2000);</script>");
        }
        else {
            print("Don't add. Reason: ".$errors);
        }
        mysql_close($kapcsolat);
    }
?>
<html>
    <head>
        <title>Article</title>
    </head>
    <body>
        <form name="uj_cikk_form" method="POST" action="<?php print($_SERVER['PHP_SELF']);?>">
        <table>
            <tr>
                <td>A cikk címe</td> <!-- Article title -->
                <td><input name="title" type="text" required></td>
            </tr>
            <tr>
                <td>Létrehozás dátuma (pl.: 2013-04-12)</td> <!-- Creation date (e.g. 2013-04-12) -->
                <td><input name="date" type="text" required></td>
            </tr>
            <tr>
                <td>Rövidített tartalom</td> <!-- Short content -->
                <td><textarea cols=100 rows=5 name="short_cont" required></textarea></td>
            </tr>
            <tr>
                <td colspan=2>
                    Cikk tartalma: <!-- Article content: -->
                </td>
            </tr>
            <tr>
                <td colspan=2>
                    <textarea cols=140 rows=20 name="main_text" required></textarea>
                </td>
            </tr>
            <tr>
                <td colspan=2>
                    <input type="submit" name="submit" value="Létrehoz!"> <!-- Create! -->
                </td>
            </tr>
        </table>
        <!-- the <form> element opened above is never closed -->
    </body>
</html>
```
user3290356
  • Your code is vulnerable to SQL injection. You should read on [how to prevent it in PHP](http://stackoverflow.com/q/60174/53114). – Gumbo Apr 13 '14 at 18:05
  • Thanks, I know that too, but I had ignored it so that it becomes shorter... :) – user3290356 Apr 13 '14 at 18:12
  • Use a framework that makes it easier than PHP’s standard extensions do. There are some libraries that allow passing the parameters immediately like ```execute("INSERT INTO `toparti`.`articles` (`main_text`,`date`,`roviditett`,`cim`) VALUES (?, ?, ?, ?)", $p1, $p2, $p3, $p4)```. – Gumbo Apr 13 '14 at 18:15
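Gumbo's comment above is the fix for both problems in this thread at once: the apostrophes in `class='moreit'` breaking the INSERT, and the SQL injection the string concatenation exposes. Below is an added example, not code from the asker or from either answer, of the same form handler written with a PDO prepared statement. The `mysql_*` functions used in the question were removed in PHP 7, so PDO is also what current PHP offers. The database name `toparti` and the column names come from the question; the connection constants, the `connect()` and `insertArticle()` names, and the date check are assumptions for the example.

```php
<?php
// Added example (not the asker's code): the article INSERT done with a PDO
// prepared statement. The values travel to the server separately from the
// SQL text, so a quote inside the "click to see more" span, or in a title
// typed by an administrator, can neither break the query nor inject SQL.
// Assumed: database "toparti", table "articles" with the columns from the
// question, and the placeholder credentials below.

declare(strict_types=1);

const DB_DSN  = 'mysql:host=localhost;dbname=toparti;charset=utf8mb4';
const DB_USER = 'DB_USER_PLACEHOLDER';   // placeholder, not a real account
const DB_PASS = 'DB_PASS_PLACEHOLDER';   // placeholder, not a real password

function connect(): PDO
{
    return new PDO(DB_DSN, DB_USER, DB_PASS, [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION, // throw instead of returning false
        PDO::ATTR_EMULATE_PREPARES => false,                  // real server-side prepares
    ]);
}

/**
 * Insert one article and return its new auto-increment id.
 * lastInsertId() replaces the INFORMATION_SCHEMA lookup from the question,
 * which is unnecessary here and gives wrong answers under concurrent inserts.
 */
function insertArticle(PDO $pdo, string $title, string $date, string $short, string $mainText): int
{
    // Validate the date format instead of trusting free text ("2013-04-12").
    if (!preg_match('/^\d{4}-\d{2}-\d{2}$/', $date)) {
        throw new InvalidArgumentException('date must be YYYY-MM-DD');
    }

    // The teaser suffix contains single quotes; as a bound parameter it is
    // stored verbatim, with no backslash escaping needed.
    $short .= "...<span class='moreit'>click to see more</span>";

    $stmt = $pdo->prepare(
        'INSERT INTO `articles` (`main_text`, `date`, `roviditett`, `cim`)
         VALUES (:main_text, :date, :roviditett, :cim)'
    );
    $stmt->execute([
        ':main_text'  => $mainText,
        ':date'       => $date,
        ':roviditett' => $short,
        ':cim'        => $title,
    ]);

    return (int) $pdo->lastInsertId();
}

if ($_SERVER['REQUEST_METHOD'] === 'POST' && isset($_POST['submit'])) {
    try {
        $id = insertArticle(
            connect(),
            $_POST['title'] ?? '',
            $_POST['date'] ?? '',
            $_POST['short_cont'] ?? '',   // matches the textarea name in the form
            $_POST['main_text'] ?? ''
        );
        // Escape anything echoed back into the page.
        print('<h1>Added article #' . htmlspecialchars((string) $id, ENT_QUOTES, 'UTF-8') . '</h1>');
    } catch (PDOException $e) {
        // Keep driver error text in the server log; do not echo it to the browser.
        error_log($e->getMessage());
        print('<p>Could not add the article.</p>');
    }
}
```

With the values bound as parameters, the error "You have an error in your SQL syntax ... near 'moreit'>click to see more'" cannot occur, because the SQL text the server parses never contains the data. A title such as `O'Brien` is stored correctly for the same reason, which is where manual backslash escaping of one known string stops helping. Note that the page still stores raw HTML and later prints it on the main page; that is fine only as long as nobody but trusted administrators can reach this form.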

2 Answers


Try:

```php
mysql_query("
    INSERT INTO `toparti`.`articles` (
    `main_text` ,
    `date` ,
    `roviditett` ,
    `cim`
    )
    VALUES (
    '".$main_text."', '".$date."', '".$short_cont."', '".$title."'
    );
");
```
Manwal
  • Thank you for your reply, but unluckily it hasn't worked :/ MySQL writes this: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'moreit'>click to see more', 'dfgh' )' at line 8 – user3290356 Apr 13 '14 at 17:46
  • hmm... I found an interesting thing... If I remove the class of , so I only write "click to see more" (without class or ID tag), it is working. But if I add a "class" or "ID" tag, it doesn't work. What does it mean? :O – user3290356 Apr 13 '14 at 17:57
  • @user3290356 if you replace the span by this: `click to see more` Does it work ? – CMPS Apr 13 '14 at 18:01

You are not closing the form tag at the end of the HTML part, and you should escape the string containing the :

replace this:

```html
</table>
</body>
```

by:

```html
</table>
</form>
</body>
```

And you should change:

```html
<span class='moreit'>click to see more</span>
```

to

```html
<span class=\'moreit\'>click to see more</span>
```
CMPS
  • thank you for your remark, I have fixed it, but still it doesn't work... :/ – user3290356 Apr 13 '14 at 17:50
  • hmm... I found an interesting thing... If I remove the class of , so I only write "click to see more" (without class or ID tag), it is working. But if I add a "class" or "ID" tag, it doesn't work. What does it mean? :O – user3290356 Apr 13 '14 at 17:55
  • MySQL writes this: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'moreit'>click to see more', 'dfgh' )' at line 8 ........... ("dfgh" is the title which I had added to the article) – user3290356 Apr 13 '14 at 18:02
  • What if you try: click to see more @user3290356 – CMPS Apr 13 '14 at 18:04
  • wow, thank you!!!!!!!!!! It works :) And it's logical, because when MySQL wanted to insert it, it hadn't worked because of the turmoil of the apostrophes :) Thank you! :) – user3290356 Apr 13 '14 at 18:15
  • @user3290356 No prob, I updated my answer as well; if you don't have any other questions, consider marking it solved :) – CMPS Apr 13 '14 at 18:21