Hi, I’m trying to code a simple forum with PHP and MySQL but I’m stuck…
I want to clean up user input before putting it into the database but it’s not working. Sadly I’m not getting errors, so I have no idea what is going on.
This is the PHP for creating new topics:
<?php
include 'config.php';
include 'functions.php';

if (empty($_POST['threadtitle'])) {
    echo "<br /><div align='center'>je bent vergeten een titel in te voeren</div>";
} else if (strlen($_POST['threadtitle']) < 6) {
    echo "<br /><div align='center'>je titel is niet lang genoeg</div>";
} else if (empty($_POST['message'])) {
    echo "<br /><div align='center'>je bent vergeten een bericht in te voeren</div>";
} else if (strlen($_POST['message']) > 1600) {
    echo "<br /><div align='center'>je bericht is te lang</div>";
} else {
    (clean_input($_POST['threadtitle']));
    (clean_input($_POST['name']));
    (clean_input($_POST['message']));
    $time = time();
    mysql_query("INSERT INTO threads VALUES(NULL,'$_POST[threadtitle]','$_POST[name]','$_POST[message]','0','0','$time','$time')");
    echo "<br /><div align='center'>nieuw topic geplaatst</div>";
    echo "<meta http-equiv='Refresh' content='1; url=http://metartmdb.com/unit7/port/'>";
}
?>
That clean_input is what is supposed to clean things up. It’s in a file called functions:
function clean_input($input)
{
    if (get_magic_quotes_gpc()) {
        // Remove slashes that were used to escape characters in post.
        $input = stripslashes($input);
    }
    // Remove ALL HTML tags to prevent XSS and abuse of the system.
    $input = strip_tags($input);
    // Escape the string for insertion into a MySQL query, and return it.
    return mysql_real_escape_string($input);
}
I’m testing this by putting an a href link into the threadtitle. The script does its thing, no errors, but the threadtitle appears as a link…
Anyone any idea how to get this to work?
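
Added example, not part of the original post: it shows why calling a cleaning function without using its return value leaves the submitted data unchanged, and one way to store and display the cleaned values. The helper `clean_text`, the `$post` array standing in for `$_POST`, the table columns, and the use of PDO with in-memory SQLite and bound parameters in place of the post's `mysql_*` calls are all assumptions made for the example.

```php
<?php
// Added example: constructed input, hypothetical helper and table layout,
// SQLite in memory instead of MySQL so it runs offline.

// Strip tags and return the result. PHP passes strings by value, so the
// caller's variable is untouched unless the return value is assigned.
function clean_text(string $input): string
{
    return trim(strip_tags($input));
}

// Constructed form submission standing in for $_POST.
$post = [
    'threadtitle' => '<a href="http://example.com/">click me</a>',
    'name'        => "O'Brien",
    'message'     => 'Hello <b>forum</b>',
];

// 1) Return value discarded, as in the posted script: the array still holds the link.
clean_text($post['threadtitle']);
var_dump($post['threadtitle']);

// 2) Return value assigned: the cleaned copies are what get stored.
$title   = clean_text($post['threadtitle']);
$name    = clean_text($post['name']);
$message = clean_text($post['message']);

// Prepared statement: values are bound, never pasted into the SQL text,
// so the quote in O'Brien needs no manual escaping.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE threads (id INTEGER PRIMARY KEY, title TEXT, name TEXT, message TEXT, created INTEGER)');
$stmt = $db->prepare('INSERT INTO threads (title, name, message, created) VALUES (?, ?, ?, ?)');
$stmt->execute([$title, $name, $message, time()]);

// Encode on output as well, so anything that reached the table renders as text.
foreach ($db->query('SELECT title, name, message FROM threads') as $row) {
    printf(
        "%s by %s: %s\n",
        htmlspecialchars($row['title'], ENT_QUOTES, 'UTF-8'),
        htmlspecialchars($row['name'], ENT_QUOTES, 'UTF-8'),
        htmlspecialchars($row['message'], ENT_QUOTES, 'UTF-8')
    );
}
```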