(SOLVED) PHP form doesn't save PHP - error #1064


I know this may sound like a strange question, but it has a point :slight_smile:

Anyway, I have been using this method for a while, and have never encountered an issue with it, and I’m about at my wits end to get it working on the current site I’m working on.

Basically, I have a template system that stores the information for each ‘page’ of my website in the DB (so there’s only one page - but it just calls the information from the DB, depending on what’s in the URL). So, if I want to edit a page, I have to be logged in as the super-administrator, and then I can edit the PHP for the page, the HTML, the stylesheets, the scripts, etc.

So, my main concern is for editing the PHP that is custom for certain pages - on a new site I’m doing, it won’t allow me to save this way. When I create pages (using a form I’ve created, and on that same site), I can type PHP in and it will save and accept it, but when I try to EDIT it on a page, it won’t let me - it will go through the reload of the page and act like it saved it, but nothing will be changed in the DB.

Any ideas on this? The hosting is the same as other sites I’ve done as well - so I don’t think that’s the issue either. The editing page I use on this one is the same I use on the other sites, and it will save any information EXCEPT PHP scripts - I really am not sure what to do.

I have a custom php.ini file on my system, but haven’t changed any settings (it’s there in case I need to). I have also been on with Dreamhost support for about 2 hours on this, and they say it’s my problem, and to figure it out here - so ANY help would be GREATLY, GREATLY APPRECIATED!!!

might it have something to do with the script performing some input validation to prevent some malicious poster from inserting some malicious code? in your case, of course, you want to save some code to the database, but often times most people want to prevent it…

It does have some things built in like that, but when I’m logged in as the Super Admin, it doesn’t have those on… it’s really weird. Any other ideas?

are you sure it’s recognizing you as super admin then? maybe take those date checking parts out just to make sure? any way to verify that your super admin status is being recognized by those proceedures? how about posting some sample code or is it proprietary?

It just recognizes me as the super admin because of my user_id and permission level in the users table - I’m also the only one on the site who has an account, and can even login right now too, so it wouldn’t show any of the editing information if I couldn’t be logged in as the Super Admin.

Could it have anything to do with a .htaccess setting or something? Or a php.ini setting?

Does anybody have any other ideas on this?

Just for reference, I finally put this in the PHPMyadmin MySQL query thing, and it gave me the following:


SQL query:

UPDATE content SET url = ‘http://www.productionbook.com/home’,
php = '{startp} $hotdog = 'chicken ‘; echo $hotdog; {/endp}’,
meta = ’ ',
page_title = ‘home’,
title = ‘Home’,
style = ’ ',
script = ’ ',
content = ’

Under construction This site is currently under construction. Please check back later.

content_type_id = ‘1’,
analytics = ’ ',
active = ‘1’ WHERE id = ‘1’ LIMIT 1

MySQL said: Documentation
#1064 - You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ‘chicken’; echo $hotdog; {/endp}’, meta = ’ ‘, page_title = ‘home’, title =’ at line 1 [/quote]

When, what I put in (just for testing) -

[quote]UPDATE content SET url = ‘http://www.productionbook.com/home’, php = ‘{startp} $hotdog = ‘chicken’; echo $hotdog; {/endp}’, meta = ’ ', page_title = ‘home’, title = ‘Home’, style = ’ ', script = ’ ', content = '
Under construction

This site is currently under construction. Please check back later.
’, content_type_id = ‘1’, analytics = ’ ', active = ‘1’ WHERE id = ‘1’ LIMIT 1[/quote]

I had to put in the {startp} and {/endp} (made up tags) in order for it to try to save at all - if I use regular PHP tags it won’t even post it. Any ideas?

Looks like you’re using the mysql_* functions instead of PDO, and you aren’t escaping your content properly, so apostrophes in the php code are getting passed straight through to MySQL, which is interpreting them as terminating your string (yikes!). Either use addslashes() to escape the apostrophes, or switch to using PDO.

php = '{startp} $hotdog = 'chicken ‘; echo $hotdog; {/endp}’,
You didn’t escape the single quotes for that variable $hotdog. If you don’t properly escape quotes, well…

Okay, well that’s how the query string comes out when it is printed - or sent to the server. This is how I initially send it:

		$result = $db->query("UPDATE `content` SET `url` = '" . $contents['url'] . "', `php` = '" . $contents['php'] . "', `meta` = '" . $contents['meta'] . "', `page_title` = '" . $contents['page_title'] . "', `title` = '" . $contents['title'] . "', `style` = '" . $contents['style'] . "', `script` = '" . $contents['script'] . "', `content` = '" . $contents['content'] . "', `content_type_id` = '" . $contents['content_type_id'] . "', `analytics` = '" . $contents['analytics'] . "', `active` = '" . $contents['active'] . "' WHERE `id` = '" . $db->escape_string($_GET['content_id']) . "' LIMIT 1");

So it should work - I thought. I mean, it’s worked on multiple other sites for me…

Also, I’m sorry, but I’m not familiar with PDO… I will try a mysql_real_escape_string on everything, but sometimes that messes things up, too for me. I’ll let you know.

If it’s worked, it’s only been by pure luck, or by the graces of PHP’s deprecated magic_quotes feature. That approach won’t work.

Let me just thank everyone for being so patient with me - I’m an idiot.

You were right andrewf - once I escaped EVERYTHING being $_POST-ed, it worked. Now I can do what I need to! Thank you so much!

you’re not an idiot. we’ll all learning. well, maybe except for andrewf. he knows a lot :stuck_out_tongue:

Haha - that makes me feel a little better :wink: Thanks guys - I really do appreciate the support.