#1
  1. No Profile Picture
    Registered User
    Devshed Newbie (0 - 499 posts)

    Join Date
    Jul 2012
    Posts
    5
    Rep Power
    0

    Textarea(WYSIWYG text editor) - the html code generated won't save into my DB table..


    Hi CF guys,

    I have a text-area form on my page, and I made my text-area field work like an editor so I'm able to modify my content (font, headings, alignment, etc.).
    But when I'm about to insert it into my DB table, the insert won't continue.
    I've set my table column to the Long Text data type.

    I did some testing and debugging and found out that the problem is the generated code produced by my text editor. Is there any possible solution for this one? I badly need to use the text editor and save values into my database.


    Any help or suggestions?

    BTW...I used the Tiny MCE or the ckeditor =)
  2. #2
  3. No Profile Picture
    Moderator

    Join Date
    Jun 2002
    Location
    Raleigh, NC
    Posts
    5,273
    Rep Power
    968
    Are you getting an error? What is actually happening when you try to do the insert?
  4. #3
  5. No Profile Picture
    Registered User
    Devshed Newbie (0 - 499 posts)

    Join Date
    Jul 2012
    Posts
    5
    Rep Power
    0
    Nope, I'm not getting any error. And I found that the generated HTML code was not completely saved into my table column.

    For example, the generated HTML code was:
    Code:
    <h3 style="color:blue;">
    	Marriott to open first Sri Lankan property</h3>
    <p>
    	<br />
    	<strong>After</strong> signing an agreement with Weligama Hotel Properties Ltd, the Marriott Hotels &amp; Resorts brand plan to open their first Sri Lankan hotel.</p>
    When I actually checked my table column in the DB, only the
    Code:
    <h3 style=
    was saved.

    That's the reason when I output the value on the page, the display is blank.

    Any suggestions or help?

    Thanks.
  6. #4
  7. No Profile Picture
    Moderator

    Join Date
    Jun 2002
    Location
    Raleigh, NC
    Posts
    5,273
    Rep Power
    968
    The quotes in your string aren't escaped. Try using cfqueryparam, which should handle escaping the quotes automatically.

    By the way, you should always use cfqueryparam for ANYTHING the user is sending into the database, to prevent SQL injection. You're also wide open for XSS exploits with this setup, since the user can enter arbitrary code into your form. So at minimum you'll want to check for any JavaScript in the incoming form data and strip it out.
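One way to do the stripping suggested above is to rebuild the submitted markup from an allowlist rather than search it for script. This is an added example, not code from the thread: it is written in Python, the tag list is an assumption, and it drops every attribute (including `style`).

```python
from html import escape
from html.parser import HTMLParser

# Assumed allowlist for this example; adjust to what the editor may produce.
ALLOWED_TAGS = {"h3", "p", "br", "strong", "em", "ul", "ol", "li"}
VOID_TAGS = {"br"}                  # tags that never get a closing tag
DROP_CONTENT = {"script", "style"}  # remove these tags and their contents


class AllowlistSanitizer(HTMLParser):
    """Re-emits only allowlisted tags (no attributes) and escaped text."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.skip_depth = 0

    def handle_starttag(self, tag, attrs):
        if tag in DROP_CONTENT:
            self.skip_depth += 1
        elif tag in ALLOWED_TAGS and not self.skip_depth:
            self.out.append(f"<{tag}>")  # attributes such as onclick are dropped

    def handle_endtag(self, tag):
        if tag in DROP_CONTENT:
            self.skip_depth = max(0, self.skip_depth - 1)
        elif tag in ALLOWED_TAGS and tag not in VOID_TAGS and not self.skip_depth:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.skip_depth:
            self.out.append(escape(data))  # text is always re-escaped


def sanitize(html_in):
    """Return html_in reduced to allowlisted tags and escaped text."""
    parser = AllowlistSanitizer()
    parser.feed(html_in)
    parser.close()
    return "".join(parser.out)


if __name__ == "__main__":
    # Constructed input: editor markup with script and an event handler mixed in.
    sample = ('<h3 style="color:blue;" onclick="x()">Hi</h3>'
              '<script>alert(1)</script><p>A &amp; B<img src=x onerror=y></p>')
    print(sanitize(sample))
```

Sanitizing on the way in does not replace output encoding or cfqueryparam; the three cover different problems.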
  8. #5
  9. No Profile Picture
    Registered User
    Devshed Newbie (0 - 499 posts)

    Join Date
    Jul 2012
    Posts
    5
    Rep Power
    0
    Thanks for the tips.

    I have used the <CFQUERYPARAM> tag on my query insert,
    <cfqueryparam cfsqltype="CF_SQL_VARCHAR" value="#form.f_content3#">
    but I'm still getting the same problem/issue.

    Thanks
  10. #6
  11. No Profile Picture
    Moderator

    Join Date
    Jun 2002
    Location
    Raleigh, NC
    Posts
    5,273
    Rep Power
    968
    Hmm, what database are you using? Can you post the cfquery itself?
  12. #7
  13. No Profile Picture
    Registered User
    Devshed Newbie (0 - 499 posts)

    Join Date
    Jul 2012
    Posts
    5
    Rep Power
    0
    Hi,

    I'm using a MySQL database (MyISAM engine); the datatype is LONGTEXT.

    And here's the insert statement.
    Code:
    <cfquery datasource="#ds#" name="q_insert">
    	INSERT INTO tb_article
    	(d_name,d_content)
    	VALUES(
              <cfqueryparam cfsqltype="CF_SQL_VARCHAR" value="#form.f_name#">,
              <cfqueryparam cfsqltype="cf_sql_longvarchar" value="#form.f_content#">
             )
    </cfquery>
    Any idea on my problem/issue? Thanks.
  14. #8
  15. No Profile Picture
    Moderator

    Join Date
    Jun 2002
    Location
    Raleigh, NC
    Posts
    5,273
    Rep Power
    968
    If you do a

    <cfdump var="#form.f_content#"><cfabort>

    Just before the query and then run the page, do you see the full HTML text?

    Also, if you turn on debugging for SQL, do you see the full HTML content in the debugging output for this query?

    Just for fun, you could try using single quotes around the value, like:

    <cfqueryparam cfsqltype="cf_sql_longvarchar" value='#form.f_content#'>
  16. #9
  17. No Profile Picture
    Registered User
    Devshed Newbie (0 - 499 posts)

    Join Date
    Jul 2012
    Posts
    5
    Rep Power
    0
    You are right, I need to play around a little on it.

    Anyway, I found that the generated code breaks when I put it in a hidden text field.
    That's because I have a preview page before I insert it into the DB, so I have to hide it in a form before inserting it on the next page.

    My solution for now is to remove the preview page and insert immediately after the Submit button is clicked. I'll display the preview page after the insert, and they have an option to update.

    Thanks!
  18. #10
  19. No Profile Picture
    Contributing User
    Devshed Newbie (0 - 499 posts)

    Join Date
    May 2008
    Posts
    131
    Rep Power
    7
    Use HTMLEditFormat() to escape the value in your hidden field and it should carry over to the next page just fine.
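The truncation to `<h3 style=` reported in post #3 can be reproduced by parsing the preview form the way a browser reads the hidden field. This is an added example, not code from the thread: Python's `html.parser` stands in for the browser, `html.escape` stands in for the escaping step that `HTMLEditFormat()` performs in CFML, and the `insert.cfm` action name is hypothetical.

```python
from html import escape
from html.parser import HTMLParser

# Constructed sample modelled on the editor output quoted in post #3.
EDITOR_HTML = ('<h3 style="color:blue;">Marriott to open first Sri Lankan property</h3>'
               '<p><strong>After</strong> signing, Marriott Hotels &amp; Resorts plan to open.</p>')


class HiddenFieldReader(HTMLParser):
    """Collects hidden <input> values the way a form submission would read them."""

    def __init__(self):
        super().__init__()
        self.fields = {}

    def handle_starttag(self, tag, attrs):
        attr = dict(attrs)
        if tag == "input" and attr.get("type") == "hidden":
            self.fields[attr.get("name")] = attr.get("value")


def render_preview(content, escape_value):
    """Build the preview form; escape_value=False reproduces the bug."""
    value = escape(content, quote=True) if escape_value else content
    # insert.cfm is a hypothetical name for the page that runs the INSERT.
    return ('<form method="post" action="insert.cfm">'
            f'<input type="hidden" name="f_content" value="{value}">'
            '</form>')


def posted_value(page_html, field="f_content"):
    """Return what the next page would receive for the hidden field."""
    reader = HiddenFieldReader()
    reader.feed(page_html)
    reader.close()
    return reader.fields.get(field)


if __name__ == "__main__":
    # Unescaped: the first double quote inside the content ends the attribute.
    print(repr(posted_value(render_preview(EDITOR_HTML, escape_value=False))))
    # Escaped: the value survives the round trip unchanged.
    print(posted_value(render_preview(EDITOR_HTML, escape_value=True)) == EDITOR_HTML)
```

The database column and cfqueryparam were never the cause: the value was already cut short in the form post, which is why the `<cfdump>` check suggested in post #8 is the right place to look first.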
