I have a problem with a php-onsite-editor I developed.
It seems like forms and textarea are f*ck*d up if together...
The following is what i exactly do:
Here is how somebody updates site content:
Web-Site > Admin Panel > Manage/Edit > Select Page
Here in select Page, it displays the code on a textarea
form box, as plain html, and the user can delete, update
or modify it...
when somebody selects which page to edit, it finds
which mysql table holds data for this page, and loads
it. Then on the Select Page > View and Edit area,
it has for example in variable $data, the data for tha page,
in a textarea box, like:
Try doing a str_replace before outputting the info to the textarea. For example,:
//not tested, just rough idea
//before outputting $data to the textarea to edit
$data = str_replace("</textarea>", "[/textarea]", $data);
$data = str_replace("</form>", "[/form]", $data);
//then after user has submitted the info to the db:
$data = str_replace("[/textarea]", "</textarea>", $data);
$data = str_replace("[/form]", "</form>", $data);
Never have a form actually present real HTML GT & LT tags in the field. Print them in some other format to display normally in the form or page and only parse them back to real tags when the changes are saved, assuming you don't need to do further checks for security or accuracy reasons. Am I understanding the problem correctly, in that if someone edits if with a </form> or </textarea>, it cuts off the actual textarea form that they should be editing the page in? If so, follow my above suggestion.
Oh, in phpMyAdmin, you would have to submit a bug report or modify the code, if this is a problem in their interface (too?). The solution the other poster suggested would work, but due to security issues, I'd recommend replacing any occurrence of the opening (and possibly closing) tags, to be safer. Of course, how it's displayed to the viewer of the resulting page (not just editing) could also pose a problem as well, with such things as cross site scripting attacks, etc., but that's pretty trivial (depending) and it really depends on whom has access to edit anyway.
This would write the data for the HTML tags as < and >, which is not what this poster wants, right? You'd have to covert character tags back to real tags when it writes the data. Also, you'd have to take into consideration that when someone edits the page, they might want to use the < and > tags for display and not actually have those specific one's converted to real HTML tags. Or, am I missing something?
Tim: No. It won't. A textarea takes PARSED CHARACTER DATA. The character data is parsed (entities included) and that becomes the value of the textarea. It does not however spit out "unparsed" (for want of a better word) character data, it returns it's value just like any other field.
You wouldn't write
<input type="text" value="<strong>here</strong>" />
would you, so why would you think a textarea any different.
PCDATA is character data (including entities) this means you must only put character data (including entities) in the textarea tag (the HTML 2 spec did "explicitly exclude" input, textarea and select from textareas, but this was a red herring and only there because of an inclusion exception on form - no markup should be placed in a textarea - it makes no sense).
Thus, the above code is incorrect syntax and the correct syntax for this is:
the browser will read the content of the textarea tag and parse it (in the process, converting entities into thier character equivalents) into the desired representation and display as such for editing.
My comment was that if it's putting < and >, then what happens if you want to (when editing the file) use < and actually have it be < when written. Anyway, that is all I was saying about the solution perhaps not being exactly what they want. Of course, no one may ever end up doing that. Also, I'm not a fan of PHP, so perhaps I'm just not aware of what the function is doing, am I wrong about my above example? As far as "HTML 101", I'm not sure if you were referring to my post or someone else, but as you can see, my above point is absolutely unrelated to such a thing--in that I was talking about how the data was converted (or not). If you weren't talking about me, then okay.
Tim: If you wish to enter < in the editor, then enter it. Once the data is inside the textarea it has already been parsed, you are editing #CDATA not #PCDATA, only the text that you put between the <textarea> and </textarea> is #PCDATA.
So, if you want to prefill the textarea with exactly:
"& <= &lt; &gt; &amp;"
then the HTML code should be
<textarea>& <= &amp;lt; &amp;gt; &amp;</textarea>
See how the special characters are replaced. The browser when parsing the #PCDATA inside the textarea will do so like this...
Right, I just wasn't familiar with the function (not being a PHP guy and never planning to be). Thanks for clarifying. I probably will never use it, but it might be useful to a PHP coder to see the clarification.