Originally Said By: Eric Mittman
Ok, I have got it now. The problem is that the double quotes are stored in the db, so when you view the product on the update page the double quotes cause it to break out of the value attribute for that form element and create some new attributes in there.
The fix is to use htmlentities() around the value before it is inserted or updated. This is done in the following locations:
Products Insert line 139
Find the second occurrence of $_POST["ProductName"] and wrap the function around it like this:
htmlentities($_POST["ProductName"])
Products Update line 268
Find the second occurrence of $_POST["ProductName"] and wrap the function around it like this:
htmlentities($_POST["ProductName"])
This should make it so it stores the encoded versions of these characters in the db, but the browser will still display them as quotes. Let me know if you have any other problems with this.
Eric, I am sorry, I'm sure this is a pretty simple fix, but I am just not finding the code you show.
I have the Products_Update.php (inside the Admin folder) open, I've been combing through the code looking for the lines you describe in the vicinity of the line numbers you give, and I am not finding it. For the second occurance, I find something similar but not the same.
Starting at line 123, here is what I have:
mysql_select_db($database_localhost, $localhost);
$query_ProductOptions = sprintf("SELECT DISTINCT optiongroups.OptionGroupName, optiongroups.OptionGroupID FROM optiongroups INNER JOIN options ON optiongroups.OptionGroupID = options.OptionGroupID INNER JOIN productoptions ON productoptions.OptionID = options.OptionID WHERE ProductID = %s ORDER BY optiongroups.OptionGroupID", GetSQLValueString($PIDParam_ProductOptions, "int"));
$ProductOptions = mysql_query($query_ProductOptions, $localhost) or die(mysql_error());
$row_ProductOptions = mysql_fetch_assoc($ProductOptions);
$totalRows_ProductOptions = mysql_num_rows($ProductOptions);
?>
<?php
$PIDParam_SelectedOptions = "1";
if (isset($_GET['ProductID'])) {
$PIDParam_SelectedOptions = (get_magic_quotes_gpc()) ? $_GET['ProductID'] : addslashes($_GET['ProductID']);
}
mysql_select_db($database_localhost, $localhost);
$query_SelectedOptions = sprintf("SELECT options.OptionID, options.OptionGroupID FROM options INNER JOIN productoptions ON productoptions.OptionID = options.OptionID WHERE ProductID = %s", GetSQLValueString($PIDParam_SelectedOptions, "int"));
$SelectedOptions = mysql_query($query_SelectedOptions, $localhost) or die(mysql_error());
$row_SelectedOptions = mysql_fetch_assoc($SelectedOptions);
$totalRows_SelectedOptions = mysql_num_rows($SelectedOptions);
?>
<?php
// WA_UploadResult1 Params Start
$WA_UploadResult1_Params = array();
// WA_UploadResult1_1 Start
$WA_UploadResult1_Params["WA_UploadResult1_1"] = array(
'UploadFolder' => "../Images/Upload/",
'FileName' => "[FileName]",
'DefaultFileName' => "" . $row_WADAProducts["ProductImage"] . "",
'ResizeType' => "1",
'ResizeWidth' => "400",
'ResizeHeight' => "400",
'ResizeFillColor' => "#FFFFFF" );
// WA_UploadResult1_1 End
// WA_UploadResult1 Params End?>
I pasted up to line 155
Line 268 reads:
$WA_fieldValuesStr = "".((isset($_POST["ProductSKU"]))?$_POST["ProductSKU"]:"") ."" . "|" . "".((isset($_POST["ProductName"]))?$_POST["ProductName"]:"") **is this where I would place the code you gave?** ."" . "|" . "".((isset($_POST["ProductPrice"]))?$_POST["ProductPrice"]:"") ."" . "|" . "".((isset($_POST["ProductWeight"]))?$_POST["ProductWeight"]:"") ."" . "|" . "".((isset($_POST["ProductCartDesc"]))?$_POST["ProductCartDesc"]:"") ."" . "|" . "".((isset($_POST["ProductShortDesc"]))?$_POST["ProductShortDesc"]:"") ."" . "|" . "".((isset($_POST["ProductLongDesc"]))?$_POST["ProductLongDesc"]:"") ."" . "|" . "".$WA_DFP_UploadStatus["WA_UploadResult2"]["serverFileName"] ."" . "|" . "".$WA_DFP_UploadStatus["WA_UploadResult1"]["serverFileName"] ."" . "|" . "".((isset($_POST["ProductCategoryID"]))?$_POST["ProductCategoryID"]:"") ."" . "|" . "".(date('Y-m-d H:i:s')) ."" . "|" . "".((isset($_POST["ProductStock"]))?$_POST["ProductStock"]:"") ."" . "|" . "".((isset($_POST["ProductLive"]))?$_POST["ProductLive"]:"") ."" . "|" . "".((isset($_POST["ProductUnlimited"]))?$_POST["ProductUnlimited"]:"") ."";
One thought: I had an earlier (unrelated) problem that evidently was caused by not having the template files in the root folder, all my powerstore files are in a subfolder of the site root folder (it is an existing site that I added powerstore to). Could this be causing the problem?