Remove HTML tags from input field using Coldfusion and ReReplace() function

If you develop web applications can be useful take a mind some little sagacity to avoid ugly surprises, for example that an user can add and save javascript code into a form that executes undesired actions.

A typical situation
Image you have a form with an input field where a registered user can add/modify his name:

<cfif isDefined('FORM.name')>
<cfquery datasource="myDatasource">
INSERT INTO USER (NAME) values (#FORM.name#)WHERE ID_USER_PK = 1
</cfquery>
</cfif><form action="thisPage.cfm"><input name="name"/> <input type="button" value="save" name="submit"/></form>

... an user in vein of jokes could add and save into the database this code:

<script language="javascript">
alert('Site's webmaster is an idiot!');
</script>

... or a loop like this:

<script language="javascript">
for(i=1; i<2000000; i++){ alert('Site's webmaster is an idiot!');} </script>

So, when an user open the page instead of show the name, the browser executes a javascript code that could cause a little embarrassment for the site's webmaster :)
These are just two banal examples but you can find a lot of situations where is very important to do a check of the input data and remove all HTML tags using this simple Coldfusion function:

ReReplaceNoCase(#inputString#,"<[^>]*>","","ALL")

...where #inputString# is the string you want to clear, and "ALL" repeat the same action for all occurrences. You can specify also what tags will be removed, for example if you want to delete only the content inside <script> tag (because you want mantain some no-dangerous HTML tag like <b>, <strong>, <em>), you have to modify the previous code with the following:

ReReplaceNoCase(#inputString#,"<script>.*</script>", "", "ALL")

Remove HTML tags from the previous example
To solve the problem in the previous example, you have to add just a line of code (in bold) inside your page:

<cfif isDefined('FORM.name')>
// remove all html tags in the input string in this case a FORM variable
<cfset nameNOHTML = ReReplaceNoCase(#FORM.name#,"<[^>]*>","","ALL") />
<cfquery datasource="myDatasource">
INSERT INTO USER (NAME) values (#nameNOHTML#)
WHERE ID_USER_PK = 1
</cfquery>
</cfif>
<form action="thisPage.cfm">
<input name="name"/> <input type="button" value="save" name="submit"/>
</form>

In this way all HMTL tags will be removed from the input data.

Top resources for webmaster

This is a small list of my preferred resources (database, functions, classes, libraries) that I use to deploy web sites. If you have an interesting site about this argument add it with a comment into this list.


Ajax loader
Download this pack with a lot of ajax animated loader like these:



I suggest also http://www.ajaxload.info to create your custom ajax loader on-line

Common Function Library Project (Coldfusion)
The most complete source where you can find a lot of open source user-defined functions to be used in your Coldfusion applications and simplify your work.
http://www.cflib.org/library.cfm


Firebugs
I use it to debug Javascript with Firefox
http://www.getfirebug.com


Adobe Kuler
Create, explore and share color themes for your web site.
http://kuler.adobe.com/


MAMP (mac users)
Install Apache, PHP and MySQL with few clicks under Mac OS X.
http://www.mamp.info


MySQL
No other explenations for the most popular open source database!
http://www.mysql.com


Mootools
A simply to use Object-Oriented Javascript framework compatible with all browser
http://mootools.net


PHP Classes Repository
A repository full of freely available programming classes of objects written in PHP
http://www.phpclasses.org


phpMyAdmin
The most powerful and free MySQL Database administration tool, written in PHP.
http://www.phpmyadmin.net

Statcounter
A free yet reliable invisible web tracker, highly configurable hit counter and real-time detailed web stats.
http://www.statcounter.com

Scriptaculous
The most famous web 2.0 style Javascript libraries.
http://script.aculo.us/

A correct approach to define relationships between database's tables

I dedicated already some post about how to design and develop a database, but some readers asked to me to explain how to define relationships in a database and a correct approach to create them.

In general a relationship is defined between a foreign key and a primary key of two - or more - different tables. An example can be the following: an user lives in a city (or in a city live more users). The relationship-entity model for this simple case is something like this:


Generally, to optimize the database, it's a good rule to define a relationship using two INTEGER type fields. For example if you have 3 cities into the CITY table identified from ID_CITY_PK (primary key):

ID_CITY_PK (1)
CITY (Paris)

ID_CITY_PK (2)
CITY (New York)

ID_CITY_PK (3)
CITY (Rome)

... and a record into the USER table with ID_CITY (foreign key) = 3, this relation associates the current record to the city with ID_CITY_PK = 3 into the CITY table, that is Rome.

ID_USER_PK (1)
NICK (Antonio)
...
ID_CITY (3)

How to define relationships using phpMyAdmin
If you use a database MySQL and phpMyAdmin to manage it, select a table (in this example USER) and click on "Relation View", below the table's fields:


Now, from the foreign key field in the table USER (id_city) the field with which you want define the relationship, in this case id_city_pk in the CITY table:


Click on save to save created relation and repeat the action for all tables require relations.
If you use a Database Access, relationships can be defined from relationship view simply connecting, just with a mouse's click, two field.


How to define relationships using SQL
I suggest to use always a separated file with SQL statements to create all database's tables and relationships between them. The code is very simple, easy to modify and to reuse. A relation is defined using the statement REFERENCES:

CREATE TABLE CITY (
id_city_pk INT NOT NULL AUTO_INCREMENT,
city VARCHAR(100),
PRIMARY KEY (id_city_pk)
) TYPE=INNODB;

CREATE TABLE USER (
id_user_pk INT NOT NULL AUTO_INCREMENT,
nick VARCHAR(40),
email VARCHAR(40),
password VARCHAR(20),
id_city INT NOT NULL,
PRIMARY KEY (id_user_pk)
FOREIGN KEY (id_city) REFERENCES CITY(id_city_pk) ON UPDATE CASCADE ON DELETE CASCADE
) TYPE=INNODB;

Remeber the order is very important when you create your database: first, you have to create table without dependancies and then all others.


Related Posts

For other about this argoument visit the following links:
Project a database: define the relationships-entities model (tables, attributes, and relationships )
Project a database: create tables and relationships with SQL
Project a database: how to use PHP and SQL to create tables and relationships

... or take a look at the table of contents.

Populate a "select" form with a SQL query using coldfusion

In this post I replied to some reader that have asked to me how to populate a select form element with the results of a SQL query using PHP. I received the same question about how to do the same action using Coldfusion.

Image a simple SQL query which get all users' names on a generic database's table, in this case USER, which have two attributes: ID_USER_PK (primary key) and NAME (the user name):

<cfquery datasource="mydatasource" name="getUser">
SELECT * FROM USER
</cfquery>

Now, to display the query's results into a SELECT form you can use this simple code with <cfoutput query="queryName">:

<select name="select" name="userName">
<cfoutput query="getUser">
<option value="#id_user_pk#">#name#</option>
</cfoutput>
</select>

If you have a parameter in input, for example a URL variable, idUser:

#URL.idUser#

...passed to the page in this way:

http://localhost/index.php?idUser=1

<select name="select" name="userName">
<cfoutput query="getUser">
<option value="#id_user_pk#" <cfif #URL.idUser# EQ #id_user_pk#>selected="selected"</cfif>>#name#</option>
</cfoutput>

In this way, you force to set the "selected" attribute, in your SELECT form, equal to "selected" if the current record has an id_user_pk equal to the parameter in input.

Are you a PHP developer? Read here the PHP version of this post

Why you have not need of an eBook about Google AdSense secrets

If you have a site, probably you use Google AdSense to monetize your traffic. If after some month since site's startup, you are not satisfied for the obtained results, in terms of revenues, you could try to find some suggestion on internet about how to increase your revenue with AdSense. In this case, can help you one of the many ebooks about this argoument written from some AdSense Guru.

But, what it’s a typical structure of these ebooks? And they are really useful?

The introduction
First chapter is an introduction about the eBook and how his author earned million dollars simply applying some rules that he promises is going to reveal to you in the next pages... (it would seem interesting... ok, let's go!)

Do you know AdSense?
Second chapter is the answer to the question: “what is Google AdSense”?... (mmm... but at this point I ask to me: “why I have to pay for a thing I can read for free on Google AdSense official site?”)

The first AdSense secret
Third chapter is a detailed explanation about announcements’ formats. To the end, the first secret in order to become a millionaire with adSense is revealed:

“Bigger formats are better because they are more visible than small formats”. (indeed???)

The second AdSense secret
Now it’s time for the second secret, the most explosive: after some pages it’s revealed and can be resumed with this sentence:

“Place AdSense announcements where are visible, for example on top of the page.” No Comment.

Now, after all, my suggestion is: "not to throw your money." Ok?

Populate a select form with a SQL query using PHP

This is another frequent asked question which I receive frequently. The solution is very simple and is illustrated step-by-step in the code below

Solution using PHP
Image a simple query SQL which get all users' names on a generic database's table, in this case USER, which have two attributes: ID_USER_PK (primary key) and NAME (the user name):

<?php
$getUser_sql = 'SELECT * FROM USER';
$getUser = mysql_query($getUser_sql);
?>

If you want to display the query's results into a SELECT form you can use this simple code:

<select name="select" name="userName">
<?php while ($row = mysql_fetch_array($getUser)) {?>
<option value="<?php echo $row['id_user_pk']; ?>">
<?php echo $row['name']; ?></option>
<?php } ?>

Wile statement creates a number of option elements equal to number of total records contained into the table and assigns them a value equal to primary key (in this simple case id_user_pk.


If you want select an option equal to a parameter in input
Now, image if you have a parameter in input, for example a URL variable idUser:

&_GET['idUser']

...passed to the page in this way:

http://localhost/index.php?idUser=1

If you want your SELECT form select the option equal to the value of parameter in input, you have only add a line of code (in bold):

<select name="select" name="userName">
<?php while ($row = mysql_fetch_array($getUser)) {?>
<option <?php if($row['id_user_pk'] == $_GET['idUser']) { echo 'selected="selected"';} ?> value="<?php echo $row['id_user_pk']; ?>">
<?php echo $row['name']; ?></option>
<?php } ?>
</select>

In this way, you force to set the "selected" attribute, in your SELECT form, equal to "selected" if the current record has an id_user_pk equal to the parameter in input.

myToDoListPHP updated: v 0.5

A new interface and new features for myToDoListPHP

Another day, another update... In this update I added set priority for each task and current percentage of completion.

This is a screenshot of task view:

...and this is a screenshot of modify task view:


For more info about myToDoListPHP and to download the full package read the related post.
Thanks to all for your support!