January 13, 2009
Question

YouTube embed code getting truncated

I have a form field with a YouTube embed that I am trying to read into a MySQL database.

<input name="Image1URL" type="hidden" value="<object width="425" height="344"><param name="movie" value=" http://www.youtube.com/v/2X7xFIhTIDc&hl=en&fs=1"></param><param name="allowFullScreen" value="true"></param><param name="allowscriptaccess" value="always"></param><object src=" http://www.youtube.com/v/2X7xFIhTIDc&hl=en&fs=1" type="application/x-shockwave-flash" allowscriptaccess="always" allowfullscreen="true" width="425" height="344"></embed></object>" />

On insertion, the entry is getting truncated to:
<object width=

Apparently it doesn't like the "

I tried to do a Replace to make it "" but can't figure out the correct way to code it

Thanks.





    January 15, 2009
    Hi getziggy ,

    I would still strip the URL out if I were you and put the code in at run time as suggested above. If you are worried about users not being able to customize the code, how about creating some kind of small interface for the user to select what options they want. e.g. a form with select lists saying something like "display full screen?" then have a TRUE or FALSE select box.

    If you go along that route, you'll find that you will not only have more control, but also be a lot more secure from malicious attacks - cross site scripting etc. Because the code will be executed as they want it to, it leaves a whole host of potential security problems.

    Also, what if someone messes up the code by accident and doesn't realise? The video won't display. Stripping the URL and building the code at run time will ensure this doesn't happen.

    Also, doing something like this:

    <cfset YouTubeDisplay = "#replace(qMainQuery.Image1URL,"youtubeobject","object", "all")#">

    Is a little bit hacky. What I mean is, how are you going to be sure nothing else includes the same words you are replacing? If so, things could get really messed up.

    Food for thought!

    Good luck,
    Michael.
    chrome88 (Author)
    January 15, 2009
    quote:

    Originally posted by: Kapitaine
    Hi getziggy ,

    I would still strip the URL out if I were you and put the code in at run time as suggested above. If you are worried about users not being able to customize the code, how about creating some kind of small interface for the user to select what options they want. e.g. a form with select lists saying something like "display full screen?" then have a TRUE or FALSE select box.

    If you go along that route, you'll find that you will not only have more control, but also be a lot more secure from malicious attacks - cross site scripting etc. Because the code will be executed as they want it to, it leaves a whole host of potential security problems.

    Also, what if someone messes up the code by accident and doesn't realise? The video won't display. Stripping the URL and building the code at run time will ensure this doesn't happen.

    Also, doing something like this:

    <cfset YouTubeDisplay = "#replace(qMainQuery.Image1URL,"youtubeobject","object", "all")#">

    Is a little bit hacky. What I mean is, how are you going to be sure nothing else includes the same words you are replacing? If so, things could get really messed up.

    Food for thought!

    Good luck,
    Michael.


    Adding the ability to post YouTube videos is added functionality to an already existing application to which I have to deploy over 60+ websites, for which I am being compensated nada, so even though it is a bit "hacky", it is a solution that I am going to be able to deploy with the least amount of pain. If I were building it from the ground up, I would probably take a different approach.

    During the publishing process, the clients have a chance to preview their embed, so if it is not copied and pasted correctly, they will know.
    January 15, 2009
    i believe your second 'youtubeobject' should actually be replaced with
    'embed' for displaying, not 'object'.
    but the bigger question is: why do you need to store the whole html code
    when you can just store the url to the clip and write out the full html
    code at display time? i understand that your users will probably
    copy/paste the full youtube link, but you can easily parse out just the
    src attribute from it using a simple regex...

    Azadi Saryev
    Sabai-dee.com
    http://www.sabai-dee.com/
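
The approach suggested in the replies above (keep only the clip reference and write the HTML at display time), as an added example that is not part of any post in this thread. The function names and sample strings are constructed for illustration; it assumes 11-character video IDs like the thread's `2X7xFIhTIDc` and ColdFusion 10 or later for `encodeForHTMLAttribute`.

```cfml
<cfscript>
// Added example: hypothetical helper names, constructed sample input.

// Return the video ID found in a pasted embed code or URL, or "" if none.
// Only the ID is captured; the host is never reused, it is rebuilt below.
function extractYouTubeId(required string pasted) {
    var pattern = "youtube\.com/v/([A-Za-z0-9_-]{11})([^A-Za-z0-9_-]|$)";
    var m = reFindNoCase(pattern, arguments.pasted, 1, true);
    if (m.pos[1] EQ 0) {
        return ""; // nothing that looks like a YouTube /v/ URL
    }
    return mid(arguments.pasted, m.pos[2], m.len[2]);
}

// Build the markup from a fixed template. Only a re-validated ID and a
// boolean reach the output, so nothing the user typed is emitted as HTML.
function buildYouTubeEmbed(required string videoId, boolean allowFullScreen = true) {
    if (NOT reFind("^[A-Za-z0-9_-]{11}$", arguments.videoId)) {
        return ""; // value from the form or the database is not a plain ID
    }
    var fs = arguments.allowFullScreen ? "true" : "false";
    var src = encodeForHTMLAttribute("http://www.youtube.com/v/"
        & arguments.videoId & "&hl=en&fs=" & (arguments.allowFullScreen ? 1 : 0));
    return '<object width="425" height="344">'
        & '<param name="movie" value="' & src & '"></param>'
        & '<param name="allowFullScreen" value="' & fs & '"></param>'
        & '<embed src="' & src & '" type="application/x-shockwave-flash"'
        & ' allowfullscreen="' & fs & '" width="425" height="344"></embed>'
        & '</object>';
}

// Constructed inputs: a normal embed code, the same URL with extra markup
// pasted around it, and a paste that contains no YouTube URL.
samples = [
    '<object width="425" height="344"><param name="movie" value="http://www.youtube.com/v/2X7xFIhTIDc&hl=en&fs=1"></param></object>',
    '" /><h1>injected</h1><embed src="http://www.youtube.com/v/2X7xFIhTIDc&hl=en&fs=1">',
    'not an embed code'
];
for (pasted in samples) {
    id = extractYouTubeId(pasted); // store this value (with cfqueryparam), not the HTML
    writeOutput(len(id) ? buildYouTubeEmbed(id, false) : "<p>No YouTube video found.</p>");
}
</cfscript>
```

The first two samples produce identical output because only the ID survives extraction; the stored value contains no quotes, so the truncated `value="..."` attribute from the original question cannot recur either.
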
    chrome88 (Author)
    January 15, 2009
    quote:

    Originally posted by: Newsgroup User
    i believe your second 'youtubeobject' should actually be replaced with
    'embed' for displaying, not 'object'.
    but the bigger question is: why do you need to store the whole html code
    when you can just store the url to the clip and write out the full html
    code at display time? i understand that your users will probably
    copy/paste the full youtube link, but you can easily parse out just the
    src attribute from it using a simple regex...

    Azadi Saryev
    Sabai-dee.com
    http://www.sabai-dee.com/



    Thanks. I did catch that yesterday and am using a replace code in the final display:
    <cfset YouTubeDisplay = "#replace(qMainQuery.Image1URL,"youtubeobject","object", "all")#">
    <cfset YouTubeDisplay = "#replace(YouTubeDisplay,"object src=","embed src=", "all")#">
    <div style="margin:10px 20px;"><cfoutput>#YouTubeDisplay#</cfoutput></div>

    As far as storing only the URL, there are some advanced users using this who may want to change some of the YouTube code once such as allowFullScreen to false, etc., so I don't want to limit them in their ability to make those changes.
    chrome88 (Author)
    January 14, 2009
    Answering my own question

    by converting the input to HTML format (simply by using a <cfinput, not an <input tag) the value now displays as:

    <input name="Image1URL" type="hidden" value="&lt;youtubeobject width=&quot;425&quot; height=&quot;344&quot;&gt;&lt;param name=&quot;movie&quot; value=&quot; http://www.youtube.com/v/2X7xFIhTIDc&hl=en&fs=1&quot;&gt;&lt;/param&gt;&lt;param name=&quot;allowFullScreen&quot; value=&quot;true&quot;&gt;&lt;/param&gt;&lt;param name=&quot;allowscriptaccess&quot; value=&quot;always&quot;&gt;&lt;/param&gt;&lt;youtubeobject src=&quot; http://www.youtube.com/v/2X7xFIhTIDc&hl=en&fs=1&quot; type=&quot;application/x-shockwave-flash&quot; allowscriptaccess=&quot;always&quot; allowfullscreen=&quot;true&quot; width=&quot;425&quot; height=&quot;344&quot;&gt;&lt;/embed&gt;&lt;/object&gt;" class="form" id="Image1URL" />

    which MySQL interprets as:
    <youtubeobject width="425" height="344"><param name="movie" value=" http://www.youtube.com/v/2X7xFIhTIDc&hl=en&fs=1"></param><param name="allowFullScreen" value="true"></param><param name="allowscriptaccess" value="always"></param><youtubeobject src=" http://www.youtube.com/v/2X7xFIhTIDc&hl=en&fs=1" type="application/x-shockwave-flash" allowscriptaccess="always" allowfullscreen="true" width="425" height="344"></embed></object>

    btw: the reason object is displaying as youtubeobject in the code above is because when passing the embed code from one page to another, CF changes the word Object to InvalidTag. When the variable is passed, I am converting it to either object if it is intended for display, or youtubeobject when it is inserted into the db.

    <cfset YouTubeDisplay = "#replace(FORM.YouTubeEmbed,"InvalidTag","object", "all")#">


    January 14, 2009
    In terms of a straight-forward regexp, you could just use:
    <cfset formattedStr = ReReplaceNoCase(FORM_VALUE, '\"', '""', 'ALL') />

    That said, I am not certain using a regexp such as the one above will alleviate the problem you are having inserting strings with double-quotes into MySQL. What does your cfquery code look like?

    Do you code your insert in one of the following two styles?
    1. <cfquery ..>
    insert into table_name(field)
    values('#cfstring#') ***note the single quotes around my variable
    </cfquery>
    2. <cfquery ..>
    insert into table_name(field)
    values(<cfqueryparam value="#cfstring#" cfsqltype="cf_sql_varchar" />)
    </cfquery>

    If you are using something along the lines of the code immediately following this paragraph (using double quotes around the variable to be inserted), I should think that MySQL would interpret the next double quote (the first double quote being the double quote to the left of the variable in your cfquery) as an instruction to terminate that portion of the SQL statement.
    <cfquery ..>
    insert into table_name(field)
    values("#cfstring#") ***note the double quotes around my variable
    </cfquery>

    In general, when I insert strings into varchar fields in MySQL, I use either cfqueryparam (I try to almost always use this) or single quotes around varchar/string values.
    January 14, 2009
    What if you change the input field to:

    <input name="Image1URL" type="hidden" value='<object width="425" height="344"><param name="movie" value=" http://www.youtube.com/v/2X7xFIhTIDc&hl=en&fs=1"></param><param name="allowFullScreen" value="true"></param><param name="allowscriptaccess" value="always"></param><object src=" http://www.youtube.com/v/2X7xFIhTIDc&hl=en&fs=1" type="application/x-shockwave-flash" allowscriptaccess="always" allowfullscreen="true" width="425" height="344"></embed></object>' />

    January 14, 2009
    Are you using <cfqueryparam /> in your INSERT SQL code? Show us the insert SQL if you can. You should use this tag if you aren't already.

    Also, what's the datatype of the column you are inserting it into? If it is going to be a very long string (like it already is) then your column needs to be set to TEXT in MySQL. It may be truncating it because the data type is set to a certain length. TEXT will solve this.

    Mikey.