I have an issue. I have a column in mysql database like
<p><strong>WELCOME</strong></p>
<p><strong>About Me</strong>
Now I want to fetch this in my php page. But when I am fetching, it doesn't show bold text, only normal text.
I am using
html_entity_decode($content,0,1649)."...");
It sounds like what is happening is that you have some other code that is escaping your data prior to being output for HTML.
This is a good thing in most cases. You don't want HTML with <script> tags and what not being allowed in your data from users. If anything, you don't want < and > to be misinterpreted.
However, if you do want to allow HTML, you need to modify whatever is outputting your HTML to not escape this particular variable.
Related
I would like to know how its possible to stop the following HTML code from
Inserting into the column of the table
Not show up as an image
The column is VARCHAR inserted via text-box
'<img src="SOMEIMAGELOCATION.jpg" alt="STACKOVERFLOWRULES" style="width:69px;height:69px;">'
As expected I'm currently testing my points of entry where data is taken in , I guess somewhere in my query I need to prevent this?
If you don't want to store HTML, you have to convert the input-data from a string containing HTML to one that doesn't. You have a few options.
If you just want everything to come out exactly as typed, without turning into html, use the htmlentities function:
http://php.net/manual/en/function.htmlentities.php
If you just want to get rid of the HTML entirely and leave only plain text, use the striptags function:
http://php.net/manual/en/function.strip-tags.php
I'm having lots of trouble preserving the exact look of how a user types out a short paragraph.
My problem is that random slashes and html show up. When people would hit enter while typing the message, "\r\n\" would show up when it's echoed later. I tried fixing that but now when the user types an apostrophe while composing a message, it gets inserted into the database with 3 back slashes, and thus echoed later with 3 back slashes with the apostrophe. Frustrating! I want to just start over!
Here's what I do.
User types a message in an input field and hits submit.
That message gets inserted into the database with type varchar(280) via php.
That message gets echoed via php.
I've tried many different things like nlbr and strip_tags and stripslashes and mysql_real_escape_string and others. I might be using these all in a certain combination that messes it up.
So my question is what is the best way to preserve exactly how someone composes a text paragraph to be later echoed via php to look just like how they typed it?
Make sure Magic Quotes are off or, if you can't disable them, cleanse your strings from them. Read the manual for details: http://www.php.net/manual/en/security.magicquotes.php
When inserting your text into the database, escape it properly for SQL syntax once or, better, use prepared statements. See How can I prevent SQL injection in PHP? and The Great Escapism (Or: What You Need To Know To Work With Text Within Text).
When outputting to HTML, use htmlspecialchars to avoid HTML injection or plain syntax problems and afterwards use nl2br to format line breaks specifically for HTML.
That's basically it.
On the second step you need to escape it with mysql function.
But for correct outputing it you need to do following
<pre><?= htmlentities($mysqlRow['data']); ?></pre>
This will get from database result needed information and will outputs it like it is. With all spaces and tabs and html tags in it. (If user enters <html> this will output <html> like text)
i'm developing a website that has a shoutbox application,
what i want to do is how to accept if the user or a guest is inserting php tags as his/her message or shout just like want you can see on the image..
i'm using mysql_real_escape_string for the guest name and for the message..
i want php to treat that as a text and display it as a text not a tag or a code..
when i entered a shout like that, no message appears just like the shout of the (guest:3:34pm) no message displayed, and when i check my database to see if the shout is inserted.. no data inserted on the messages column of my tb_shoutbox..
i tried it on facebook chat i enter a php tag and html tag and it accept that kind of message.. how to do that..
some help please..
You need to convert certain characters (such as "<") to HTML entities. The htmlentities function can be used like so:
echo htmlentities($guest_comment, ENT_QUOTES, 'utf-8');
To build on Wayne Whitty's completely correct answer and answer on your comment on his answer:
mysql_real_escape_string is used when you want to insert a variable's data into a MySQL database using a MySQL query, without breaking the query with the variable's content.
That prevents people from doing SQL injections on your shoutbox.
htmlentities on the other hand is used when you want to stop people from breaking your PHP script (which can be very unpleasant). It encodes the string you gives it into pure html. It's like it is telling the browser that this string, whatever is in it, should be displayed right of to the user. No code parsing is done.
So to answer your question: Somewhere in your code you have a PHP line that echoes the messages from the database/file. You need to modify that line so it first encodes the message with htmlentities, then shows it to the use
You should use HTMLEntities in order to display tags as plain text.
I have an HTML table that displays information from a database, and one of the database fields contains a parameter list such as:
id=eff34-435-567rt-65u¬ification=5
But when I display this in the table the ¬ becomes ¬
I know that you can manually force it to print the right way by using
¬
But I would really rather be able to just use something to force the HTML to ignore the code so I can just pull the text straight from the database and print it to the table without having to do a regex to find out if there are any & and replace them with & I tried using the <pre> tag but that did not work.
Is there any way to force the HTML to print exactly what is typed for that specific td field?
Nothing practical (CDATA doesn't have browser support in text/html mode). Write proper HTML instead.
You should be running anything that comes out of the database through a conversion function to make it HTML safe anyway (to protect against XSS if nothing else). PHP has htmlspecialchars(), TT has | html. Whatever you are using should have something other then a regex.
& is the correct HTML encoding for the &. You will need to write the ¬ for it to display correctly.
If you're pulling from a database, you can use whatever programming language that is available to you to decode HTML entities for you.
For example, in PHP, you could use htmlentities or htmlspecialchars.
Try using htmlspecialchars().
most frameworks have HTML Encode functions.
in JavaScript: encode
in C# .NET: HttpServerUtility.HtmlEncode
Just run an HTMLEncode on the string before outputting it. Every server-side scripting language I know of has a built in command to do this. Not to mention that you are eventually going to run into another character that causes problems too.
ASP.NET: HttpServerUtility.HtmlEncode
PHP: htmlentities
Regex should definitely NOT be necessary.
The example web page has 2 fields and allows a user to enter a title and code. Both fields would later be embed and displayed in an HTML page for viewing and/or editing but not execution. In other words, any PHP or javascript or similar should not run but be displayed for editing and copying.
In this case, what is the best way to escape these fields before database insertion and after (for HTML display)
You need to use the function htmlspecialchars() in php
that will change any special characters (eg < and >) into their special HTML encoded characters (eg < and >). When you get these from the database and output them as HTML they will display as code, but won't harm your script or execute.
I faced with the same problem a few days back, to put the codes (javascript or PHP ) in the html in a non executable way, I used textarea, it solved the purpose.
The problem however, was with the database. I cannot use the typical escape functions with the data, as it is affecting my data, for example the tags are getting messed up.
To solve this problem, I encoded the data in base 64 format before putting it in the database. So what is happening is my JavaScript code is encoded and the resultant code is no longer a Javascript code and I can use the escape functions on this and store it in the database.
I am open to suggestions, feel free to comment.