I am using CKEditor to insert text into a MySQL database. I have noticed that my installed CKEditor is escaping all HTML elements when the data reaches the database.
Therefore the following is what I am getting in the database after I have inserted the text with CKEditor:
'&' (ampersand) becomes '&amp;'
'"' (double quote) becomes '&quot;'
"'" (single quote) becomes '&#039;'
'<' (less than) becomes '&lt;'
'>' (greater than) becomes '&gt;'
I would rather disable the CKEditor HTML escaping completely, and rely on my PHP script to handle the HTML escaping using PHP's htmlspecialchars.
Another good reason for me to disable CKEditor's HTML escaping ability is that I want to preserve the written content in the MySQL database. In other words I want to keep the single quotes and double quotes in the database, and then I want to have PHP sanitise the HTML elements with htmlspecialchars when I print the database data to page using MySQL select statement.
Can anybody tell me how to disable HTML escaping within CKEditor? Your input or any advice on the above would be much appreciated.
Here you go:
config.entities
config.basicEntities
How can I make it possible for users to use the '"' (double quote) inside a textfield...
Whenever I use a double quote in the field (the value), then when receiving the variable in my PHP file with:
$text = mysql_real_escape_string($_POST['subject']);
and then echo it, I get a string which is escaped properly, but the string stops exactly before the double quote!
I don't want it to stop because of the double quote though!
JavaScript is used to validate the text field so it's not empty; maybe I should do something more with JavaScript when validating, and alter the value, so PHP can get the correct value including the double quotes?
Thanks
UPDATE
CODE:
$headline= mysql_real_escape_string($_POST['headline']);
echo htmlentities($headline);
I have tried merging the two above, will only give the same results.
NOTE: I have ALSO TRIED adding ENT_QUOTES into the htmlentities function...
Unformatted string as entered:
+ , . ; : - _ space & % ! ? = # * ½ # / \ [ ]< > " ' hej hej
will output this when echoing it:
+ , . ; : - _ space & % ! ? = # * ½ # / \\ [ ]< >
You have to use htmlspecialchars($str, ENT_QUOTES) or htmlentities($str, ENT_QUOTES) to convert the quotes to the HTML entity &quot;. Those functions also take care of other characters that should be encoded.
mysql_real_escape_string() is only meant for escaping single quotes in database queries, so that you can correctly enter strings with single quotes into your database (and avoid SQL injections).
EDIT: Added parameters. Thanks to micahwittman
The reason it isn't working when you're outputting it into the input is because the value is being truncated at the quote. You'll need to use htmlspecialchars() on the output.
You're mixing up two things: mysql_real_escape_string is used to prepare strings for storing in a mysql database. htmlentities is used to prepare strings for echoing in the browser. Both are important to do, but calling one after the other on the same string can't be expected to work. Do something like the following:
// Copy string after escaping for mysql into $db_headline
$db_headline= mysql_real_escape_string($_POST['headline']);
// Copy string after escaping for page display into $html_headline
$html_headline = htmlentities($_POST['headline']);
// Store the headline in the database
...
?>
<input type="text" name="headline" value="<?php echo $html_headline ?>" />
...
It's not the job of the JS to modify the input string; the server should make sure it can accept what it's getting regardless.
You could escape the double quotes with another value, either an ASCII code or the HTML entity &quot; etc., before you pass it into your MySQL escape function?
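As an added example (not code from any of the answers above): the submitted value is kept unmodified and encoded only at output, for the HTML context it is written into. The headline is the asker's own test string, constructed here in place of $_POST['headline']; the function names are my own. One caveat worth knowing: before PHP 8.1 the default flags of htmlspecialchars() do not include ENT_QUOTES, so a single-quoted attribute breaks the same way the double-quoted one did unless you pass it explicitly.

```php
<?php
// Added example (not from the original answers): keep the raw submitted
// value and encode it at output for the HTML context it lands in. The
// headline below is the asker's test string, constructed in place of
// $_POST['headline'].
declare(strict_types=1);

function encodeForHtml(string $s): string
{
    // ENT_QUOTES: encode both " and ' (older PHP leaves ' alone by default,
    // which breaks single-quoted attributes). ENT_SUBSTITUTE: replace
    // invalid UTF-8 with U+FFFD instead of returning an empty string.
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

function inputField(string $name, string $value): string
{
    return '<input type="text" name="' . encodeForHtml($name)
         . '" value="' . encodeForHtml($value) . '" />';
}

function textareaField(string $name, string $value): string
{
    // Newlines are ordinary content inside <textarea>; only &, <, > and the
    // quotes need encoding. No \n to \\n rewriting and no addslashes().
    return '<textarea name="' . encodeForHtml($name) . '">'
         . encodeForHtml($value) . '</textarea>';
}

// Self-check: does the encoded string still contain anything that can close
// the attribute or open a tag?
function isInert(string $encoded): bool
{
    return preg_match('/["\'<>]/', $encoded) === 0;
}

$headline = "+ , . ; : - _ space & % ! ? = # * ½ # / \\ [ ]< > \" ' hej hej";

// What the question's code effectively did: the raw " terminates the value
// attribute, so the browser shows the value only up to that point and treats
// the rest as stray attributes (which is also an injection point).
$truncated = '<input type="text" name="headline" value="' . $headline . '" />';

$safe = inputField('headline', $headline);

if (!isInert(encodeForHtml($headline))) {
    throw new RuntimeException('encoding left attribute-breaking characters');
}

echo $truncated, PHP_EOL;   // broken markup, shown for comparison
echo $safe, PHP_EOL;        // value attribute survives intact
echo textareaField('message', "first line\nsecond \"line\" with 'quotes'"), PHP_EOL;
```

Database escaping never appears in this script on purpose: whatever goes into MySQL should be the raw $headline bound through a prepared statement, and encodeForHtml() is applied only when the value is written into the page.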
I'm here with a question on a project; I try to explain as best as possible:
I have a text area in which the user can write whatever they want.
The problem is that they can try for some kind of malicious code (js xss, for example)
I was using the function:
echo htmlspecialchars($topic->getMessage(), ENT_QUOTES, 'UTF-8');
I thought I had solved the problem, but I remembered that the user can type HTML, and it is allowed.
Is there any function already made for running HTML and others stay as text?
As per PHP manual, htmlspecialchars performs the following translations:
'&' (ampersand) becomes '&amp;'
'"' (double quote) becomes '&quot;' when ENT_NOQUOTES is not set.
"'" (single quote) becomes '&#039;' (or '&apos;') only when ENT_QUOTES is set.
'<' (less than) becomes '&lt;'
'>' (greater than) becomes '&gt;'
Your HTML actually does get translated into safe characters.
After reading your question again (for it's not very clear), I thought maybe you want the HTML tags to actually stay as HTML tags, meaning <b>bold</b> wouldn't get translated into &lt;b&gt;bold&lt;/b&gt;
To do so, you may want to use str_replace after htmlspecialchars:
$result = htmlspecialchars($topic->getMessage(), ENT_QUOTES, 'UTF-8');
$result = str_replace(array("&lt;", "&gt;"), array("<", ">"), $result);
echo $result;
Or you could just translate &, ' (single quote) and " (double quote) via str_replace:
echo str_replace(array("&", "\"", "'"), array("&amp;", "&quot;", "&#039;"), $topic->getMessage());
Possibilities are endless.
htmlspecialchars is ok but not completely safe to insert into mysql.
For mysql it's better to use prepared statements, such as explained here:
http://bobby-tables.com/php.html
For output in the page (without inserting on database), htmlspecialchars is enough... provided you don't decode those before printing.
Like CBroe suggested, You could use http://htmlpurifier.org/ to clean the html and avoid garbage in your database, but you still must use prepared statements.
Also read: http://php.net/manual/en/pdo.prepared-statements.php
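The str_replace() variants in the earlier answer put every < and > back, so a <script> element or an onerror= handler passes through untouched, which is exactly the XSS the question asks about. As an added example (not code from any answer on this page) of the approach the last answer points at, here is a small allowlist sanitizer built on DOMDocument: parse the user's HTML, keep only listed tags and attributes, reject unsafe URL schemes, and let everything else fall away. The tag and attribute lists, the safeUrl() rule and the sample message are my own choices; a maintained library such as HTML Purifier handles far more cases than this.

```php
<?php
// Added example, not code from this page's answers: a small allowlist
// sanitizer on top of DOMDocument. Everything not listed in ALLOWED_TAGS /
// ALLOWED_ATTRS is dropped, so <script>, on* handlers and javascript: links
// never reach the browser. The lists and the sample input are constructed.
declare(strict_types=1);

const ALLOWED_TAGS  = ['b', 'i', 'em', 'strong', 'p', 'br', 'ul', 'ol', 'li', 'a'];
const ALLOWED_ATTRS = ['a' => ['href']];

function safeUrl(string $url): bool
{
    // Accept relative paths, fragments and http(s) only. Checking the scheme
    // on the trimmed value stops javascript:, data: and vbscript: links.
    $url = trim($url);
    if ($url === '' || $url[0] === '/' || $url[0] === '#') {
        return true;
    }
    return preg_match('#^https?://#i', $url) === 1;
}

function sanitizeNode(DOMNode $parent): void
{
    // Snapshot the children first: removing from a live DOMNodeList while
    // iterating it skips the following sibling.
    foreach (iterator_to_array($parent->childNodes) as $child) {
        if ($child->nodeType === XML_TEXT_NODE) {
            continue;                        // serialized with & < > escaped
        }
        if (!$child instanceof DOMElement) {
            $parent->removeChild($child);    // comments, CDATA, PIs
            continue;
        }
        $tag = strtolower($child->tagName);
        if (!in_array($tag, ALLOWED_TAGS, true)) {
            if ($tag === 'script' || $tag === 'style') {
                $parent->removeChild($child);    // drop together with contents
                continue;
            }
            // Unknown element (div, span, img, ...): keep its sanitized
            // children, drop the element and all of its attributes.
            sanitizeNode($child);
            while ($child->firstChild !== null) {
                $parent->insertBefore($child->firstChild, $child);
            }
            $parent->removeChild($child);
            continue;
        }
        foreach (iterator_to_array($child->attributes) as $attr) {
            $name    = strtolower($attr->name);
            $allowed = in_array($name, ALLOWED_ATTRS[$tag] ?? [], true)
                    && ($name !== 'href' || safeUrl($attr->value));
            if (!$allowed) {
                $child->removeAttribute($attr->name);
            }
        }
        sanitizeNode($child);
    }
}

function sanitizeHtml(string $html): string
{
    $doc = new DOMDocument();
    libxml_use_internal_errors(true);        // user HTML is rarely well-formed
    // The <?xml prefix makes libxml read the input as UTF-8.
    $doc->loadHTML('<?xml encoding="UTF-8"><html><body>' . $html . '</body></html>');
    libxml_clear_errors();
    $body = $doc->getElementsByTagName('body')->item(0);
    if ($body === null) {
        return '';
    }
    sanitizeNode($body);
    $out = '';
    foreach ($body->childNodes as $child) {
        $out .= $doc->saveHTML($child);      // text nodes come back escaped
    }
    return $out;
}

// Constructed sample: legitimate formatting mixed with common XSS payloads.
$message = '<b>bold</b> <a href="javascript:alert(1)" onclick="x()">link</a>'
         . '<script>alert(document.cookie)</script><img src=x onerror=alert(1)>'
         . '<p>5 &lt; 6 &amp; "quotes"</p><a href="https://example.com/">ok</a>';

$clean = sanitizeHtml($message);
if (stripos($clean, '<script') !== false || stripos($clean, 'onerror') !== false
    || stripos($clean, 'javascript:') !== false) {
    throw new RuntimeException('sanitizer let a payload through');
}
echo $clean, PHP_EOL;
```

The design choice that matters is the direction of the rule: an allowlist of what may stay, rather than a list of what to strip. A denylist has to anticipate every tag, attribute and URL scheme a browser will execute; an allowlist only has to be right about the handful of things you chose to permit. Run the sanitizer on the way out (or on the way in and store the cleaned copy), but still bind the value with a prepared statement when it goes into MySQL; the two concerns are separate.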
I'm running this exact query from PHP:
UPDATE commentedText SET title='§2.', content='<div class=\"pageParagraph\"><p>Test</p>\n</div>', last_changed='1430422172', image_banner_url='', active='', comments='[{"from":"0","to":"0","id":"1","CommentedText":"","comment":"New test with \"test\" :d"}]' WHERE id='5541d52beb2ea' AND appId='MyAppID' LIMIT 1
However when I read the row that was updated (either via PHP or MySQL Workbench), the slashes are gone. See for example
<div class=\"pageParagraph\"[..]
which is saved to the table as
<div class="pageParagraph"[..]
How come the slashes disappear?
They are disappearing before they even get to MySQL -- PHP is seeing the backslash as an escape for the double quote.
"\""
creates a string "
To keep the backslash use
"\\\""
The first escapes the second, and the third escapes the quote.
Mysql also uses backslash escapes for strings. So to use it in a query, you need to have it escaped yet again.
"\\\\\""
PHP's string will be \\"
Which in MySQL will create a string \"
Use proper escaping when dealing with queries. Applying things like addslashes() is easily defeated.
Depending on your library, mysql_real_escape_string(), mysqli_real_escape_string(), or best yet, prepared statements.
These methods of escaping will not modify the original data, so you don't have to worry about removing the escaping characters on render.
I have a textarea and I store it in MySQL.
The special characters below work well when I upload them to MySQL and load them back into my textarea:
!##$%^&*()_+-=~<>?{}[]|*-+/:;.,"`
The (enter) character works when uploading to MySQL but not on reload. I tried to reload with
str_replace("\n", "\\n", $string);
and it works well.
When I upload to MySQL, the special characters below do not work:
\'
I tried typing the characters above doubled; that works for uploading to MySQL but not for reload.
Typing '' gives ' in MySQL, but I want typing ' to give ' in MySQL.
What is the best way to handle the problem characters above (upload and reload)? Thanks.
Update: my way
When I upload to MySQL I use
addslashes($string)
and when I reload I use
str_replace("\n", "\\n", addslashes($string))
It's done for my case, thanks all.
Try htmlentities with ENT_QUOTES
Also, "\n" is one character. You have to replace it in your code, but you must also convert it back when saving.
http://www.php.net/manual/en/function.htmlentities.php
echo htmlentities($str, ENT_QUOTES);
might work but subject to mysql escaping, so a possibly better solution
http://www.php.net/manual/en/info.configuration.php#ini.magic-quotes-gpc
/.htaccess
php_value magic_quotes_gpc off
will prevent php auto-adding the slashes, you can then add them in sql with
mysql_real_escape_string()
in your sql statement
and removing them upon read [for textbox] with
stripslashes()
http://www.php.net/manual/en/function.stripslashes.php
to display in a DIV you'd have to htmlentities() as explained above
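Both the disappearing-backslash question and the textarea question come down to the same thing: escaping applied by hand at the wrong layer. As an added example (not code from any of the posts), the script below writes a value containing a backslash, both kinds of quote and a newline through a prepared statement, reads it back byte-for-byte, and then applies addslashes() on top to show where the stored \' in the textarea question comes from. SQLite via pdo_sqlite stands in for MySQL so the script runs offline; the PDO calls are the same against a mysql: DSN (there you would also set PDO::ATTR_EMULATE_PREPARES to false to get server-side prepares). The table layout mirrors the question's UPDATE but is my own.

```php
<?php
// Added example, not code from the original posts. A value containing a
// backslash, both kinds of quote and a newline is written with a prepared
// statement and read back unchanged, then addslashes() is applied on top
// to show where the stored \' in the textarea question comes from.
// SQLite (pdo_sqlite) stands in for MySQL so this runs offline.
declare(strict_types=1);

function openStore(): PDO
{
    $pdo = new PDO('sqlite::memory:');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->exec('CREATE TABLE commentedText (
        id      TEXT NOT NULL,
        appId   TEXT NOT NULL,
        content TEXT NOT NULL DEFAULT \'\',
        PRIMARY KEY (id, appId)
    )');
    return $pdo;
}

function updateContent(PDO $pdo, string $id, string $appId, string $content): int
{
    // Same shape as the question's UPDATE, but the value is bound, never
    // spliced into the SQL text: neither PHP's string-literal escaping nor
    // MySQL's backslash escaping ever touches it.
    $stmt = $pdo->prepare(
        'UPDATE commentedText SET content = :content WHERE id = :id AND appId = :appId'
    );
    $stmt->execute([':content' => $content, ':id' => $id, ':appId' => $appId]);
    return $stmt->rowCount();
}

function loadContent(PDO $pdo, string $id, string $appId): ?string
{
    $stmt = $pdo->prepare('SELECT content FROM commentedText WHERE id = :id AND appId = :appId');
    $stmt->execute([':id' => $id, ':appId' => $appId]);
    $value = $stmt->fetchColumn();
    return $value === false ? null : (string) $value;
}

// Constructed input: the pageParagraph snippet from the question plus the
// characters the textarea poster had trouble with (', \ and a newline).
$content = "<div class=\"pageParagraph\"><p>Test</p>\n</div> it's a \\ backslash";

$pdo = openStore();
$pdo->prepare('INSERT INTO commentedText (id, appId) VALUES (?, ?)')
    ->execute(['5541d52beb2ea', 'MyAppID']);

if (updateContent($pdo, '5541d52beb2ea', 'MyAppID', $content) !== 1) {
    throw new RuntimeException('update did not hit exactly one row');
}
if (loadContent($pdo, '5541d52beb2ea', 'MyAppID') !== $content) {
    throw new RuntimeException('round trip changed the value');
}

// Escaping by hand on top of a bound parameter stores the escape characters
// as data: the table now holds it\'s and \\ literally. That is what
// addslashes() on write with no stripslashes() on read looks like in the
// textarea, and why magic_quotes_gpc produced the same symptom.
updateContent($pdo, '5541d52beb2ea', 'MyAppID', addslashes($content));
$stored = (string) loadContent($pdo, '5541d52beb2ea', 'MyAppID');
if (strpos($stored, "it\\'s") === false) {
    throw new RuntimeException('expected the stored text to contain a literal \\\'');
}
echo 'round trip intact; the double-escaped copy holds ', substr_count($stored, '\\'),
     ' backslashes that were never in the input', PHP_EOL;
```

When the stored value is later written back into the textarea, the only transformation it needs is htmlspecialchars() with ENT_QUOTES at output; the newline is ordinary textarea content and the backslashes are just bytes, so there is nothing to strip.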