All,
I'm inserting some text from a textarea in a mySQL database. I'm using mysql_real_escape_string() to do this. I'm using stripslashes() to remove the "\" that gets inserted in front of this to display it. However when I output this it gives me the following result for something like wasn't I get wasn\\'t and if someone hits enter in my text area I get \r\n\r\n and that is also displayed.
In my database it stores correctly with a single slash and the return but it doesn't output that the same way when it's outputed. Any idea why it would be doing this?
Thanks
As long as you are double checking how your outputting data. I used.. serialize(), and unserialize(). Takes care of any special characters it seems. Have you tried that?
Related
I would like to know how its possible to stop the following HTML code from
Inserting into the column of the table
Not show up as an image
The column is VARCHAR inserted via text-box
'<img src="SOMEIMAGELOCATION.jpg" alt="STACKOVERFLOWRULES" style="width:69px;height:69px;">'
As expected I'm currently testing my points of entry where data is taken in , I guess somewhere in my query I need to prevent this?
If you don't want to store HTML, you have to convert the input-data from a string containing HTML to one that doesn't. You have a few options.
If you just want everything to come out exactly as typed, without turning into html, use the htmlentities function:
http://php.net/manual/en/function.htmlentities.php
If you just want to get rid of the HTML entirely and leave only plain text, use the striptags function:
http://php.net/manual/en/function.strip-tags.php
I'm having lots of trouble preserving the exact look of how a user types out a short paragraph.
My problem is that random slashes and html show up. When people would hit enter while typing the message, "\r\n\" would show up when it's echoed later. I tried fixing that but now when the user types an apostrophe while composing a message, it gets inserted into the database with 3 back slashes, and thus echoed later with 3 back slashes with the apostrophe. Frustrating! I want to just start over!
Here's what I do.
User types a message in an input field and hits submit.
That message gets inserted into the database with type varchar(280) via php.
That message gets echoed via php.
I've tried many different things like nlbr and strip_tags and stripslashes and mysql_real_escape_string and others. I might be using these all in a certain combination that messes it up.
So my question is what is the best way to preserve exactly how someone composes a text paragraph to be later echoed via php to look just like how they typed it?
Make sure Magic Quotes are off or, if you can't disable them, cleanse your strings from them. Read the manual for details: http://www.php.net/manual/en/security.magicquotes.php
When inserting your text into the database, escape it properly for SQL syntax once or, better, use prepared statements. See How can I prevent SQL injection in PHP? and The Great Escapism (Or: What You Need To Know To Work With Text Within Text).
When outputting to HTML, use htmlspecialchars to avoid HTML injection or plain syntax problems and afterwards use nl2br to format line breaks specifically for HTML.
That's basically it.
On the second step you need to escape it with mysql function.
But for correct outputing it you need to do following
<pre><?= htmlentities($mysqlRow['data']); ?></pre>
This will get from database result needed information and will outputs it like it is. With all spaces and tabs and html tags in it. (If user enters <html> this will output <html> like text)
i'm developing a website that has a shoutbox application,
what i want to do is how to accept if the user or a guest is inserting php tags as his/her message or shout just like want you can see on the image..
i'm using mysql_real_escape_string for the guest name and for the message..
i want php to treat that as a text and display it as a text not a tag or a code..
when i entered a shout like that, no message appears just like the shout of the (guest:3:34pm) no message displayed, and when i check my database to see if the shout is inserted.. no data inserted on the messages column of my tb_shoutbox..
i tried it on facebook chat i enter a php tag and html tag and it accept that kind of message.. how to do that..
some help please..
You need to convert certain characters (such as "<") to HTML entities. The htmlentities function can be used like so:
echo htmlentities($guest_comment, ENT_QUOTES, 'utf-8');
To build on Wayne Whitty's completely correct answer and answer on your comment on his answer:
mysql_real_escape_string is used when you want to insert a variable's data into a MySQL database using a MySQL query, without breaking the query with the variable's content.
That prevents people from doing SQL injections on your shoutbox.
htmlentities on the other hand is used when you want to stop people from breaking your PHP script (which can be very unpleasant). It encodes the string you gives it into pure html. It's like it is telling the browser that this string, whatever is in it, should be displayed right of to the user. No code parsing is done.
So to answer your question: Somewhere in your code you have a PHP line that echoes the messages from the database/file. You need to modify that line so it first encodes the message with htmlentities, then shows it to the use
You should use HTMLEntities in order to display tags as plain text.
I am inserting data into a table which contains some basic html tags, double quotes and single quotes.
I am using the following line to handle the data:
htmlentities(($_POST[content]), ENT_QUOTES);
The problem with this is that when I select this data to bring it back onto the screen, displays the actual html tags instead of rendering the html, i.e. if I use the <b>bold</b> tag, is displays it as text instead of making the text within that tag bold. If I don't use the above line, i.e.
htmlentities(($_POST[content]), ENT_QUOTES);
Then I can't insert the data into the database because the data can contain single quotes and double quotes.
How do I deal with this issue?
So basically, I should be able to insert the data into the database where single or double quotes should not cause a problem. When when rendering the data back onto the screen, it should render html tabs as they should get rendered into the browser and the quotes should be displayed as quotes in the text being rended back onto the screen.
You are inserting data into a database, not into an HTML document. Don't use htmlentities. Use whatever methods your database provides for escaping content. This should be something that uses bound parameters. Bobby-tables explains a number of different methods
$html = mysql_real_escape_string($html);
http://php.net/manual/en/function.mysql-real-escape-string.php
Make sure you have made a proper mysql connection mysql_connect before using this function.
you have to use strip_tags($str);
if you want remove only html tags.. single quote or double quote will remain...
but the problem in your case is ...you are putting lots of white space with your strings so you can perfectly use use strip_tags($str);
Putting so much HTML codes into the mysql table seems an ugly method to me, it is needed if you are adding a post but if you are saving a page which you may repopulate you may consider another way.
this is my method doing this:
Clear any html code
Put useful data into array (serialize array)
Save array into database
Repopulate array when the page is called (unserialize array)
This saved me to put <1kb data instead of 125kb
This is a good way if you are using templating like systems.
I'm having problems inserting commas (,) in my text fields in html. When I submit it to mysql, it deletes the data. How do I work with this?
I've tried mysql_real_escape_string() but that still doesn't work. I have lots of data, and I don't want to use str_replace either. Is there another alternative?
escape your message before you send it to the server, so it's stored escaped, then unescape it when you print it in your html page.
so... msgTosend = escape(whateverText);
and then when you're printing
msgToPrint = getFromDatabase(unescape(myText))
however, as the comment points out, you're obviously doing something dreadfully wrong altogether.
If you're storing strings (as it sounds) you need to be wrapping them in quotes before you store them. Once you do that no amount of commas can ruin anything. If you're not storing strings, but some other data type, then you should be breaking those out into individual variables on the server before storing anything. The potential for malice or just plain breakage is basically 100% with what it sounds like you're doing.