I have saved some information in database with MySQL, now i want to show them, cause it contains some tags like <div>, <p>, etc. I just want them showed as raw html code, anyone can tell me how? i try to use `html_entity_decode(), but it does not work.
Example:
<div><b>Prénom/Nom : </b>tantantan tan</div>
<div><b>Pseudonyme : </b>nickname</div>
<div><b>Résidence principale : </b>69001 Lyon 1er</div>
<div><b>Autre résidence : </b> Place bellecours 69002 Lyon 2e</div>
====== in fact , i need to do in this way.
#using serialize() method
$data = serialize($_SESSION);
$sql = "Insert into sessioninfo `data` values('$data')";
and then
# I assume you can retrieve the data from database and assign to the following variable
$data = unserialize($row['data']);
perfectly resolve my problem. thanks everyone.
This is not an mysql_real_escape_string data but html_specialchars() encoded data
you can do the reverse with htmlspecialchars_decode()
Try html_entity_decode:
echo html_entity_decode($string);
Would recommend not to apply htmlspecialchars when you save the database.
The sanitize should be applied when sending output, if necessary.
Related
I have a PHP project that allows users to submit an article / tutorial and before I insert the data to my database I do
$content1 = htmlspecialchars($userscontent);
$content = htmlentities($content1, ENT_QUOTES);
for safety purposes and when I output the data from my database I decode it. Now I want that text to be structured and not just written on one line and I also want to add the ability to add images to the articles and I have no idea which is the best way to go about this.
Any help is appreciated.
Could you not just use the decode?
$result1 = html_entity_decode($result, ENT_QUOTES);
$result = htmlspecialchars_decode($result1);
References:
Html entity decode
Htmlspecialchars decode
Although, I would definitely recommend doing what #CD001 says and use the HtmlPurifier library.
I have a form where I can also write HTML tags. I must save this textarea preserving every single HTML tag. So here's the code:
foreach($_POST["comment"] AS $key => $value)
{
mysql_query("UPDATE comments SET title= '".$value["title"]."', comment = '".$value['comment']."' WHERE id = '".$value["id"]."'");
}
When I try to save this:
<b>Hello</b>
In MySQL I get this result:
<b>Hello</b>
I must keep every single HTML as it is. If I write <b> I must save exactly <b> in database. I tryed escaping, html etities, quotes, strip slashes (...) but this guy keep saving everything in the wrong way.
p.s. Before you ask yes, description field is TEXT tupe with UTF-8 encoding.
Have you tried using http://php.net/manual/en/function.htmlspecialchars-decode.php on the mentioned value? This should do exactly what you're asking.
try running:
$sStr = '<b>Hello</b>';
echo htmlspecialchars_decode($sStr);
And it will be encoded properly. Feeding that to the database stores the value correct.
Also, but this is more of a side-notice, you really shouldn't save post data without validating the input. I do assume this is just a quick example and not production code? However, just a suggestion.
You need to escape the entry. If you are using the mysql method, you need the mysql_escape_string function like:
$string = mysql_escape_string("<br>Hello</br>");
I have a URL that contains a department name that will pull records from the database.
The URL looks like this: submissions.php?department=Settings,%20Security%20&%20Payments which is the equivalent of Settings, Security & Payments
My query needs to pull records from the table where the department is equal to Settings, Security & Payments.
How can convert that GET variable back to what I would expect it to be?
I tried html_entity_decode but it ignores the & and only gave me everything prior to that.
Whats the best way to do that?
Side note, if it was my data I would make it simple and pull it by ID but we dont have a table that has ID's for the departments.
Try urldecode()
You can see the manual here. http://uk3.php.net/urldecode
<?php
$string = "submissions.php?department=Settings,%20Security%20&%20Payments";
$decoded = urldecode($string);
echo "Original string: $string\n";
echo "Decoded string: $decoded\n";
?>
http://codepad.org/Bq1Gt30s
Use urldecode($your_URLstring)
I'm storing HTML and text data in my database table in its raw form - however I am having a slight problem in getting it to output correctly. Here is some sample data stored in the table AS IS:
<p>Professional Freelance PHP & MySQL developer based in Manchester.
<br />Providing an unbeatable service at a competitive price.</p>
To output this data I do:
echo $row['details'];
And this outputs the data correctly, however when I do a W3C validator check it says:
character "&" is the first character of a delimiter but occurred as data
So I tried using htmlemtities and htmlspecialchars but this just causes the HMTL tags to output on the page.
What is the correct way of doing this?
Use & instead of &.
What you want to do is use the php function htmlentities()...
It will convert your input into html entities, and then when it is outputted it will be interpreted as HTML and outputted as the result of that HTML...For example:
$mything = "<b>BOLD & BOLD</b>";
//normally would throw an error if not converted...
//lets convert!!
$mynewthing = htmlentities($mything);
Now, just insert $mynewthing to your database!!
htmlentities is basically as superset of htmlspecialchars, and htmlspecialchars replaces also < and >.
Actually, what you are trying to do is to fix invalid HTML code, and I think this needs an ad-hoc solution:
$row['details'] = preg_replace("/&(?![#0-9a-z]+;)/i", "&", $row['details']);
This is not a perfect solution, since it will fail for strings like: someone&son; (with a trailing ;), but at least it won't break existing HTML entities.
However, if you have decision power over how the data is stored, please enforce that the HTML code stored in the database is correct.
In my Projects I use XSLT Parser, so i had to change to (e.g.). But this is the safety way i found...
here is my code
$html = trim(addslashes(htmlspecialchars(
html_entity_decode($_POST['html'], ENT_QUOTES, 'UTF-8'),
ENT_QUOTES, 'UTF-8'
)));
And when you read from DB, don't forget to use stripslashes();
$html = stripslashes($mysq_row['html']);
I posted this question last week, but I wasn't very clear on what was needed. So I'm reposting right now.
I have a string stored in a database, which looks something like this:
<5u79cfda 4d01ga3a 11c833f9 7b52df2a 7g210252 e21b01fa a73d3463 9ge0e412>
I'm trying to insert this into a web address, but needs to be encoded properly for it to work. I'm running a query to obtain the script:
$result = mysql_query("SELECT cPushID FROM tblUsers WHERE intUserID='20' AND Length(cPushID) > 70");
$pid = mysql_fetch_row($result);
Then trying to insert it into this web address to be executed:
file_get_contents("http://domain/test.php?msg='Test!'&to=$pid");
How do I properly insert this string into the web address so it will be read properly upon execution.
Thanks for your help.
Use urlencode.
How about urlencode?
$encoded = urlencode($some_string");
Pass that encoded string to file_get_contents
If you ever need to decode it, use urldecode()
http://php.net/manual/en/function.urlencode.php
You need to urlencode() your query string in order to safely encode those spaces (and possible angle brackets as well?!)
file_get_contents("http://domain/test.php?msg='Test!'&to=".urlencode($pid));
The query string is automatically decoded when you read $_GET['pid']