I have a link stored in my database, lets say it's
http://somedomain.com/page.php?username=tom&surname=smith
When I bring this back to html, I get an xhtml error because of the &
How do I convert the & to an &
Also, I have some links in the database which already have & instead of &
So, how do I convert & when required, but not convert & to &
Don't store escaped/encoded text. You never know what format the text will be required to be in when you retrieve it. If you store it URL-encoded, but you have to insert it into an HTML document,then you have to undo the url encoding and switch to HTML encoding. Which is a waste. Best to store it in 'raw' format and convert as needed at the time you need it.
Use htmlspecialchars() to escape/encode the XML/HTML metacharacters prior to inserting into your XML document.
You can use htmlentities.
The easiest way would be do replace all & to &, and then all & to $#38;, such as
$content = str_replace("&", "&", $content);
$content = str_replace("&", "$#38;", $content);
But you should not store data like that in your database.
Related
I have some text that I will be saving to my DB. Text may look something like this: Welcome & This is a test paragraph. When I save this text to my DB after processing it using htmlspecialchars() and htmlentities() in PHP, the sentence will look like this: Welcome & This is a test paragraph.
When I retrieve and display the same text, I want it to be in the original format. How can I do that?
This is the code that I use;
$text= htmlspecialchars(htmlentities($_POST['text']));
$text= mysqli_real_escape_string($conn,$text);
There are two problems.
First, you are double-encoding HTML characters by using both htmlentities and htmlspecialchars. Both of those functions do the same thing, but htmlspecialchars only does it with a subset of characters that have HTML character entity equivalents (the special ones.) So with your example, the ampersand would be encoded twice (since it is a special character), so what you would actually get would be:
$example = 'Welcome & This is a test paragraph';
$example = htmlentities($example);
var_dump($example); // 'Welcome & This is a test paragraph'
$example = htmlspecialchars($example);
var_dump($example); // 'Welcome & This is a test paragraph'
Decide which one of those functions you need to use (probably htmlspecialchars will be sufficient) and use only one of them.
Second, you are using these functions at the wrong time. htmlentities and htmlspecialchars will not do anything to "sanitize" your data for input into your database. (Not saying that's what you're intending, as you haven't mentioned this, but many people do seem to try to do this.) If you want to protect yourself from SQL injection, bind your values to prepared statements. Escaping it as you are currently doing with mysqli_real_escape_string is good, but it isn't really sufficient.
htmlspecialchars and htmlentities have specific purposes: to convert characters in strings that you are going to output into an HTML document. Just wait to use them until you are ready to do that.
Im having a problem displaying certain data with PHP from the database.
How its currently showing - "SSA's"
How it should show "SSA's"
HTML Meta Tag
meta charset="UTF-8">
PHP Code
$article_title = html_entity_decode(mb_convert_encoding(stripslashes($r->ArticleTitle), "HTML-ENTITIES", 'UTF-8'));
You can decode by using these two methods html_entity_decode() or htmlspecialchars_decode()
Basic Example:
$string = html_entity_decode("SSA's");
echo $string; // result SSA's
$string = htmlspecialchars_decode("SSA's");
echo $string; // result SSA's
Remove the html_entity_decode function, as you are double encoding HTML-ENTITIES
And as #ChrisBanks pointed out, you also don't need stripslashes
You need to call html_entity_decode again because the data is being stored as double encoded and remove the stripslashes.
$article_title = html_entity_decode(html_entity_decode(mb_convert_encoding($r->ArticleTitle, "HTML-ENTITIES", 'UTF-8')));
You might want to investigate how the data is being stored in the database as double-encoded in the first place. Perhaps htmlentities is being called twice somewhere.
To add on to the comment:
You shouldn't store data HTML encoded unless for some reason you really and truly need to (there might be some cases you're required to). It is only on output and rendering on a webpage do you want to use htmlentities.
I just want to add in tag any string.
I am using this code to escape string:
$name = $this->_dom->createElement('name', htmlspecialchars($userName, ENT_COMPAT,'utf-8'));
$item->appendChild($name);
I got a problem, one of my users put to name field some specific symbols, and whole xml feed become broken. How i must escaping string?
Thank for help and sorry for my poor English...
I think adding the xml node's value by using createTextNode instead of passing it as a parameter to createElement may solve your problem.
My solution:
$title = $this->_dom->createElement('title',
htmlspecialchars($playlist->getTitle(),
ENT_DISALLOWED, 'utf-8')
);
And when you output xml, you must strip � (REPLACEMENT CHARACTER) see this related link about ENT_DISALLOWED like:
echo str_replace('�', '', $this->_dom->saveXML());
This way allows us to display any string with html entities and/or special chars.
I have an issue with the special characters. For ex. In the database is written "A & A" (database is set on utf8-unicode-ci).
I am retrieving in autosugest list the values correctly with:
while ($row = mysql_fetch_array($result)) {
$keywords = htmlspecialchars($row['name']);
echo "<keywords>". $keywords ."</keywords>";
}
When I click to select the "A & A" in the input field is filled as A & amp; A
the header is set on :<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
Can you please let me know how to display the special character?
If you want to convert from A & A to A&A, use htmlspecialchars_decode on the text.
If you want to convert from A&A to A & A use htmlspecialchars.
In your case removing htmlspecialchars operation on the text pulled from your database will do.
Since your issue appears to be with the & character being replaced with &, maybe running something like $text = str_replace("&", "&", htmlspecialchars($text)); will work better for you, and prevents XSS.
If you have "A & A" in the database, htmlspecialchars will do that.
Remove htmlspecialchars.
Its better use rawurlencode before you inserting the value to database. Then whenever you fetching the value, use rawurldecode. I think it may solve your problem.
rawurldecode($row['name']);
Check this http://php.net/manual/en/function.rawurlencode.php
I am using tinymce editor to have html page and then insert it in mysql.
I tried this:
$esdata = mysql_real_escape_string($data);
it is working for all html except images. If I have hyperlink like:
http://www.abc.com/pic.jpg
then it makes it somewhat very obscure and the image doesn't appear.
INPUT
<img src="../images/size-chart.jpg" alt="Beer" />
OUPUT
<img src="\""images/size-chart.jpg\\"\"" alt="\"Beer" />
Try to use urlencode and urldecode to escape the string.
As Christian said it is not used for the sake of DB but to keep the things as it is. So you can also use urlencode and urldecode.
For Ex:
//to encode
$output = urlencode($input);
//to decode
$input = urldecode($output);
You shouldn't over-escape code before you send it to DB.
When you escape it, it's done in a way that it is stored in the DB as it was originally. Escaping is not done for the sake of the DB, but for the sake of keeping the data as it was without allowing users to inject bad stuff in your sql statements (prior to sending the stuff in the DB).
You should use htmlspecialchars function to encode the string and htmlspecialchars_decode to display the string back to html