Entering HTML in a mysql db and displaying it when getting it out

I have a textarea field and I want users to be able to enter some basic HTML, for example, <br /> <strong> etc.

I then want to store this HTML in a mysql database.

When I retrieve the data out of the database, I want the HTML to be working. So if in the database <strong>My Name</strong> is stored, I want it to display on the page in bold text without the html tags.

Now I have tried htmlentities, htmlspecialchars, and mysql_real_escape_string to put it in the database, and the two HTML decode functions to get it out.

What is honestly the best way to do what I am trying to achieve?

PHP

10 Comments

@svidgen (Feb 03 2010): mysql_real_escape_string() is for sanitizing your queries. It helps in preventing SQL injection attacks. You don't want to be without this one.

The other two functions turn things like <'s and >'s into HTML-encoded entities (&gt; and &lt;). It sounds like you want to avoid these ones.

You need to store the HTML as it is, but preferably filtered for "naughty" tags (like <script></script> tags). And, you'll want to be pretty careful about how you perform that filtering ... If you let a <script> tag slip through because your regex didn't account for weird spacing, you'll be opening your site up to novice session hijacking and other miscellaneous novice (and not-so-novice) attacks.
@waMP (author, Feb 03 2010): So what I have done is used WYZZ on the text area box, similar to a fckeditor.

I have entered the following into the text area. I've used some simple php code but it could be harmful code

    Testing This Today <?php echo 'hello';?>

I use $listDescHTML = htmlentities($_POST['listDesc']); then store $listDescHTML in the database. The following is what is stored in the database

    This Today &amp;lt;?php echo 'hello';?&amp;gt;

Then when I display it using <?= htmlspecialchars_decode($list['listDesc']);?>, it displays it ALL with the php code displaying

    Testing This Today <?php echo 'hello';?>

What do I do to make this right?
@svidgen (Feb 03 2010): To make it right? What would the "right" output look like?
@waMP (author, Feb 03 2010): I have also tried using mysql_real_escape_string

I have the WYZZ on the textarea box, similar to fckeditor.

I have entered

    My Test Property <?php echo 'hello';?>

in the text area.

When I submit I use the following before entering it in the database

    $listDescHTML = mysql_real_escape_string($_POST['listDesc']);

This is what is stored in the database

    My Test Property&nbsp; &lt;?php echo 'hello';?&gt;

When I view the data pulled out of the database it displays properly, just as I entered it:

    My Test Property <?php echo 'hello';?>

But back in the text area box which I allow the user to edit, I pull the data out of the database and display it in the box, but it displays without the additional <?php code, so I am assuming the text area box is running it?

    My Test Property

Please help. I don't know what to do to fix this and be safe about it.

Thanks.
@waMP (author, Feb 03 2010): The right output would be to have what is entered in the WYZZ textarea box, including the php code, display on the page and also back in the WYZZ box when I reload it.

With mysql_real_escape_string, it does display on the page correctly when pulled out of the database, but when I display it back in the WYZZ textarea box, the php code isn't displaying.
@svidgen (Feb 03 2010): Pass everything through mysql_real_escape_string() and a sanitize() function before interpolation into your insert/update query. Define your sanitize function to strip the string of "bad" HTML.

    function sanitize($html) {
        // remove script open/close tags (with or without a leading slash,
        // any spacing, any case). this needs to be tested, of course ...
        $rv = preg_replace("/<\s*\/?\s*script\s*>/i", "", $html);

        // ... other filters

        return $rv;
    } // sanitize()

Make sense?
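As an added example (not code from the thread, and not the PHP the poster is using), the block below works through the two @svidgen comments above: an allow-list sanitizer in place of the regex blacklist, the posted regex itself with its escaped slashes restored so its gaps can be checked, and a bound-parameter insert in place of mysql_real_escape_string(). Python stands in for PHP and an in-memory sqlite3 table for MySQL; sanitize_html, ALLOWED_TAGS, the listings table and the payloads in BYPASSES are this example's own, constructed for it.

```python
"""Allow-list sanitizer plus bound-parameter storage for user-supplied HTML.

Added example, not code from the thread. Python stands in for PHP, an
in-memory sqlite3 table for MySQL; sanitize_html, ALLOWED_TAGS, listings and
the sample inputs are this example's own. SCRIPT_TAG is the posted regex.
"""
import html
import re
import sqlite3
from html.parser import HTMLParser

# What the textarea may produce, and which attributes each tag keeps.
ALLOWED_TAGS = {"br": set(), "strong": set(), "em": set(), "p": set(),
                "ul": set(), "ol": set(), "li": set(), "a": {"href"}}
VOID_TAGS = {"br"}
SAFE_HREF = re.compile(r"^https?://", re.IGNORECASE)  # no javascript:, data:, ...


class AllowListSanitizer(HTMLParser):
    """Re-serializes markup: allow-listed tags pass, all other text is escaped.
    Unknown tags/attributes (script, img, onerror, style ...) are dropped; so
    are comments and <?php ... ?> processing instructions (default handlers)."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.open_tags = []  # allowed tags still open, closed in order at the end

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED_TAGS:
            return
        kept = []
        for name, value in attrs:
            if name not in ALLOWED_TAGS[tag] or value is None:
                continue
            if name == "href" and not SAFE_HREF.match(value.strip()):
                continue  # javascript:, data:, vbscript: and relative tricks
            kept.append(f' {name}="{html.escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")
        if tag not in VOID_TAGS:
            self.open_tags.append(tag)

    def handle_endtag(self, tag):
        if tag in VOID_TAGS or tag not in self.open_tags:
            return
        while self.open_tags:  # also closes anything left open inside it
            top = self.open_tags.pop()
            self.out.append(f"</{top}>")
            if top == tag:
                break

    def handle_data(self, data):
        self.out.append(html.escape(data, quote=False))  # text is never markup

    def result(self):
        self.close()
        while self.open_tags:
            self.out.append(f"</{self.open_tags.pop()}>")
        return "".join(self.out)


def sanitize_html(untrusted):
    parser = AllowListSanitizer()
    parser.feed(untrusted)
    return parser.result()


# The posted approach: strip <script> tags by regex and trust the rest.
SCRIPT_TAG = re.compile(r"<\s*/?\s*script\s*>", re.IGNORECASE)

def blacklist_sanitize(untrusted):
    return SCRIPT_TAG.sub("", untrusted)

# Constructed payloads the blacklist lets through; the allow-list neutralizes all.
BYPASSES = [
    "<scr<script>ipt>alert(1)</script>",  # removing the inner tag assembles a new one
    "<script src=//example.invalid/x.js></script>",  # an attribute breaks the pattern
    "<img src=x onerror=alert(1)>",  # no script tag at all
]

def blacklist_misses():
    """Payloads still carrying a script tag or event handler after blacklist_sanitize."""
    return [p for p in BYPASSES
            if "<script" in blacklist_sanitize(p).lower() or "onerror" in blacklist_sanitize(p)]


def store_description(conn, untrusted_html):
    """Sanitize once on the way in; bind the value instead of escaping it into SQL."""
    clean = sanitize_html(untrusted_html)
    conn.execute("INSERT INTO listings (description) VALUES (?)", (clean,))
    return clean

def render_into_textarea(stored_html):
    """Stored HTML goes into the page as-is; into an editable field it is escaped."""
    return html.escape(stored_html, quote=False)


def demo():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE listings (id INTEGER PRIMARY KEY, description TEXT)")
    store_description(conn, "<strong>My Name</strong><br /><scr<script>ipt>x</script> O'Brien")
    stored = conn.execute("SELECT description FROM listings").fetchone()[0]
    return stored, render_into_textarea(stored), blacklist_misses()
```

sanitize_html keeps the tags the question asks for (br, strong and a few more) and escapes everything else as text, so nothing typed can become a tag outside ALLOWED_TAGS; blacklist_misses() returns all three payloads, which is the "weird spacing" problem from the first comment in concrete form. The storage side carries to PHP unchanged: a prepared statement (PDO or mysqli) takes the place of mysql_real_escape_string(), and the HTML is escaped at most once, on the way into an editable field, never on the way into the table.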
@ericatekka (Feb 03 2010): So you want the php code to run after it's being pulled from the db? Can you show us the code that echoes out your SQL table's contents.
@waMP (author, Feb 03 2010): This is what is being stored in the database

    My Test Property&nbsp; &lt;?php echo 'hello';?&gt;

It is inserted with mysql_real_escape_string($_POST['listDesc'])

When I display it on a web page, it displays

    My Test Property <?php echo 'hello';?>

This is fine!

However, I want to display this same text back in the WYZZ textarea. WYZZ is similar to a fck editor where the user can enter text, make it bold, etc.

When I display the data from the database in the WYZZ text area, it doesn't display the <?php echo 'hello';?>. It just displays My Test Property

I want it to display it all in the text area box just as it was put in.

    My Test Property <?php echo 'hello';?>

So how do I take the

    My Test Property&nbsp; &lt;?php echo 'hello';?&gt;

and display it all in the textarea WYZZ editor box?
@ericatekka (Feb 03 2010): Place it in the value="<? echo $OUTPUT; ?>"
@waMP (author, Feb 03 2010): I do....

    <textarea name="listDesc" id="listDesc" cols="40" rows="7">
    <?=$_SESSION['listDesc'];?>
    </textarea>

But it's not displaying the <?php part in the text area....
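The thread ends without an explanation of why the <?php ... ?> shows on the page but not in the editor. As an added example, not from the thread, the block below uses Python's html.parser in the role of the browser to show the mechanics: to an HTML parser "<?" opens a processing instruction, so the PHP tag never becomes visible text unless it is entity-encoded first, and encoding it twice shows the entities themselves. It assumes the WYZZ editor loads its initial content as HTML, which is the usual behaviour of a rich-text editor; TYPED and IN_DB are constructed from the values quoted in the thread, and parse_as_html and for_editor are this example's own.

```python
"""Why the PHP tag survives on the page but vanishes in the editor.

Added example, not from the thread. html.parser plays the browser; the
assumption is that the WYZZ editor loads its content as HTML. TYPED and
IN_DB are constructed from the values the thread quotes.
"""
import html
from html.parser import HTMLParser


class SeenByReader(HTMLParser):
    """Separates the text a reader would see from processing instructions."""

    def __init__(self):
        super().__init__(convert_charrefs=True)  # decode &lt; &nbsp; etc. into text
        self.text, self.pis = [], []

    def handle_data(self, data):
        self.text.append(data)

    def handle_pi(self, data):
        self.pis.append(data)  # "<?php ... ?>" lands here, never in handle_data


def parse_as_html(markup):
    """Returns (visible text, dropped processing instructions) for markup."""
    parser = SeenByReader()
    parser.feed(markup)
    parser.close()
    return "".join(parser.text), parser.pis


TYPED = "My Test Property <?php echo 'hello';?>"                  # what was typed
IN_DB = "My Test Property&nbsp; &lt;?php echo 'hello';?&gt;"       # what the DB held


def for_editor(stored):
    """Escape exactly once so an HTML-loading editor shows the markup as text."""
    return html.escape(stored, quote=False)


def demo():
    return {
        "typed, loaded as HTML": parse_as_html(TYPED),           # PI dropped: PHP gone
        "db value, loaded as HTML": parse_as_html(IN_DB),        # entities decode: visible
        "typed, escaped for editor": parse_as_html(for_editor(TYPED)),  # visible again
        "db value, escaped again": parse_as_html(for_editor(IN_DB)),    # double-encoded
    }
```

The four cases line up with the thread: the raw typed string loses its PHP tag the moment something parses it as HTML (the editor), the entity-encoded database value displays it (the page), escaping the raw value once before handing it to the editor brings it back, and escaping the already-encoded value again leaves literal "&lt;" on screen. The fix is to decide whether the column holds HTML or text and encode exactly once on output, in the one place where the value is loaded into an editable field.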