
This is an odd problem for me. When I am using the web site in English, html_entity_decode works fine, but when I change the language, the function is kind of not working: the HTML tags can be seen.

I am using `trim(htmlentities($this->input->post('page_srb')))` to insert into the DB, and `<?php echo html_entity_decode($page->page) ?>` to show the page. What seems to be the problem?

This is a sample of the page when I am using the English language (at the moment I am using the same text):

[screenshot]

This is the same sample of the page when I change to the Serbian language:

[screenshot]

Sasha
  • Your code omits the key point: how you tell PHP that your data is in English or Serbian. – Álvaro González Sep 10 '13 at 10:39
  • Better off providing the exact code you're using for input and output of the text: everything from where the POST data first gets picked up to the DB insert, then everything from the DB select to echo/print. – Lee Sep 10 '13 at 10:41
  • I am using a session to do that. The default language is English, and later on I can change the language via a function created for that. – Sasha Sep 10 '13 at 10:41
  • @Sasha - Are you aware that PHP cannot understand human languages? You are changing the text encoding somehow (or possibly relying on default encodings all the way through). If you don't explain how, we cannot tell what's wrong. – Álvaro González Sep 10 '13 at 10:51
  • I guess that you are not applying `html_entity_decode` when changing the language!!! –  Sep 10 '13 at 10:52
  • @Akam **html_entity_decode** is always applied. Alvaro, I am looking through the code, but as far as I can see, I am relying on default encodings all the way through, as you say. – Sasha Sep 10 '13 at 10:54
  • Then I suggest you switch to UTF-8: [UTF-8 all the way through](http://stackoverflow.com/questions/279170/utf-8-all-the-way-through) – Álvaro González Sep 10 '13 at 11:02

1 Answer


Never mix view and storage functions; it's bad practice, something I spent years forcing out of my peers in dev agencies.

Store your HTML in your database with the correct collation (utf-8?), then use html_entities_encode whenever you don't wish to output valid HTML for the browser to render (i.e. by default, whatever comes out of the database will be un-escaped/un-encoded, so the browser will render it).

By doing this, it allows clear separation and guidelines. A classic example is "what if someone edits your text directly in the DB?"; you might say that never happens, but it MIGHT at some point, or someone might be able to insert data into that table via another form that doesn't encode data.

Define some programming rules and follow them. If you're inserting data, then focus on protecting the store; if outputting, focus on protecting the client. Consistency will pay off in the long run.

Lee
  • I am a bit lost here. You are saying that I should not store HTML in the DB with the htmlentities function, if I understand right? – Sasha Sep 10 '13 at 10:52
  • Yes @Sasha, right: save the HTML as you get it from the user or the source, but when you want to output it, then you can encode or filter it to avoid XSS attacks. –  Sep 10 '13 at 10:53
  • Nope, I'm saying that you SHOULD NOT `html_entities` the HTML when storing it in the DB, and since you want the browser to render the HTML correctly, you SHOULD NOT `html_entities_decode` it either. – Lee Sep 10 '13 at 10:53
  • Well, I understand the first part :D. And now off to work to change the code :). Thank you for the info about this :). Did not know that. – Sasha Sep 10 '13 at 10:56
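The rule from the answer in working PHP, as an added example that is not code from the question, the answer or CodeIgniter: store the raw UTF-8 page body, never `htmlentities()` on the way in and never `html_entity_decode()` on the way out, escape only where a value must be shown as text, and pass the charset explicitly so nothing depends on PHP's or the DB driver's defaults. It also shows the failure mode behind "relying on default encodings": `htmlspecialchars()`/`htmlentities()` return an empty string for input that is not valid in the charset they were told to use, unless `ENT_SUBSTITUTE` or `ENT_IGNORE` is set. The Serbian sample string, the function names and the hand-built Latin-2 byte string are constructed for the example; the mbstring extension is assumed to be loaded.

```php
<?php
declare(strict_types=1);

// Added example, not code from the question, the answer or CodeIgniter.
// Store the raw UTF-8 HTML; escape only at the point where a value must be
// shown as text, and always name the charset.

// Constructed sample: a Serbian page body as it would arrive in page_srb.
// The non-ASCII letters are what exposed the encoding dependence.
const SAMPLE_SRB = '<p>Dobrodošli na <strong>našu</strong> stranicu. Ćao!</p>';

/**
 * Storage side. Trim and validate, but do not entity-encode: the table
 * should hold the page exactly as the author wrote it.
 */
function prepareForStorage(string $html): string
{
    $html = trim($html);
    // Reject bytes that are not valid UTF-8 rather than letting them into the
    // table, where every later conversion will choke on them.
    if (!mb_check_encoding($html, 'UTF-8')) {
        throw new InvalidArgumentException('page body is not valid UTF-8');
    }
    return $html;
}

/**
 * Output side, case 1: the field is HTML written by a trusted editor and the
 * browser is meant to render it. Nothing to decode, because nothing was
 * encoded on the way in. For untrusted authors this is where an HTML
 * sanitizer (tag whitelist) belongs; an escaping function is the wrong tool.
 */
function renderAsHtml(string $stored): string
{
    return $stored;
}

/**
 * Output side, case 2: the value must appear as text (a heading, an
 * attribute value, a search result). This is the XSS boundary, so the quote
 * flags and the charset are stated, not left to php.ini or the PHP version.
 */
function renderAsText(string $stored): string
{
    return htmlspecialchars($stored, ENT_QUOTES | ENT_HTML5 | ENT_SUBSTITUTE, 'UTF-8');
}

/**
 * Why "default encodings all the way through" is fragile. With UTF-8 as the
 * charset (the default since PHP 5.4) and no ENT_SUBSTITUTE/ENT_IGNORE flag,
 * htmlspecialchars() returns an empty string for bytes that are not valid
 * UTF-8. A row read back over a latin1/latin2 connection is exactly such
 * input, so the whole page body silently disappears from the view.
 */
function escapeWithAndWithoutSubstitution(string $bytes): array
{
    return [
        'strict'      => htmlspecialchars($bytes, ENT_QUOTES, 'UTF-8'),
        'substituted' => htmlspecialchars($bytes, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8'),
    ];
}

// Usage.
$stored = prepareForStorage(SAMPLE_SRB);
echo renderAsHtml($stored), PHP_EOL;   // the browser renders <p> and <strong>
echo renderAsText($stored), PHP_EOL;   // the browser shows the tags as literal text

// Constructed by hand: "š" as the single byte 0xB9 it has in ISO-8859-2,
// which is what a mis-configured DB connection would hand back for the row.
$latin2Bytes = "<p>Dobrodo\xB9li</p>";
var_dump(escapeWithAndWithoutSubstitution($latin2Bytes));
```

The other half of the "UTF-8 all the way through" advice from the comments is outside PHP's string functions: the DB connection charset (in CodeIgniter, the `char_set` and `dbcollat` entries in `application/config/database.php`) and the `<meta charset="utf-8">` in the view have to agree with the charset passed to `htmlspecialchars()`, otherwise the `strict` branch above is what the Serbian page hits.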