
I have a database set up to store user input and it then displays what they put on the page.

// Backslashes are added and immediately stripped again, then the value is escaped for use inside a SQL string literal
$input = mysql_real_escape_string(stripslashes(addslashes($_POST["input"])));
//Later on
echo '<div>'.$input.'</div>'; // the SQL-escaped value is echoed straight into the HTML

I went to the textarea and typed in some basic PHP code, "<?php echo 'blahblah'; ?>", and it submitted to the database normally, but the homepage doesn't display any of it. No 'blahblah', no tags. I want it to display the entire "<?php echo 'blahblah'; ?>" so people can post whatever they want.

IMSoP
    1) start using [prepared statements and bound parameters](http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php) instead of whatever that thing is you are currently using. 2) use `htmlspecialchars()` to display the data – PeeHaa Sep 28 '13 at 16:37

2 Answers


Escaping needs to be appropriate for its context.

  • When inserting into the database, use mysql_real_escape_string (or migrate to the newer mysqli_real_escape_string, or to PDO) or read up on parameterized queries (AKA prepared statements).
  • When displaying in HTML, use htmlspecialchars or htmlentities.

Never use both in one go, because you will get in a mess, and never use stripslashes(addslashes(...)), because that makes no sense.

IMSoP

You should try the following:

echo '<div>'.htmlentities($input).'</div>';

It converts special characters like < and > to HTML entities so they are displayed correctly in the browser.

dajavax
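Both answers make the same point from different ends: escape for the database when storing (or, better, do not escape at all and bind a parameter) and escape for HTML when displaying. The following is an added example, not code from the question or from either answer, that puts the two halves together in one runnable script. It uses PDO with an in-memory SQLite database so it runs offline; the `posts` table, the `body` column and the helper names `storePost` and `renderPost` are assumptions for illustration. Note that the `mysql_*` functions used in the question were removed in PHP 7.0, so PDO or mysqli is the only option on a current PHP anyway.

```php
<?php
// Added example (not from the original question or answers): one escaping
// scheme per context. Assumes SQLite via PDO so it runs without a MySQL server;
// table "posts" and column "body" are made up for this illustration.
declare(strict_types=1);

// Storage context: a prepared statement with a bound parameter. The driver
// transmits the value separately from the SQL text, so the value needs no
// string escaping and cannot change the meaning of the query.
function storePost(PDO $db, string $body): int
{
    $stmt = $db->prepare('INSERT INTO posts (body) VALUES (:body)');
    $stmt->execute([':body' => $body]);
    return (int) $db->lastInsertId();
}

// Read back by id, again through a bound parameter.
function loadPost(PDO $db, int $id): string
{
    $stmt = $db->prepare('SELECT body FROM posts WHERE id = :id');
    $stmt->execute([':id' => $id]);
    return (string) $stmt->fetchColumn();
}

// Display context: escape for HTML at output time, with the charset stated.
// ENT_QUOTES also encodes the single quote, which matters if the value is ever
// placed inside an attribute; ENT_SUBSTITUTE replaces invalid UTF-8 instead of
// returning an empty string.
function renderPost(string $body): string
{
    return '<div>' . htmlspecialchars($body, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8') . '</div>';
}

// Self-contained database for the example.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE posts (id INTEGER PRIMARY KEY AUTOINCREMENT, body TEXT NOT NULL)');

// Constructed sample inputs: the one from the question plus two that show
// what each escaping layer is there to prevent.
$samples = [
    "<?php echo 'blahblah'; ?>",                // the question's input
    "Robert'); DROP TABLE posts; --",           // would break a string-concatenated INSERT
    "<script>alert(document.cookie)</script>",  // would run in the browser if echoed raw
];

foreach ($samples as $input) {
    // The stripslashes(addslashes(...)) pair from the question is an identity
    // transform, which is why the answer above calls it pointless.
    assert(stripslashes(addslashes($input)) === $input);

    $id     = storePost($db, $input);
    $stored = loadPost($db, $id);

    // What is stored is byte-for-byte what the user typed: no escaping baked in.
    assert($stored === $input);

    // What is sent to the browser is HTML-escaped, so it renders as visible text.
    echo renderPost($stored), "\n";
}
```

For the question's input this prints `<div>&lt;?php echo &#039;blahblah&#039;; ?&gt;</div>`, which a browser renders as the literal text `<?php echo 'blahblah'; ?>`. That is also the reason the original page showed nothing: echoed raw, the `<?php ... ?>` sequence is parsed by the browser as a bogus comment and never displayed. The `<script>` sample is the security-relevant case: stored unchanged in the database, it is harmless until it is echoed without `htmlspecialchars`, at which point it executes for every visitor of the page.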