1

I am inserting data into a table which contains some basic html tags, double quotes and single quotes.

I am using the following line to handle the data:

htmlentities($_POST['content'], ENT_QUOTES);

The problem with this is that when I select this data to bring it back onto the screen, it displays the actual HTML tags instead of rendering the HTML, i.e. if I use the <b>bold</b> tag, it displays it as text instead of making the text within that tag bold. If I don't use the above line, i.e.

htmlentities($_POST['content'], ENT_QUOTES);

Then I can't insert the data into the database because the data can contain single quotes and double quotes.

How do I deal with this issue?

So basically, I should be able to insert the data into the database where single or double quotes should not cause a problem. When rendering the data back onto the screen, it should render HTML tags as they should get rendered in the browser, and the quotes should be displayed as quotes in the text being rendered back onto the screen.

oshirowanen

4 Answers

3

You are inserting data into a database, not into an HTML document. Don't use htmlentities. Use whatever methods your database provides for escaping content. This should be something that uses bound parameters. Bobby-tables explains a number of different methods.

Quentin
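To make the point of this answer concrete, here is an added example (not code from the question or from any answer) that stores the text unchanged with a bound parameter and only encodes it when it is rendered; it assumes PDO with the SQLite driver, using an in-memory database in place of MySQL.

```php
<?php
// Added example: store the text as-is with a bound parameter, then decide how
// to encode it at output time. Assumes PDO with the SQLite driver; the
// in-memory database stands in for MySQL.

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE posts (id INTEGER PRIMARY KEY, content TEXT NOT NULL)');

// Constructed sample input standing in for $_POST['content'].
$content = "It's a <b>\"quoted\"</b> line; O'Brien said <i>hi</i>";

// 1. Storage: the bound parameter carries quotes and angle brackets verbatim.
//    No htmlentities, addslashes or mysql_real_escape_string is needed here.
$insert = $db->prepare('INSERT INTO posts (content) VALUES (:content)');
$insert->execute([':content' => $content]);

// 2. Retrieval: what comes back is exactly what went in.
$select = $db->prepare('SELECT content FROM posts WHERE id = :id');
$select->execute([':id' => $db->lastInsertId()]);
$stored = $select->fetchColumn();
var_dump($stored === $content); // confirms storage altered no characters

// 3a. Output as plain text: encode once, at the HTML boundary.
//     This is where the asker's htmlentities call belongs, not before the INSERT.
echo htmlspecialchars($stored, ENT_QUOTES, 'UTF-8'), "\n";

// 3b. Output with a limited tag set. strip_tags keeps attributes on the allowed
//     tags, so on its own it does not neutralise event-handler attributes;
//     for user-supplied HTML use a real sanitizer library such as HTML Purifier.
echo strip_tags($stored, '<b><i>'), "\n";
```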
2
$html = mysql_real_escape_string($html);

http://php.net/manual/en/function.mysql-real-escape-string.php

Make sure you have made a proper MySQL connection with mysql_connect before using this function.

DhruvPathak
  • I changed `htmlentities(($_POST[content]), ENT_QUOTES);` to `mysql_real_escape_string($_POST[content]);` and it saved a blank record into the database instead of the text I was expecting it to save... I am connecting as follows: `$connection = mysql_connect('localhost', 'user', 'pass') or die (mysql_error());` – oshirowanen Oct 21 '11 at 09:46
  • Did you have mysql_connect in your code? If you are facing problems with this, try the `addslashes` function instead. – DhruvPathak Oct 21 '11 at 09:49
  • Are you assigning the content back to the variable? `$html = mysql_real_escape_string($html)` is correct, but only doing `mysql_real_escape_string($html)` will have no effect on the $html variable. – DhruvPathak Oct 21 '11 at 09:51
  • Yes, I was assigning it back to a variable but it was not working. However, addslashes seems to be doing the trick. Thanks. – oshirowanen Oct 21 '11 at 09:55
  • Also have a look at http://stackoverflow.com/questions/534742/what-does-mysql-real-escape-string-do-that-addslashes-doesnt to know more. – DhruvPathak Oct 21 '11 at 09:58
0

You have to use strip_tags($str); if you want to remove only HTML tags. Single quotes or double quotes will remain. But the problem in your case is that you are putting lots of white space in with your strings, so you can perfectly well use strip_tags($str);

Shevliaskovic
zulqer
-1

Putting so much HTML code into the MySQL table seems an ugly method to me. It is needed if you are adding a post, but if you are saving a page which you may repopulate, you may consider another way.

This is my method of doing this:

  1. Clear any HTML code
  2. Put the useful data into an array (serialize the array)
  3. Save the array into the database
  4. Repopulate the array when the page is called (unserialize the array)

This let me store <1kb of data instead of 125kb.

This is a good way if you are using templating-like systems.

Sinan Eldem