how to redisplay html after being escaped for mysql

[Lodius2000]

so I use mysql_real_escape_string() when i put data, that contains html tags from a text area into my db, when I want to display on my webpage I use stripslashes(), but everything has gone all haywire, all the <> and "" and '' have been reduced to entities and so none of the formatting is there anymore, I am at a loss as to how to fix it, right now i have stripslashes(html_entity_decode($row['data']) and things are still all jibberish

 

the worst part is when i am typing in my textarea and I want a hard return (a "

 

" space like the one above) for ease of reading, mysql_real_escape_string() encodes it as \r\n so when strip slashes comes along i am left with rn's all over the place

 

here is an example

 

this

<p>
this
is
<span class="blah"> some </span><span class='blah2'>test
<br />
text.
</p>

 

prints on my web page

rnthisrnisrn some testrn

rntext.rn

 

and the source code looks like

<p>rnthisrnisrn<span class="blah"> some </span><span class='blah2'>testrn<br />rntext.rn</p>

 

and the data in my db looks like this

<p>\r\nthis\r\nis\r\n<span class=\"blah\"> some </span><span class=\'blah2\'>test\r\n<br />\r\ntext.\r\n</p>

 

Help!

 

thank you

[Guest]

when you pull the data out use stripslashes to remove all the \

 

http://us2.php.net/stripslashes

[Rowno]

You could use nl2br(htmlentities($str, ENT_QUOTES)) before you submit the data to the database. This will first html encode all characters (including quotes, that's what ENT_QUOTES does) and then adds <br /> tags to all spaces.

 

Then all you have to do when you retrieve the data is use html_entity_decode($str, ENT_QUOTES) on it.

 

This way you won't have any problems with \'s and \r\n's.

 

Be careful of html injection though since any html someone enters will be shown.

[dannyb785]

^^ did you even read his question? He said that he uses stripslashesand it messes things up.

 

I dont know how the text is when you're inserting it in the database, but it needs to be like this... don't do anything do it(except addslashes) when inserting. Don't give it entities or anything. When displaying the data, do stuff to it just before outputting it.

 

Like for example:

while($row = mysql_fetch_assoc($result))
{
  extract($row);
  $text = htmlentities($page_data);
  echo $text;
}

 

And if you're putting the data into a textarea or input field, you don't need to do anything to it

while($row = mysql_fetch_assoc($result))
{
  extract($row);
  echo "<textarea rows=5 cols=5 name=whatever>$text</textarea>";
}

 

I never use stripslashes.. ever. If you need to use them, then you've been adding slashes when you don't need to.

 

I think you may have magic_quotes on. When that's on, it adds slashes automatically. And then if you try to remove slashes, it will find "\n" and make it "n"

[Rowno]

^^ did you even read his question? He said that he uses stripslashesand it messes things up.

I hope that wasn't aimed at me but at jeff8j

[dannyb785]

Yep, there are 2 arrows 

[Rowno]

lol