MasterACE14 Posted August 15, 2011

Well, if it's only you adding the articles to the database, then you could (although I don't recommend it) forget about using mysqli_real_escape_string().

> So you are saying that if I don't encode and decode my HTML tags, that they won't work when I echo the field?

When you 'Add' an article to the database you use htmlentities() on it. Then when you 'Echo' that article from the database you use html_entity_decode() on it. Example:

add:
// $link is your mysqli connection; procedural mysqli_query() needs it as the first argument
$article = htmlentities($_POST['body']);
$q = mysqli_query($link, "INSERT INTO `articles` (body) VALUES ('".$article."')");

echo:
$q = mysqli_query($link, "SELECT `body` FROM `articles`");
while ($row = mysqli_fetch_assoc($q)) {
    echo html_entity_decode($row['body']);
}
doubledee (Author) Posted August 15, 2011

> You never want to have htmlentities-encoded strings stored in your database. What happens when you want to generate a CSV or PDF, or anything which isn't HTML? Keep the data clean, and only escape for the specific context of the moment.

From this link... http://stackoverflow.com/questions/2077576/php-mysql-when-exactly-to-use-htmlentities

Debbie
MasterACE14 Posted August 15, 2011

> only escape for the specific context of the moment.

You're storing an HTML page in the database; in this case, this is the way in which you can achieve what you want to. Unless you're planning on making a PDF or CSV file out of your article, this is fine.
doubledee (Author) Posted August 16, 2011

Can you explain this code and how you used single and double quotes and periods?!

VALUES ('".$article."')");

Thanks,
Debbie
phpSensei Posted August 16, 2011

Inserting pure HTML code can be a real security issue, DoubleDee; I suggest using BBCodes instead. It's not that MySQL doesn't like holding data with single/double quotes; it's during the query that it can be a problem, since it breaks the SQL, which leads to MySQL injections, which is why we use mysql_real_escape_string. If you properly escape your data, you don't need stripslashes...

Also, if your site is running UTF-8, then make sure your fields are utf8_unicode collation and use htmlspecialchars for the value, which supports an option called charset.
doubledee (Author) Posted August 16, 2011

> Inserting pure HTML code can be a real security issue DoubleDee, I suggest using BBCODES instead. Its not that Mysql doesn't like holding data with Single/Double Quotes, its during the Query that it can be a problem since it breaks the sql, which leads to Mysql Injections, which is why we use mysql_real_escape_string.

I can't trust my own articles being input by me? I just need a way for *me* to input my marked-up articles into my database. It's hard to believe that most online publications (e.g. NY Times) don't just use HTML.

> If you properly escape your data, you don't need StripSlashes...

mysqli_real_escape_string will add a backslash (\) before every quote, right? So without removing that escape character before I display the HTML/text stored in my database, I would get output like...

Mom\'s cookies are the best ever. (Although gram\'s are pretty good too?!)

> Also if your site is running UTF-8, then make sure your fields are tf8_unicode collate and htmlspecialchars for the value which supports an option called charset

I'm not following you... Here is what my table says in phpMyAdmin...

Row Statistics
Statements    Value
Format        dynamic
Collation     latin1_swedish_ci

Debbie
phpSensei Posted August 16, 2011

1. I see, I was under the impression that users are posting the articles.

2. I could have sworn I read someone mentioning addslashes and stripslashes. When displaying it you use stripslashes, yes, but since you're using mysqli, I presume, take a look here: http://us.php.net/mysqli_prepare

4. I am saying if you are using UTF-8 characters in your articles, take a look at the UTF-8 sampler.
doubledee (Author) Posted August 16, 2011

I am building a form so that ONLY "I" can enter articles into my database.

> 1. I see, I was taken under the impression that users are posting the articles.
> 2. I could have sworn I read someone mentioning Addslashes and Stripslashes, when displaying it you use stripslashes yes, but since your using Mysqli I presume take a look here: http://us.php.net/mysqli_prepare
> 4. I am saying if you are using utf-8 characters in your articles, take a look at the utf-8 sampler.

If I use Prepared Statements then I shouldn't have to worry about escaping single and double quotes, right??

And if I do NOT use Prepared Statements, but INSTEAD use mysqli_real_escape_string, then...

1.) Don't I have to use stripslashes to get rid of the escape characters that are added above?

2.) Do I need to use htmlentities or htmlspecialchars?? (I say "No.")

Debbie
xyph Posted August 17, 2011

Wow, that was hard to read through.

Use EITHER mysqli_real_escape_string() or prepared statements, not both. Which one you choose is entirely up to you. Beyond being a security measure, there's lots of markup that can break a query, and using one of those options prevents that.

DON'T use stripslashes()/htmlentities() etc. The slashes added by those functions SHOULD NOT carry over to your database. htmlentities() should only be used if you're worried about XSS attacks, and even then, you should use htmlspecialchars() because htmlentities() does a lot of redundant changes.

If you wanted to restate your original issue, I'd be glad to help further. My concept of what you wanted was slightly warped as I read through the thread.
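The following is an added example, not code posted by anyone in this thread, showing the two options xyph describes side by side: a prepared statement and mysqli_real_escape_string(), each storing an article body that contains HTML tags, apostrophes and a literal backslash, and each reading it back byte-for-byte identical. It also shows why stripslashes() on output is harmful. The connection constants, the table layout and the sample article text are all constructed for this example.

```php
<?php
// Added example (not from the thread). Assumed table (placeholder):
//   CREATE TABLE articles (id INT AUTO_INCREMENT PRIMARY KEY,
//                          title VARCHAR(255) NOT NULL, body TEXT NOT NULL);
declare(strict_types=1);

const DB_HOST = 'localhost';     // placeholder
const DB_USER = 'app_user';      // placeholder
const DB_PASS = 'app_password';  // placeholder
const DB_NAME = 'site';          // placeholder

function connect(): mysqli
{
    mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // throw on any error
    $db = new mysqli(DB_HOST, DB_USER, DB_PASS, DB_NAME);
    $db->set_charset('utf8mb4'); // escaping is charset-aware, so set it on the connection
    return $db;
}

// Option A: prepared statement. The body travels as a bound parameter and is
// never part of the SQL text, so quotes, tags and backslashes cannot break the query.
function store_article_prepared(mysqli $db, string $title, string $body): int
{
    $stmt = $db->prepare('INSERT INTO articles (title, body) VALUES (?, ?)');
    $stmt->bind_param('ss', $title, $body);
    $stmt->execute();
    return (int) $db->insert_id;
}

// Option B: escape for this one query. The backslashes real_escape_string() adds
// are consumed by the SQL parser; the value written to the table has none of
// them, which is why stripslashes() must not be applied when displaying it.
function store_article_escaped(mysqli $db, string $title, string $body): int
{
    $t = $db->real_escape_string($title);
    $b = $db->real_escape_string($body);
    $db->query("INSERT INTO articles (title, body) VALUES ('$t', '$b')");
    return (int) $db->insert_id;
}

function fetch_article(mysqli $db, int $id): ?array
{
    $stmt = $db->prepare('SELECT title, body FROM articles WHERE id = ?');
    $stmt->bind_param('i', $id);
    $stmt->execute();
    return $stmt->get_result()->fetch_assoc() ?: null;
}

function expect(bool $ok, string $what): void
{
    if (!$ok) {
        throw new RuntimeException("check failed: $what");
    }
}

$db    = connect();
$title = "Debbie's Mother's Sister's name is Debbie too!!";               // constructed
$body  = "<p>Mom's cookies are the best ever. (Although gram's are pretty good too?!)</p>\n"
       . "<p>Path example: C:\\temp\\notes.txt</p>";                       // constructed

$idA = store_article_prepared($db, $title, $body);
$idB = store_article_escaped($db, $title, $body);

// Both methods store exactly the original text: no added slashes, tags intact.
expect(fetch_article($db, $idA)['body'] === $body, 'prepared round-trip');
expect(fetch_article($db, $idB)['body'] === $body, 'escaped round-trip');

// stripslashes() on output would corrupt the legitimate backslashes in the article:
// "C:\temp\notes.txt" becomes "C:tempnotes.txt".
$mangled = stripslashes(fetch_article($db, $idA)['body']);
expect($mangled !== $body, 'stripslashes alters real data');

echo "Both articles stored and read back unchanged.\n";
```

Whichever option is used, the escaping belongs to the query, not to the data: the stored value is the same raw text the author pasted, so a later CSV or PDF export gets clean input and output-time display needs no stripslashes().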
doubledee (Author) Posted August 20, 2011

> If you wanted to restate your original issue, I'd be glad to help further. My concept of what you wanted was slightly warped as I read through the thread.

Yes, what should have been simple turned into chaos?! Let me try again..

- My website has articles that I create from scratch
- I write them in Open Office Write (e.g. "Postage Meters can save your company money!")
- Then paste the text into Netbeans and add HTML tags (e.g. "<p>Postage Meters can save your company money!</p>")
- And save each article as "some_article.php"
- I now want all of these articles in MySQL
- But I want to copy and paste the marked-up article text and just place it into a field called "body"
- So <p>Postage Meters can save your company money!</p> would be INSERTED into the "body" field in the "article" table.
- Also, most articles have all sorts of normal English punctuation like quotes (e.g. "Debbie's Mother's Sister's name is Debbie too!!")

So my questions were...

1.) How do I handle the HTML tags which surround my article text w.r.t. the Database INSERTs and echoing in PHP??

2.) How do I handle single and double quotes in my article text w.r.t. Database INSERTs and echoing in PHP??

Hope you follow me better?!

Thanks,
Debbie
xyph Posted August 23, 2011

1 - Should not be an issue, assuming you're using real_escape_string or prepared statements. Keep in mind allowing others to submit HTML code without plans to escape it on output can lead to XSS attacks.

2 - See 1. The only issues I see echoing with PHP are if you haven't already converted non-tag < and > to &lt; and &gt;. If you want to convert only certain portions of a string to their HTML entities, you have to start coming up with complex regular expressions that will make assumptions about your markup. You're better off doing this manually, for accuracy's sake. You probably should convert double quotes to &quot; as well, but this is only a serious issue if the quote is within a tag, for example

<input type="text" name="something" value=""To be, or not to be"">
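The following is an added example, not code from this thread, showing the output side of xyph's answer: the owner-written article body is echoed as-is (its non-tag < and > were converted by hand, as advised), while the title, which also lands inside an attribute value, goes through htmlspecialchars() so a double quote in it cannot end the attribute early. The article array and helper names are constructed for this example.

```php
<?php
// Added example (not from the thread): context-specific escaping on output.
declare(strict_types=1);

// Escape a string for HTML text or attribute content. ENT_QUOTES covers both
// ' and ", so the result is safe inside single- or double-quoted attributes.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Render one article: title escaped in both an attribute and a text context,
// body emitted unchanged because it is trusted markup written by the site owner.
function render_article(array $article): string
{
    return '<input type="text" name="title" value="' . h($article['title']) . '">' . "\n"
         . '<h1>' . h($article['title']) . '</h1>' . "\n"
         . $article['body'] . "\n";
}

// What the unescaped version produces: the attribute closes after value="" and
// the remainder of the title becomes stray markup (the breakage xyph describes).
function render_title_attr_unescaped(string $title): string
{
    return '<input type="text" name="title" value="' . $title . '">';
}

$article = [ // constructed sample
    'title' => '"To be, or not to be" & other questions',
    // The body's non-tag < was converted to &lt; by hand; tags stay as tags.
    'body'  => '<p>Compare: 3 &lt; 5 is true, and "quotes" in text nodes are harmless.</p>',
];

$html = render_article($article);

$expectedAttr = 'value="&quot;To be, or not to be&quot; &amp; other questions"';
if (strpos($html, $expectedAttr) === false) {
    throw new RuntimeException('attribute escaping failed');
}

$broken = render_title_attr_unescaped($article['title']);
if ($broken !== '<input type="text" name="title" value=""To be, or not to be" & other questions">') {
    throw new RuntimeException('unexpected unescaped output');
}

echo $html;
```

The rule this illustrates is the one from the StackOverflow quote earlier in the thread: keep the stored text raw and escape at output for the context in hand. Trusted, hand-written HTML is echoed directly; anything that reaches an attribute or a text node from a variable is passed through htmlspecialchars() with ENT_QUOTES and an explicit charset.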