Question

I'm storing HTML and text data in my database table in its raw form - however I am having a slight problem in getting it to output correctly. Here is some sample data stored in the table AS IS:

<p>Professional Freelance PHP & MySQL developer based in Manchester.
<br />Providing an unbeatable service at a competitive price.</p>

To output this data I do:

echo $row['details'];

And this outputs the data correctly, however when I do a W3C validator check it says:

character "&" is the first character of a delimiter but occurred as data

So I tried using htmlentities and htmlspecialchars but this just causes the HTML tags to output on the page.

What is the correct way of doing this?


Solution

Use &amp; instead of &.

OTHER TIPS

What you want to do is use the PHP function htmlentities()...
It will convert your input into html entities, and then when it is outputted it will be interpreted as HTML and outputted as the result of that HTML...
For example:

$mything = "<b>BOLD & BOLD</b>";
//normally would throw an error if not converted...
//lets convert!!
$mynewthing = htmlentities($mything);

Now, just insert $mynewthing to your database!!

htmlentities is basically a superset of htmlspecialchars, and htmlspecialchars also replaces < and >.

Actually, what you are trying to do is to fix invalid HTML code, and I think this needs an ad-hoc solution:

$row['details'] = preg_replace("/&(?![#0-9a-z]+;)/i", "&amp;", $row['details']);

This is not a perfect solution, since it will fail for strings like: someone&son; (with a trailing ;), but at least it won't break existing HTML entities.

However, if you have decision power over how the data is stored, please enforce that the HTML code stored in the database is correct.
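
The regex approach in the answer above, extended as an added example (not code from any of the answers): a named reference is kept only when PHP's HTML5 entity table can decode it, so a look-alike such as `someone&son;` is escaped too. `escape_bare_ampersands()` is a hypothetical helper name, the sample strings are constructed, and the stored markup is assumed to be trusted, because this repairs ampersands only and does not sanitize HTML.

```php
<?php
// Added example: escape_bare_ampersands() is a hypothetical helper name.
// Assumption: the stored markup is trusted. This repairs ampersands only;
// it is not an HTML sanitizer.

function escape_bare_ampersands(string $html): string
{
    // "&" optionally followed by something shaped like a character reference.
    $pattern = '/&(?:(#[0-9]+|#x[0-9a-f]+|[a-z][a-z0-9]*);)?/i';

    return preg_replace_callback($pattern, function (array $m): string {
        $name = $m[1] ?? '';
        if ($name === '') {
            return '&amp;';               // bare ampersand ("PHP & MySQL")
        }
        if ($name[0] === '#') {
            return $m[0];                 // numeric reference (&#160;, &#xA0;)
        }
        // A named reference is real only if the HTML5 table can decode it.
        $decoded = html_entity_decode($m[0], ENT_QUOTES | ENT_HTML5, 'UTF-8');
        return $decoded !== $m[0]
            ? $m[0]                       // known entity (&amp;, &nbsp;)
            : '&amp;' . substr($m[0], 1); // look-alike (&son;)
    }, $html);
}

// Constructed sample inputs covering each branch.
$samples = [
    '<p>Freelance PHP & MySQL developer<br />in Manchester.</p>',
    'Already escaped: &amp; &nbsp; &#160; &#xA0;',
    'Look-alike reference: someone&son;',
    'Missing semicolon: a &lt b',
];

foreach ($samples as $in) {
    echo $in, "\n  => ", escape_bare_ampersands($in), "\n";
}
```

Text that is not meant to render as markup still goes through `htmlspecialchars()` at output time; this helper is only for fields that intentionally hold HTML.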

In my projects I use an XSLT parser, so I had to change &nbsp; to &#160; (e.g.). But this is the safest way I found...

Here is my code:

$html = trim(addslashes(htmlspecialchars(
        html_entity_decode($_POST['html'], ENT_QUOTES, 'UTF-8'),
        ENT_QUOTES, 'UTF-8'
    )));

And when you read from DB, don't forget to use stripslashes();

$html = stripslashes($mysq_row['html']);
Licensed under: CC-BY-SA with attribution