html output on webpage

kevinritt

Hi,
I'm not sure if this is a PHP issue or TinyMCE. I have content that is saved in a database. It gets called using this code:

<?php
         $page = (isset($_GET['page'])) ? $_GET['page'] : "1";
         $sql = "SELECT content FROM pages WHERE id='$page'";
         $result = $conn -> query($sql) or die(mysqli_error());
            if($result) {
            $row = $result->fetch_object();
               echo $row->content;
            }   

     ?>

The problem is when the code is out put on the site. I save the html like this in the database:

<tr>
<td class="header">Name</td>
<td class="header">Title</td>
<td class="header">Email</td>
</tr>

but it ends up looking like this in the database:

<tr>
<td class=\"header\">Name</td>
<td class=\"header\">Title</td>
<td class=\"header\">Email</td>
</tr>

Futhermore, it gets processed like this in TinyMCE when I look in the html:

<tr>
<td class="\&quot;header\&quot;">Name</td>
<td class="\&quot;header\&quot;">Title</td>
<td class="\&quot;header\&quot;">Email</td>
</tr>

Because of this the CSS classes and IDs do not work. Is there something I can do that would remove the extra characters?
I tried:

<?php echo stripslashes($row->content); ?>

but that did not change the output
Here's the current page: http://saugustv.org/index.php?page=contact
and here's the page with the call to the database and the text editor:
http://saugustv.org/indexLiveTest.php?page=2
They use the same CSS but as you can see they don't look the same.
Any help would be appreciated - I'm clueless at this point

NogDog

Best guess is that you have the infamous [man]magic_quotes_gpc[/man] setting turned on. If you are not able or willing to turn it off, then to undo its damage you'll need to do a [man]stripslashes/man to any form data inputs before applying your database-specific escaping mechanism.

function sanitizeInput($value)
{
   if(get_magic_quotes_gpc())
   {
      $value = stripslashes($value);
   }
   return mysql_real_escape_string($value);   

}

You could then use the above sanitizeInput() function where you currently use mysql_real_escape_string(). (If you are using some other database interface, you would replace mysql_real_escape_string() with whatever you are using to escape inputs for use in SQL.)

ixalmida

I personally don't like to have my quotes escaped (makes for difficult reading in MySQL admin), so I like to encode them as HTML instead:

// Store...
mysql_query("INSERT INTO MyTable (my_string) VALUES ('".htmlentities($string, ENT_QUOTES)."')";

// Retrieve...
$string = html_entity_decode($row['my_string']);

...but then I just like to be different. 🙂

NogDog

ixalmida;10926323 wrote:
I personally don't like to have my quotes escaped (makes for difficult reading in MySQL admin), so I like to encode them as HTML instead:
// Store...
mysql_query("INSERT INTO MyTable (my_string) VALUES ('".htmlentities($string, ENT_QUOTES)."')";

// Retrieve...
$string = html_entity_decode($row['my_string']);
...but then I just like to be different. 🙂

The quotes should never end up being escaped in the actual data. When you use a function like mysql_real_escape_string(), it escapes the quotes for use in the SQL, but they do not make it into the actual data. If you are seeing escape characters in the actual data, then it is because you "double escaped" the input, and therefore escaped the escape character.

For example, if magic_quotes_gpc is enabled, then PHP prepends a back-slash to certain characters (including back-slashes, by the way). So if the input is foo 'quote' bar, then the $_POST value would be foo \'quote\' bar. If you then apply mysql_real_escape_string() to that value, you'd end up with foo \\'quote\\' bar, as both the quotes and back-slashes would now be escaped. Then when that double-escaped string is passed to a query, you'd end up with a literal back-slash character in the data (i.e., you'd be back to foo \'quote\' bar).

So long story short, if you turn off magic_quotes_gpc or undo its damage before applying your database-specific escaping mechanism, you should never have back-slashes inserted into your actual data. If you are seeing them, then you are double-escaping and probably need to turn off or negate magic_quotes_gpc (which is now deprecated and will not be available at all in PHP6).

Therefore, you should not need to convert quotes or other characters to HTML character entities. On top of that, doing so now changes the data and makes it HTML-specific, which means you have to account for those entities when sorting the data, searching it, or outputting it to something other than HTML. (And, of course, the data now take up more bytes - maybe not an issue in a TEXT column but it could be a serious problem in s VARCHAR column.)

ixalmida

Eh...I usually don't have to convert it back since it is almost always displayed in HTML. The only reason I have to convert it back is to make it form-friendly for editing. I guess it works either way, but my way makes the most sense to me.

Thankfully, I don't have magic quotes enabled on my current server so I don't have to strip slashes every time a user wants to go back and edit something.

kevinritt

turned off magic_quotes_gpc in the php.ini file:

; Magic quotes for incoming GET/POST/Cookie data.
magic_quotes_gpc = Off

but still the page doesn't look right

itaym02

but still the page doesn't look right

What looks wrong?

kevinritt

CSS for content

<?php echo $row->content  ?>

is not working. The CSS for the rest of the site is. For example, the CSS for the contact page table is not working (see links referenced above)