MySQL changes my HTML tags, rendering them useless


I am importing data into a text field in a database. However, when I try to input

<strong> Hi There </strong>

I find it in the table (using phpMyAdmin) as

"&lt;strong&gt; Hi There &lt;/strong&gt;" 

That displays it on my front webpage as

<strong> Hi There </strong>

Clearly not the desired result.

Any ideas here? I am using a regular text form.

3

There are 3 answers

0
AlienWebguy On

When you are entering the data, it is probably being scrubbed, likely with htmlspecialchars() or htmlentities().

To decode the tags, use html_entity_decode()

http://php.net/manual/en/function.html-entity-decode.php

1
Dan On

Yeah. What's happening here is simple encoding, so that the stored form is safe. Before displaying it on the webpage, pass it through the PHP built-in html_entity_decode().

Note that if this didn't happen, it would be very easy for someone to input their own HTML to a field that shouldn't have HTML (like username) and they could then modify your website.

0
Lawrence Cherone On

When handling different user inputs that are held in the database or displayed back within your content, you should always be aware of XSS attacks. Better safe than sorry...

Usernames: Have a check for minimum & maximum length, nothing outside the ASCII range & strictly no HTML or special chars like <>;'"%, and trim spaces from the start & end. If outputting to a form, always use htmlspecialchars().

Passwords: Have a check for minimum & maximum length; make them more secure by requiring at least 1 capital and one alpha char. Always encrypt when saving to the database & don't use md5. If outputting to a form, always use htmlspecialchars() if not using the type="password" attribute.

Emails: Check that it is a valid email address.

Main comments/posts submission areas: Strip all JavaScript and HTML, and/or allow the user to insert BBCode if needed for images, links and formatting, then convert the BBCode to valid HTML when displaying.
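The round trip described in Dan's and AlienWebguy's answers, plus the username check from Lawrence's, as an added PHP example that is not code from any of the posters. Inputs are constructed, no form or database is involved, and the username length limits (3 to 20 characters) are assumptions.

```php
<?php
// Added example, not code from the thread. Inputs are constructed; no form or
// database is involved, and the username limits (3-20 chars) are assumed.

// What the question's form evidently did on the way in: htmlspecialchars(),
// which is why phpMyAdmin shows &lt;strong&gt; rather than <strong>.
function escapeHtml(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// The fix from AlienWebguy's and Dan's answers: decode the stored entities
// once before output. Reserve this for fields that are meant to carry HTML
// from trusted authors; do not run it on user-supplied fields.
function renderDecoded(string $stored): string
{
    return html_entity_decode($stored, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Lawrence's username rule as one check: trim, then allow only 3-20 ASCII
// letters, digits or underscore, which excludes <>;'"% and whitespace.
function isValidUsername(string $name): bool
{
    return preg_match('/^[A-Za-z0-9_]{3,20}$/', trim($name)) === 1;
}

$raw    = '<strong> Hi There </strong>';
$stored = escapeHtml($raw);   // the entity form the question saw in phpMyAdmin

// Printing the stored value as-is is the symptom: the browser shows the
// entities as literal text instead of rendering a <strong> element.
echo "As stored:      $stored\n";
// Decoding once restores the real tag, so the browser renders it bold.
echo "Decoded:        " . renderDecoded($stored) . "\n";

// A field that must never carry markup: reject it at input, and if a value
// with tags does reach the page, escape it at output so the tags are shown
// as text rather than interpreted.
$username = '<b>admin</b>';
var_dump(isValidUsername($username));   // fails the ASCII-only pattern
var_dump(isValidUsername('alice_01'));  // passes
echo "Escaped output: " . escapeHtml($username) . "\n";
```

The decode step belongs only on the one field that is supposed to hold HTML; every other field is validated on the way in and escaped on the way out.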