stevegc Posted November 17, 2011

Hi everyone,

First time post for me. I am quite new to PHP so excuse the beginner question, but I can't find an answer for it.

I have a backend application that allows an admin to update the frontend homepage with a WYSIWYG html editor (Xinha). I store the html into mysql and retrieve the data for display on the front end homepage.

The problem is the html is not rendering and is displaying with the tags as text.

When saving the data to the db I use htmlentities($data) and when retrieving I used html_entity_decode($data) before passing it to the template to be rendered. I am using a simple <?php echo $data ?> to display the data.

On the same page I have <?php $testingHTML = "<p>This is some text with a <b>bold</b> word in it</p>" ?> followed down the page by an <?php echo $testingHTML ?> and that renders perfectly.

So I must be doing something wrong?

Thank you in advance and I hope that makes sense.

Steve

xyph Posted November 17, 2011

There's no need to call htmlentities or html_entity_decode at all. Take that out, and you're fine.

This can be dangerous though. You should only allow trusted users to use this form, to prevent someone from injecting malicious JavaScript or HTML into your page. If you don't trust the people entering data into the form, then use an implementation of BBCode or something similar.

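The BBCode approach suggested above, as an added example that is not part of the thread and not taken from any BBCode library: escape everything the user typed, then re-enable a small whitelist of tags. The function name `render_bbcode`, the tag set and the sample input are assumptions made for illustration.

```php
<?php
// Added example: minimal BBCode renderer for untrusted input.
// render_bbcode() and its whitelist are hypothetical, not a library API.

function render_bbcode(string $input): string
{
    // 1. Escape first: any HTML or JavaScript the user typed becomes inert text,
    //    and quotes are encoded so they cannot break out of an attribute later.
    $html = htmlspecialchars($input, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');

    // 2. Re-enable only simple paired tags that carry no attributes.
    $simple = ['b' => 'strong', 'i' => 'em', 'u' => 'u'];
    foreach ($simple as $bb => $tag) {
        $html = preg_replace(
            '#\[' . $bb . '\](.*?)\[/' . $bb . '\]#is',
            '<' . $tag . '>$1</' . $tag . '>',
            $html
        );
    }

    // 3. Links: only http(s) URLs without whitespace or brackets are accepted,
    //    so javascript: and data: URLs are never turned into an href.
    $html = preg_replace_callback(
        '#\[url=(https?://[^\s\[\]]+)\](.*?)\[/url\]#is',
        function (array $m): string {
            return '<a href="' . $m[1] . '" rel="nofollow noopener">' . $m[2] . '</a>';
        },
        $html
    );

    // 4. Keep the author's line breaks.
    return nl2br($html);
}

// Constructed sample input: the raw <script> tag is shown as text,
// while the whitelisted BBCode is rendered as markup.
$sample = "[b]Opening hours[/b]\n"
        . "<script>alert(1)</script>\n"
        . "[url=https://example.com/?a=1&b=2]Map[/url]";

echo render_bbcode($sample), "\n";
```
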
stevegc Posted November 17, 2011

> There's no need to call htmlentities or html_entity_decode at all. Take that out, and you're fine.
>
> This can be dangerous though. You should only allow trusted users to use this form, to prevent someone from injecting malicious JavaScript or HTML into your page. If you don't trust the people entering data into the form, then use an implementation of BBCode or something similar.

Thanks for the reply xyph. I tried it without the htmlentities and html_entities_decode but got the same results.

The only people with access to this will actually be my parents so it should be quite safe in terms of malicious code.

xyph Posted November 17, 2011

I'd need to see the related code then. Are you sure the raw html is being inserted into the database?

stevegc Posted November 17, 2011

Yeah I have checked that. Here is exactly what is in the DB.

    <p> <strong>Here is some bold text</strong></p>
    <p><strong></strong>Here is some normal text about nothing just to fill in space and test things out<br /> </p>

[attachment deleted by admin]

xyph Posted November 17, 2011

I'd prefer if you posted the relevant code rather than attach the files.

stevegc Posted November 17, 2011

Ok, sorry about that. Just thought that gave a better perspective.

The methods for inserting and retrieving data:

    public function updateHomePageData($data)
    {
        // Bind the editor HTML as a parameter instead of concatenating it into
        // the SQL, so quotes in the HTML cannot break or alter the statement.
        $sql = "update general_data set data_value = ? where data_key = 'HMPGD'";
        //htmlspecialchars($data) . "' where data_key = 'HMPGD'";
        $con = Doctrine_Manager::getInstance()->connection();
        $con->execute($sql, array($data));
    }

    public function getHomePageData()
    {
        $homePageData = "";
        $sql = "select * from general_data where data_key = 'HMPGD'";
        $con = Doctrine_Manager::getInstance()->connection();
        $resultSet = $con->execute($sql);
        // Only one row is expected for this key; keep its stored value.
        foreach ($resultSet as $result) {
            $homePageData = $result['data_value'];
        }
        return $homePageData;
    }

The function that passes data to the template:

    public function executeShow(sfWebRequest $request)
    {
        $generalData = new GeneralData();
        $homePageData = "";
        $homePageData = $generalData->getHomePageData();
        // Expose the stored HTML to the template as $homePageData.
        $this->homePageData = $homePageData;
    }

The template:

    <div>
        <?php echo $homePageData ?>
    </div>
    <?php $testingHTML = "<p>This is some <b>bold</b> text</p>"; ?>
    <?php echo $testingHTML ?>

stevegc Posted December 4, 2011

bump, anyone got a guess? I can't figure it out :-(

Pikachu2000 Posted December 4, 2011

What does the html in question show to be when you do a View ---> Source?