Html escaping problem

11-23-2010, 09:25 PM
Hi all,

I want to create my personal blog and to be able to put code in pre tags. I have created some functions for converting content to and from the database.
Basically the idea is the same as

this (http://www.thatsquality.com/articles/how-to-match-and-replace-content-between-two-html-tags-using-regular-expressions)

but this is not working on my PC. The created functions work on localhost (Win7) but didn't work on my Linux box (Debian server).

I use:

function txt2db($s){
    //$s = str_replace("'", "\'", $s ); // i don't need this since mysql auto escape single quotes (can't find and turn it off)
    return $s;
}

function db2txt($s){
    // $s = str_replace("\'", "'", $s ); // also not needed
    // $s = str_replace("&lt;pre&gt;", "<pre>", $s );
    // $s = str_replace("&lt;/pre&gt;", "</pre>", $s );
    // encode the body of each <pre> block so code is shown as text
    // (pattern assumed from the linked article: non-greedy, /s so a block may span lines)
    $s = preg_replace_callback(
        '/<pre>(.*?)<\/pre>/s',
        function ($matches) { return "<pre>".htmlentities($matches[1])."</pre>"; },
        $s
    );
    $s = nl2br($s);
    return $s;
}

I think it is clear from the function names what they do.

The problem is that when I save &lt; in the database it appears as < in my edit window, and once I edit an article all entities are converted into tags.

Here is the result

11-23-2010, 09:33 PM
Uh... MySQL definitely DOES NOT auto escape anything. Sounds like you have magic quotes turned on, which needs to be turned off immediately, and look into mysql_real_escape_string.

As for your specific problem, I'll test it out. I use htmlentities just fine on my server, no problem. Can you show the code you use to insert the data into the server?

11-23-2010, 09:41 PM
Here it is

if ($_POST['cmd_post'] == "post" ){
    // note: every value is interpolated into the SQL string unescaped
    if ($_POST['cbo_load_post'] == 0){
        // values list reconstructed to mirror the update branch below; the post cut it off
        $sql_post = 'insert into cms_post_content(type, time, post_title, post_intro, post_content)
        values (
            '.$_POST['cbo_type'].',
            '.time().',
            \''.(web::txt2db($_POST['txt_title'])).'\',
            \''.(web::txt2db($_POST['txt_intro'])).'\',
            \''.(web::txt2db($_POST['txt_content'])).'\'
        )';
        //echo $sql_post;
    } else {
        $sql_post = 'update cms_post_content set
        type = '.$_POST['cbo_type'].',
        time = '.time().',
        post_title = \''.(web::txt2db($_POST['txt_title'])).'\',
        post_intro = \''.(web::txt2db($_POST['txt_intro'])).'\',
        post_content = \''.(web::txt2db($_POST['txt_content'])).'\'
        where sys_id = '.$_POST['cbo_load_post'];
        //echo $sql_post;
    }
}
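Bringing together the db2txt idea from the first post and the reply's advice to stop relying on magic quotes, here is an added PHP example (not the thread's code): it stores the raw post with a PDO prepared statement, escapes the stored text for the edit textarea, and encodes only the inside of <pre> blocks at render time. It assumes a PDO connection in $pdo and the table and column names shown in the thread.

```php
<?php
// Added example, not the thread's code. Assumes $pdo is an open PDO connection
// and the cms_post_content table/columns named in the thread.

function cleanInput(string $value): string {
    // Undo magic_quotes_gpc if the host still has it on (PHP < 7.4); no-op on PHP 8.
    if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
        $value = stripslashes($value);
    }
    return $value; // stored verbatim; escaping is an output concern
}

function savePost(PDO $pdo, int $type, string $title, string $intro, string $content): int {
    $stmt = $pdo->prepare(
        'INSERT INTO cms_post_content (type, time, post_title, post_intro, post_content)
         VALUES (?, ?, ?, ?, ?)'
    );
    $stmt->execute([$type, time(), cleanInput($title), cleanInput($intro), cleanInput($content)]);
    return (int) $pdo->lastInsertId();
}

function esc(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

function editBox(string $raw): string {
    // The textarea must show the stored text literally, so it is escaped here; the
    // browser decodes entities on submit, which is how a raw-emitted "&lt;" became "<".
    return '<textarea name="txt_content">' . esc($raw) . '</textarea>';
}

function db2txt(string $s): string {
    // Pattern assumed: non-greedy <pre>...</pre>, /s so a block may span lines.
    $parts = preg_split('/(<pre>.*?<\/pre>)/s', $s, -1, PREG_SPLIT_DELIM_CAPTURE);
    $out = '';
    foreach ($parts as $i => $part) {
        if ($i % 2 === 1) {
            // captured delimiter: a code block; encode its body, keep its newlines
            $out .= '<pre>' . esc(substr($part, 5, -6)) . '</pre>';
        } else {
            // author-written markup outside <pre> is trusted and emitted unchanged
            $out .= nl2br($part);
        }
    }
    return $out;
}
// Constructed sample: author markup plus a code block containing angle brackets.
$raw = "Intro with <b>bold</b>\n<pre><?php if (\$a < \$b) echo '<ok>'; ?></pre>";
echo db2txt($raw);
```

Because text outside <pre> is emitted unchanged, this rendering is only safe when every author of post content is trusted; the edit form and the <pre> bodies are escaped regardless.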