-2

I am wondering how to echo data stored in a database as rich text. I can put the data in the database, but it stores it as code. I want it to echo as formatted text using PHP. For example, if one of my users inputs the chemical formula CO2 with the 2 subscripted, it will be stored in the MySQL database as the code:

     CO<sub>2</sub>

I don't want this code to be echoed. Instead I want the formatted text "CO2" to be echoed. Is this possible and if so how? I would like all the rich text markup to be echoed instead as actual formatted text rather than code.

Kara
brett
  • Simply asking PHP to `echo` the contents of the database should achieve exactly what you want. It sounds like you're running the value retrieved from the database through an escaping function, like `htmlentities()`? However, you absolutely must ensure that any data you output without escaping is *clean*—if you store arbitrary user-provided data in that table, you could be vulnerable to XSS attacks. – eggyal Jan 08 '16 at 17:58
  • This is how I'm echoing: `while($row = $stmt->fetch(PDO::FETCH_ASSOC)) { echo $row['Question'].'|'.$row['AnswerA'].'|'.$row['AnswerB'].'|'."bl3nq".$row['AnswerC'].'|'."bl3nq".$row['AnswerD'].'|'."bl3nq".$row['AnswerE'].'|'.$row['rightanswer'].'|'.$row['scrambleanswers'].'|'."noimg".$row['image'].'|'."bl3nq".$row['feedback'].'|'."bl3nq".$row['imagesource'].'|'; }` I don't think I'm using any unusual escape function. Does PDO do this automatically, perhaps? – brett Jan 08 '16 at 18:11
  • No, PDO doesn't escape automatically. Are you sure the data is stored in the database unescaped? Perhaps you escaped it prior to insertion? – eggyal Jan 08 '16 at 18:16
  • If I am storing in the MySQL database as VARCHAR, would this cause the problem? Do I need to change to TEXT perhaps? – brett Jan 08 '16 at 18:19
  • No, that would not make any difference. – eggyal Jan 08 '16 at 18:21
  • I am not sure if it is escaping prior to insertion. How would I be able to tell? It is inserted in the database as code. For example: CO2 – brett Jan 08 '16 at 18:24
  • Are you *sure*? How have you verified that? – eggyal Jan 08 '16 at 18:26
  • I looked in phpmyadmin and this is what is visible there. – brett Jan 08 '16 at 23:02
  • I don't know whether phpMyAdmin escapes data before returning it; if it doesn't, then you'd see `CO2` even though the database contains `CO<sub>2</sub>` (which it probably does, given that CKEditor escapes HTML by default—see [my other comment, below](https://stackoverflow.com/questions/34683173/php-echo-rich-text-from-code-in-a-mysql-database?noredirect=1#comment57114342_34683355)). – eggyal Jan 08 '16 at 23:14

2 Answers

0

It turns out that the PHP script is echoing the text correctly, but that my user front-end (an HTML5/JavaScript application) is then taking the echoed formatted text and writing it as code. So, in short, the echoing is working in PHP. Now I just need to figure out how to cause my front-end application to show the text as rich text, not code.

Kara
brett
-1

Before inserting into your database, use `htmlspecialchars($string);`

Example:

    // Escape the HTML special characters before storing the value
    $string = "CO<sub>2</sub>";
    $stringToInsert = htmlspecialchars($string);

After inserting `$stringToInsert` into your database, you can print it on your page like this:

    // Decode the stored entities back into markup and output it
    $decodedString = htmlspecialchars_decode($stringToInsert);
    echo $decodedString;

I prefer using htmlspecialchars instead of htmlentities for this case.

Pablo Cardozo
  • Hi Pablo, This is being inserted with a plugin: ckeditor so I don't know how to change the way it is entered, but it is entered as code. The problem I am having is that I want it to echo as formatted text, not code. – brett Jan 08 '16 at 18:45
  • @brett: [CKEditor escapes HTML by default](https://stackoverflow.com/questions/12700383/ckeditor-is-escaping-html-elements). – eggyal Jan 08 '16 at 18:53
  • It looks like the echoing is fine when I check the echo, but my html5/javascript application front end is re-writing it as code again. Not sure how to fix this yet. If you have any ideas, that would be great. – brett Jan 08 '16 at 19:04
  • Can you show me what data is stored in your database? Is it: CO2 or something like "CO<sub>2</sub>"? – Pablo Cardozo Jan 08 '16 at 19:20
  • If you have the second one you can just use: html_entity_decode() – Pablo Cardozo Jan 08 '16 at 19:21
  • It is storing the first way: CO2 – brett Jan 08 '16 at 22:58
  • Oh, then you should just echo without any special function. But, where are you trying to echo this string? I mean, inside of a rich text editor or something like that? – Pablo Cardozo Jan 09 '16 at 01:02
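
An added example (not code from any of the posts above) of echoing stored rich text while addressing the XSS caveat raised in the comments on the question: it escapes the whole value, then restores only a small allowlist of attribute-free, properly nested tags. The function name `render_rich_text`, the allowlist and the sample rows are assumptions made for illustration, and it assumes the database holds raw HTML such as `CO<sub>2</sub>`.

```php
<?php
declare(strict_types=1);

// Hypothetical allowlist for this example: bare formatting tags only.
const ALLOWED_TAGS = ['sub', 'sup', 'b', 'i', 'em', 'strong'];

/**
 * Escape the whole stored value, then restore only exact, attribute-free
 * allowlisted tags that are properly nested. Everything else stays text.
 */
function render_rich_text(string $stored): string
{
    $escaped = htmlspecialchars($stored, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    $pattern = '~&lt;(/?)(' . implode('|', ALLOWED_TAGS) . ')&gt;~i';
    $open = []; // stack of currently open allowlisted tags

    $html = preg_replace_callback($pattern, function (array $m) use (&$open): string {
        $tag = strtolower($m[2]);
        if ($m[1] === '') {          // opening tag: emit it and remember it
            $open[] = $tag;
            return "<$tag>";
        }
        if (end($open) === $tag) {   // close matching the innermost open tag
            array_pop($open);
            return "</$tag>";
        }
        return $m[0];                // stray close: leave escaped, shown as text
    }, $escaped) ?? $escaped;

    // Close anything left open so it cannot restyle the rest of the page.
    while ($open) {
        $html .= '</' . array_pop($open) . '>';
    }
    return $html;
}

// Constructed sample rows standing in for values fetched from the database.
$rows = [
    'CO<sub>2</sub>',                            // plain formatting
    'H<sub>2</sub>O <script>alert(1)</script>',  // non-allowlisted tag
    '<sub onclick="x()">2</sub>',                // allowlisted name with an attribute
    'x<sup>2',                                   // unclosed tag
];
foreach ($rows as $row) {
    echo render_rich_text($row), PHP_EOL;
}
```

Because only exact tag tokens are restored, a tag carrying any attribute never matches and is displayed as literal text rather than interpreted by the browser.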