-2

I am wondering how to echo data stored in a database as rich text. I can put the data in the database, but it stores it as code. I want it to echo as formatted text using PHP. For example, if one of my users inputs the chemical formula CO2 with the 2 subscripted, it will be stored in the MySQL database as the code:

     CO<sub>2</sub>

I don't want this code to be echoed. Instead I want the formatted text "CO2" to be echoed. Is this possible and if so how? I would like all the rich text markup to be echoed instead as actual formatted text rather than code.

9
  • 1
    Simply asking PHP to echo the contents of the database should achieve exactly what you want. It sounds like you're running the value retrieved from the database through an escaping function, like htmlentities()? However, you absolutely must ensure that any data you output without escaping is *clean*—if you store arbitrary user-provided data in that table, you could be vulnerable to XSS attacks. Commented Jan 8, 2016 at 17:58
  • This is how I'm echoing: while($row = $stmt->fetch(PDO::FETCH_ASSOC)) { echo $row['Question'].'|'.$row['AnswerA'].'|'.$row['AnswerB'].'|'."bl3nq".$row['AnswerC'].'|'."bl3nq".$row['AnswerD'].'|'."bl3nq".$row['AnswerE'].'|'.$row['rightanswer'].'|'.$row['scrambleanswers'].'|'."noimg".$row['image'].'|'."bl3nq".$row['feedback'].'|'."bl3nq".$row['imagesource'].'|'; } I don't think I'm using any unusual escape function. Does PDO do this automatically, perhaps? Commented Jan 8, 2016 at 18:11
  • No, PDO doesn't escape automatically. Are you sure the data is stored in the database unescaped? Perhaps you escaped it prior to insertion? Commented Jan 8, 2016 at 18:16
  • If I am storing in the MySQL database as VARCHAR, would this cause the problem? Do I need to change to TEXT perhaps? Commented Jan 8, 2016 at 18:19
  • No, that would not make any difference. Commented Jan 8, 2016 at 18:21

2 Answers

0

It turns out that the PHP script is echoing the text correctly, but that my user front-end (an HTML5/JavaScript application) is then taking the echoed formatted text and writing it as code. So, in short, the echoing is working in PHP. Now I just need to figure out how to cause my front-end application to show the text as rich text, not code.
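Added example, not part of the original answer or the asker's application: one way for a JavaScript front end to show a small set of formatting tags such as `<sub>` as rich text while keeping everything else inert, which addresses the XSS concern raised in the first comment. The function names and the tag allowlist are assumptions, and the stored value is assumed to be raw markup like `CO<sub>2</sub>`.

```javascript
// Added example; names and the allowlist are hypothetical, not from the thread.
// Only attribute-free formatting tags are ever turned back into markup.
const ALLOWED_TAGS = ["sub", "sup", "b", "i", "em", "strong", "u"];

// Escape every HTML metacharacter so the whole string becomes inert text.
function escapeHtml(text) {
  return String(text)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Matches an escaped tag only when it is exactly <name> or </name>:
// anything carrying attributes or other content never matches.
const TAG_PATTERN = new RegExp(`&lt;(/?)(${ALLOWED_TAGS.join("|")})&gt;`, "gi");

// Returns HTML that is safe to assign to element.innerHTML.
function renderRichText(stored) {
  const open = []; // stack of currently open allowlisted tags
  const html = escapeHtml(stored).replace(TAG_PATTERN, (match, slash, name) => {
    const tag = name.toLowerCase();
    if (!slash) {
      open.push(tag);
      return `<${tag}>`;
    }
    // Honour a closing tag only if it closes the innermost open tag.
    if (open[open.length - 1] === tag) {
      open.pop();
      return `</${tag}>`;
    }
    return match; // stray closer stays visible as escaped text
  });
  // Close whatever is still open so formatting cannot leak into the page.
  return html + open.reverse().map((t) => `</${t}>`).join("");
}

// Constructed sample values:
console.log(renderRichText("CO<sub>2</sub>"));
console.log(renderRichText("<script>alert(1)</script>"));
```

Assigning the stored value to `textContent` would show the tags as literal code, while assigning it unfiltered to `innerHTML` would render any markup a user stored.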


-1

Before inserting into your database, use htmlspecialchars($string);

Example:

    $string = "CO<sub>2</sub>";
    $stringToInsert = htmlspecialchars($string);

After inserting $stringToInsert into your database, you can print it on your page like this:

    $decodedString = htmlspecialchars_decode($stringToInsert);
    echo $decodedString;

I prefer using htmlspecialchars instead of htmlentities for this case.

7 Comments

Hi Pablo, This is being inserted with a plugin: ckeditor so I don't know how to change the way it is entered, but it is entered as code. The problem I am having is that I want it to echo as formatted text, not code.
It looks like the echoing is fine when I check the echo, but my HTML5/JavaScript application front end is re-writing it as code again. Not sure how to fix this yet. If you have any ideas, that would be great.
Can you show me what data is stored in your database? Is it: CO<sub>2</sub> or something like "CO&lt;sub&gt;2&lt;/sub&gt;"?
If you have the second one, you can just use: html_entity_decode()