tags:

views:

22

answers:

2
+1  Q: 

Displaying unnecessary HTML when showing content from MySQL database.

My homepage pulls in content from my MySQL database to create a blog. I've got it so that it only displays an extract from the posts. For some reason it displays HTML tags as well rather than formatting it using the tags (See picture below). Any help is appreciated.

Homepage:

<html>
    <head>
        <title>Ultan Casey | Homepage</title>
        <link rel="stylesheet" href="css/style.css" type="text/css" />
    </head>
    <body>
         <div class="wrapper">
             <div id="upperbar">
             <a href="#">Home</a>
             <a href="#">About Me</a>
             <a href="#">Contact Me</a>
             <a href="http://www.twitter.com/UltanKC"&gt;Twitter&lt;/a&gt;
         <form id="search-form" action="/search" method="get">
             <input type="text" id="textarea" size="33" name="q" value=""/>
             <input type="submit" id="submit" value="Search"/>
         </form>
             </div>
             <div id="banner">
             <img src="images/banner.jpg">
             </div>
             <div class="sidebar"></div>
             <div class="posts">
             <?php
             mysql_connect ('localhost', 'root', 'root') ;
             mysql_select_db ('tmlblog');

             $sql = "SELECT * FROM php_blog ORDER BY timestamp DESC LIMIT 5";

             $result = mysql_query($sql) or print ("Can't select entries from table php_blog.<br />" . $sql . "<br />" . mysql_error());

             while($row = mysql_fetch_array($result)) {

                 $date = date("l F d Y", $row['timestamp']);

                 $title = stripslashes($row['title']);
                 $entry = stripslashes($row['entry']);
                 $id = $row['id'];

                 ?>
                  <?php echo "<p id='title'><strong><a href=\"post.php?id=". $id . "\">" . $title . "</a></strong></p>"; ?><br />

                        <div class="post-thumb"><img src="thumbs/<?php echo $id ?>.png"></div>
                        <?php echo htmlspecialchars(substr($entry, 0, 1050)) ?>...   
                        <br>          

                        <hr><br />
                        Posted on <?php echo $date; ?>
                        </p>
                        </div>

                                    </div>


                            </p 


                            <?php
                        }
                        ?>
                       </div> 
             </div>

         </div>
    </body>
</html>

Image: alt text

+1  A: 

You're passing your post through htmlspecialchars, which encodes < as &lt; and > as &gt;, among other things. This means they display as < and > instead of being parsed as html tags.

The whole point of htmlspecialchars is to produce text that's inert in HTML... to make it display as-is.

A better way to do this is to NOT store <br /> (or any other html) in your post. Instead, use regular line breaks, and echo nl2br(htmlspecialchars($text)) into your page.

If you absolutely need to allow html, you might consider something like HTML Purifier to handle escaping nasty stuff, in which case you'd skip the htmlspecialchars call. Just beware: It's not a good idea to write your own filter to stop malicious code when displaying user-supplied HTML.

grossvogel  2010-06-12 15:50:36
How would I got about mending the problem? What should I change htmlspecialchars to?
ThatMacLad  2010-06-12 15:51:59
Edited my answer to include a recommendation.
grossvogel  2010-06-12 15:55:06
When I use your method it does not display the extract of the post. Any other recommendations?
ThatMacLad  2010-06-12 15:58:41
you mean it displays the whole post or it displays nothing?in your case it'd be `nl2br(htmlspecialchars(substr($entry, 0, 1050)))`
grossvogel  2010-06-12 15:59:54
It displays the whole post on the homepage. I'd rather limit it to a certain amount of characters so that visitors have to head over to the post page.
ThatMacLad  2010-06-12 16:01:39
ok, see my edited comment. you just have to combine my suggestion with the `substr` call you already had in there.
grossvogel  2010-06-12 16:02:21
That php that you provided me with "nl2br(htmlspecialchars(substr($entry, 0, 1050)))" limits the entry and adds in the formatting but still displays the HTML.
ThatMacLad  2010-06-12 16:03:15
You have to take the html *OUT* of your post. It should just be newlines, which'll get translated to <br /> by the call to `nl2br`. That's the 3rd paragraph of my initial answer, and it's crucial.
grossvogel  2010-06-12 16:06:36
A: 

echo substr($entry, 0, 1050)

Gary  2010-06-12 15:54:41

related questions

Autosizing Textarea
Regular expression for parsing links from a webpage?
What are good tools for creating compiled HTML help files (.chm)?
Looking for WYSIWYG HTML editor
Any reason not to start using the HTML 5 doctype?
HTML comments break down
HTML Comments Markup
Setting a div's height in HTML with CSS
Wrapping lists into columns
Is a "Confirm Email" input good practice when user changes email address?
<XMP> Tag
HTML version choice
Options for HTML scraping?
How do you disable browser Autocomplete on web form field / input tag?
How do I make a checkbox toggle from clicking on the text label as well?
Html CSS Editor
Wordpress theme development offline tools
How do I give my web sites an icon for iPhone?
In HTML, how to word-break on a dash?
Detecting font in JavaScript
How do you test layout design across multiple browsers/OSs?
How do I print an HTML document from a web service?
Multiple submit buttons on a HTML form
How can I determine a web user's time zone?
Why doesn't the percentage width child in absolutely positioned parent work in IE7?