tags:

views:

22

answers:

2

My homepage pulls in content from my MySQL database to create a blog. I've got it so that it only displays an extract from the posts. For some reason it displays HTML tags as well rather than formatting it using the tags (See picture below). Any help is appreciated.

Homepage:

<html>
    <head>
        <title>Ultan Casey | Homepage</title>
        <link rel="stylesheet" href="css/style.css" type="text/css" />
    </head>
    <body>
         <div class="wrapper">
             <div id="upperbar">
             <a href="#">Home</a>
             <a href="#">About Me</a>
             <a href="#">Contact Me</a>
             <a href="http://www.twitter.com/UltanKC">Twitter</a>
         <form id="search-form" action="/search" method="get">
             <input type="text" id="textarea" size="33" name="q" value=""/>
             <input type="submit" id="submit" value="Search"/>
         </form>
             </div>
             <div id="banner">
             <img src="images/banner.jpg">
             </div>
             <div class="sidebar"></div>
             <div class="posts">
             <?php
             mysql_connect ('localhost', 'root', 'root') ;
             mysql_select_db ('tmlblog');

             $sql = "SELECT * FROM php_blog ORDER BY timestamp DESC LIMIT 5";

             $result = mysql_query($sql) or print ("Can't select entries from table php_blog.<br />" . $sql . "<br />" . mysql_error());

             while($row = mysql_fetch_array($result)) {

                 $date = date("l F d Y", $row['timestamp']);

                 $title = stripslashes($row['title']);
                 $entry = stripslashes($row['entry']);
                 $id = $row['id'];

                 ?>
                  <?php echo "<p id='title'><strong><a href=\"post.php?id=". $id . "\">" . $title . "</a></strong></p>"; ?><br />

                        <div class="post-thumb"><img src="thumbs/<?php echo $id ?>.png"></div>
                        <?php echo htmlspecialchars(substr($entry, 0, 1050)) ?>...   
                        <br>          

                        <hr><br />
                        Posted on <?php echo $date; ?>
                        </p>
                        </div>

                                    </div>


                            </p>


                            <?php
                        }
                        ?>
                       </div> 
             </div>

         </div>
    </body>
</html>

Image: alt text

+1  A: 

You're passing your post through htmlspecialchars, which encodes < as &lt; and > as &gt;, among other things. This means they display as < and > instead of being parsed as html tags.

The whole point of htmlspecialchars is to produce text that's inert in HTML... to make it display as-is.

A better way to do this is to NOT store <br /> (or any other html) in your post. Instead, use regular line breaks, and echo nl2br(htmlspecialchars($text)) into your page.

If you absolutely need to allow html, you might consider something like HTML Purifier to handle escaping nasty stuff, in which case you'd skip the htmlspecialchars call. Just beware: It's not a good idea to write your own filter to stop malicious code when displaying user-supplied HTML.

grossvogel
How would I go about mending the problem? What should I change htmlspecialchars to?
ThatMacLad
Edited my answer to include a recommendation.
grossvogel
When I use your method it does not display the extract of the post. Any other recommendations?
ThatMacLad
you mean it displays the whole post or it displays nothing? In your case it'd be `nl2br(htmlspecialchars(substr($entry, 0, 1050)))`
grossvogel
It displays the whole post on the homepage. I'd rather limit it to a certain amount of characters so that visitors have to head over to the post page.
ThatMacLad
ok, see my edited comment. you just have to combine my suggestion with the `substr` call you already had in there.
grossvogel
That php that you provided me with "nl2br(htmlspecialchars(substr($entry, 0, 1050)))" limits the entry and adds in the formatting but still displays the HTML.
ThatMacLad
You have to take the html *OUT* of your post. It should just be newlines, which'll get translated to <br /> by the call to `nl2br`. That's the 3rd paragraph of my initial answer, and it's crucial.
grossvogel
A: 

echo substr($entry, 0, 1050)

Gary
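
An added example, not part of either answer: the truncate, escape, then `nl2br` order recommended in the first answer, written as one function and run on constructed post bodies, including one that still contains stored markup. `make_excerpt` is a hypothetical helper name, and the code assumes PHP 7 or later with the mbstring extension.

```php
<?php
// Added example, not code from the thread. make_excerpt() is a hypothetical
// helper; the 1050-character limit is the one used in the question.

/**
 * Build an HTML-safe excerpt from a plain-text post body.
 * Order matters: truncate the raw text, then escape, then add <br />.
 */
function make_excerpt(string $entry, int $limit = 1050): string
{
    // Cut on characters, not bytes, so a multibyte UTF-8 character
    // is never split in half.
    $truncated = mb_strlen($entry, 'UTF-8') > $limit;
    $text = $truncated ? mb_substr($entry, 0, $limit, 'UTF-8') : $entry;

    // Escape after truncating: cutting an already-escaped string could
    // leave a broken entity fragment at the end of the excerpt.
    $safe = htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');

    // Newlines become <br /> only after escaping, so those line breaks
    // are the only tags the excerpt can contain.
    return nl2br($safe) . ($truncated ? '...' : '');
}

// Constructed sample post bodies (not data from the thread).
$plainPost  = "First line of the post.\nSecond line with 5 < 6 & \"quotes\".";
$markupPost = "Hello<br /><script>alert(1)</script>";

// Plain text with newlines: line breaks are rendered, special characters escaped.
echo make_excerpt($plainPost), "\n";

// Stored markup is emitted as literal text, so the browser displays the
// tags instead of interpreting them.
echo make_excerpt($markupPost), "\n";

// A short limit shows the truncation marker being appended.
echo make_excerpt("abcdef", 3), "\n";
```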