0

I'm stuck with this one...

I insert some data into a database table which comes from a form. Sometimes, this data contains html, so I do

$note = htmlentities(mysqli_real_escape_string($this->db, $_POST['note']));

I then store the $note in my database. When retrieving my notes, I check whether there is html code in it, and if there is, I want to have it highlighted using highlight_string(). That part works like a charm. Now here's the problem:

I am displaying the highlighted string in a div container, but it's overflowing because the white spaces are being converted to &nbsp;. I'm trying to remove those non-breaking spaces and replace them with a simple space so the highlighted string will be contained in the div. I have tried this so far:

$note = html_entity_decode($note);
$note = highlight_string($note);
$note = preg_replace('/&nbsp;/', ' ', $note);

I have also tried $note = str_replace('&nbsp;', ' ', $note);, to no avail.

Any help is very much appreciated! Thanks :)

7
  • Send TRUE as second parameter to highlight_string for it to return the value Commented Aug 29, 2014 at 6:18
  • Try saving your data like this first and then try to see output. See if it works: htmlentities(mysqli_real_escape_string($this->db, base64_encode($_POST['note']))); Commented Aug 29, 2014 at 6:18
  • @RolenKoh Don't throw more junk on the fire. It is entirely unnecessary to base64-encode the data. Commented Aug 29, 2014 at 6:24
  • Oh. No. htmlentities(mysqli_real_escape_string(NO)). Do not use HTML escaping to "protect" database access; use escaping only when applied to the context for which it was applied - in this case that would mean using htmlentities when output as appropriate, and not before. At the very least, use mysqli_real_escape_string (MRES) last prior to building the SQL string. If MRES doesn't make the data safe, then applying HTML escaping won't do any good. But better, don't even use MRES - use parameterized queries. Commented Aug 29, 2014 at 6:27
  • 1
    @chaensel If using MRES (but really, use placeholders) do $insert_this_exactly = MRES(htmlentities($raw_data)). That is, only the result of MRES is guaranteed safe when used as a string literal content in SQL command text. However, I would do MRES($raw_data). Then you have the real data in the database, not some encoded junk that won't add any "security" against SQL injection - and has to be decoded later on! When displaying use echo "<span>" + htmlentities($original_raw_data) + "</span>"; or whatnot. That is, only encode for a specific context when used in that context. Commented Aug 29, 2014 at 6:40

2 Answers

2

I think the problem is quite simply that highlight_string() is outputting its result immediately, rather than saving it to $note.

Instead, please try the following:

$note = html_entity_decode($note);
$note = highlight_string($note, true);
$note = str_replace('&nbsp;', ' ', $note);

The difference in my code is that I use highlight_string($note, true) with the second parameter set to true. The docs shed some light about the function's behavior:

mixed highlight_string ( string $str [, bool $return = false ] )

return: Set this parameter to TRUE to make this function return the highlighted code.

The regex function you have in your code block might work, but since this is a simple replacement, it will suffice to use str_replace in this case, as you have tried.
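As an added example (not the asker's code and not the answerer's), the following puts the accepted answer and the comment thread's advice together: the raw text is stored with a prepared statement instead of htmlentities(mysqli_real_escape_string(...)), and encoding happens only when the note is rendered, where highlight_string($note, true) returns the markup and the &nbsp; entities are turned back into plain spaces. The notes table, the $db connection and the looks_like_html() check are assumptions; the question does not show how it detects HTML.

```php
<?php
// Added example; not code from the question or either answer. It assumes a
// hypothetical table `notes (id INT AUTO_INCREMENT, note TEXT)` and an open
// mysqli connection in $db. Needs PHP 7.4 or later.
declare(strict_types=1);

// Store the raw text exactly as submitted. A bound parameter replaces
// mysqli_real_escape_string(), and no HTML encoding happens here: the
// database holds the real data, encoding is done at output time.
function store_note(mysqli $db, string $raw): int
{
    $stmt = $db->prepare('INSERT INTO notes (note) VALUES (?)');
    if ($stmt === false) {
        throw new RuntimeException('prepare failed: ' . $db->error);
    }
    $stmt->bind_param('s', $raw);
    if (!$stmt->execute()) {
        throw new RuntimeException('execute failed: ' . $stmt->error);
    }
    return (int) $stmt->insert_id;
}

// Placeholder for the "does this note contain HTML" check the question
// mentions without showing; any tag-like markup counts here.
function looks_like_html(string $note): bool
{
    return $note !== strip_tags($note);
}

// Build the HTML for one note. This is the only place encoding happens,
// and it is HTML encoding because the output context is HTML.
function render_note(string $raw): string
{
    if (!looks_like_html($raw)) {
        // Plain text: one round of HTML escaping is all it needs.
        return '<span>' . htmlspecialchars($raw, ENT_QUOTES | ENT_HTML5, 'UTF-8') . '</span>';
    }

    // highlight_string() escapes the source itself (the note's own tags are
    // shown, not interpreted by the browser) and wraps it in <code>. The
    // second argument makes it RETURN the markup; without it the function
    // echoes and returns true, which is the bug the accepted answer found.
    $highlighted = highlight_string($raw, true);

    // Before PHP 8.3 the highlighter turns every space into &nbsp;, which
    // stops the browser from wrapping and overflows the container.
    // Plain spaces let the line wrap once CSS sets white-space: normal.
    return str_replace('&nbsp;', ' ', $highlighted);
}

// Constructed sample input, the kind of note the question describes.
$sample = "<b>a note</b>    with    runs of spaces";
echo render_note($sample), "\n";
// store_note($db, $sample);  // needs the mysqli connection assumed above
```

Two things worth knowing when running this: the &nbsp; substitution only matters on PHP versions before 8.3, where highlight_string() still emits &nbsp; and <br /> (8.3 switched to a <pre><code> wrapper with real whitespace, so the str_replace simply finds nothing), and the returned <code> element still needs the CSS from the comment below (white-space: normal; max-width: 100%) for long lines to wrap inside the div.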


1 Comment

Thank you very much @ljacqu! Setting the second parameter of highlight_string() to true worked for me. I also had to add some CSS to override the default <code> layout. I did the following in my CSS file: code { display: inline-block; max-width: 100%; white-space: normal; }

0

You can try with strip_tags in place of htmlentities

string strip_tags( string $str [, string $allowable_tags ] )

In allowable_tags, you can define the HTML you want to allow in the string. If null, it will not allow any HTML at all.

Reference : https://www.php.net/manual/en/function.strip-tags.php
