
htmlentities/stripslashes - in conjunction with insertion into a field in mysql

willsherwood asked:
I've gotten confused about whether I need to convert anything coming from an HTML input web form
that is being stored directly into a MySQL field,
and then being repopulated back into the same web form (it's a member profile form that allows HTML tags in their bio).

Please advise on the processing and re-display PHP code.

Thanks

Software Architect, Top Expert 2010, commented:
For the values going into the database I would make sure you use mysql_real_escape_string()

Since you want users to have HTML tags in their bios you can't just use htmlentities as it will print the actual tags rather than render them.

You also have to use html_entity_decode() to get the html tags to render.

So your output would be something like this:
echo html_entity_decode(htmlentities($row['name']));

Something else you might want to look at is HTMLPurifier, to help protect against XSS attacks
http://htmlpurifier.org/

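The answer above mixes three separate concerns: escaping on the way into the database, sanitising HTML on the way out to the profile page, and re-populating the edit form. The following is an added example (my code, not the expert's or the asker's) that keeps those three apart, using a mysqli prepared statement instead of mysql_real_escape_string() (the mysql_* functions were removed in PHP 7) and HTMLPurifier for the output step the answer recommends. The `members` table with `id` and `bio` columns, the connection credentials and a Composer-installed HTMLPurifier are assumptions for illustration.

```php
<?php
// Added example, not from the original thread. Assumes a `members` table with
// `id` and `bio` columns and HTMLPurifier installed via Composer (assumptions).
require 'vendor/autoload.php';

// Make mysqli throw on errors instead of silently returning false.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

// --- 1. Storing the submitted bio -----------------------------------------
// A prepared statement lets the driver handle quoting, so no addslashes(),
// stripslashes() or manual escaping is needed: the bio is stored exactly as
// the member typed it, HTML tags included. Nothing about output belongs here.
function saveBio(mysqli $db, int $memberId, string $bio): bool
{
    $stmt = $db->prepare('UPDATE members SET bio = ? WHERE id = ?');
    $stmt->bind_param('si', $bio, $memberId);
    return $stmt->execute();
}

// --- 2. Rendering the bio on the public profile page ---------------------
// The bio is supposed to render as HTML, so htmlentities() would show the
// tags as text. Instead run it through an allow-list sanitiser so that only
// harmless tags survive and any <script>, event handler or javascript: URL
// that a member pasted in is stripped before other visitors see the page.
function renderBio(string $bio): string
{
    $config = HTMLPurifier_Config::createDefault();
    // Only the tags and attributes a bio needs; everything else is removed.
    $config->set('HTML.Allowed', 'p,br,b,strong,i,em,a[href],ul,ol,li');
    $config->set('URI.AllowedSchemes', ['http' => true, 'https' => true]);
    $purifier = new HTMLPurifier($config);
    return $purifier->purify($bio);
}

// --- 3. Re-populating the edit form ---------------------------------------
// Inside a <textarea> the raw stored HTML must appear as editable text, so
// here htmlspecialchars() is the right call: "<b>" becomes "&lt;b&gt;" in the
// page source and the browser shows the member the literal tag to edit.
// Without this, a stored "</textarea><script>" would break out of the field.
function editFormField(string $bio): string
{
    return '<textarea name="bio">'
        . htmlspecialchars($bio, ENT_QUOTES | ENT_HTML5, 'UTF-8')
        . '</textarea>';
}

// Constructed sample input, as a member might submit it.
$submitted = '<b>Hi!</b> <a href="javascript:alert(1)">my site</a><script>alert(1)</script>';

// Placeholder credentials; replace with your own.
$db = new mysqli('localhost', 'app_user', 'app_password', 'app');
saveBio($db, 42, $submitted);

// On the profile page: tags from the allow-list kept, script and the
// javascript: href removed by HTMLPurifier.
echo renderBio($submitted);

// On the edit page: the stored text shown verbatim inside the textarea.
echo editFormField($submitted);
```

The point of splitting it this way is that each function answers one question: the database layer never needs to know about HTML, the profile page never needs to know about SQL, and the edit form is the only place where htmlspecialchars() belongs.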

Author commented:
Appreciated. I'm on it...