  1. #1
    SitePoint Zealot (Join Date: Jan 2004, Location: USA, Posts: 125)

    html tags changed to < and > when saved to database...

    I have a language file that has the following arrays:

    PHP Code:
    $lang['signup_gender_values'] = array(
        'M' => '<img class="absmiddle" src="/gfx/icon=male.png" width="16" height="16" alt="Male" border="0" />',
        'F' => '<img class="absmiddle" src="/gfx/icon=female.png" width="16" height="16" alt="Female" border="0" />'
    );

    $lang['signup_gender_icons'] = array(
        'M' => '<img class="absmiddle" src="/gfx/icon=male.png" width="16" height="16" alt="Male" border="0" />',
        'F' => '<img class="absmiddle" src="/gfx/icon=female.png" width="16" height="16" alt="Female" border="0" />'
    );

    $lang['signup_gender_look'] = array(
        'M' => '<img class="absmiddle" src="/gfx/icon=male.png" width="16" height="16" alt="Male" border="0" />',
        'F' => '<img class="absmiddle" src="/gfx/icon=female.png" width="16" height="16" alt="Female" border="0" />'
    );

    When this language file is uploaded, you must go into the admin panel to load the language file before the changes will reflect on the site. Looking at the attached screenshot, can someone tell me why the HTML tags are removed in the db?

  2. #2
    guido2004 (From Italy with love; Join Date: Sep 2004, Posts: 9,494)
    No.
    Post the code that receives the uploaded file and saves it in the database.

    Btw, this looks more like a PHP question (or whatever language you use).

  3. #3
    Kailash Badu (SitePoint Wizard; Join Date: Nov 2005, Posts: 2,560)
    When the data is uploaded to the server, the HTML characters are being converted to HTML entities. It's likely that either the function htmlspecialchars() or htmlentities() is being applied on the data before being inserted into the database. Find the part of the code that is responsible for updating the database and remove those functions.

  4. #4
    SitePoint Zealot (Join Date: Jan 2004, Location: USA, Posts: 125)
    I found it. What is the likelihood that the following...

    $osDB->query($sql, array(LANGUAGE_TABLE, $_REQUEST['langname'], $key, $subkey, htmlspecialchars($descr)));

    Can be changed to...

    $osDB->query($sql, array(LANGUAGE_TABLE, $_REQUEST['langname'], $key, $subkey, $descr));

    ...without repercussions? I realize this may not be possible to ascertain given the small snippet of code compared to the remainder of the application, but, in general, are there considerations or reasons why htmlspecialchars is a necessity?

  5. #5
    felgall (Programming Since 1978; Join Date: Sep 2005, Location: Sydney, NSW, Australia, Posts: 16,785)
    Those functions are intended for use when extracting data FROM a database for display on a web page where you know the data is not supposed to contain HTML. It serves no useful purpose when inserting data into a database (makes the data bigger than necessary) and breaks the processing if used for extracting fields from a database that are supposed to contain HTML.
    Stephen J Chapman

  6. #6
    Kailash Badu (SitePoint Wizard; Join Date: Nov 2005, Posts: 2,560)
    The first thing you need to do is decide whether your application requires that value to have HTML or not. Often your application needs to accept nothing but plain text from the users. In those cases you can filter out these tags with strip_tags() or other libraries.

    From your first post, however, it's apparent that you actually need to accept HTML tags. So I think you can just insert data into the database without applying htmlspecialchars() on them.

    I also assume that only an admin will be uploading the language files so it should be relatively safe to insert them into the database without running any kind of input sanitization. Had the data been coming from common users whose intentions are not always the best, it would have been sensible to sanitize the user input with libraries like HTML Purifier before it goes into the database.
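As an added illustration of the point made in posts #3, #5 and #6 (store the value raw, escape at display time, and only for fields that are not meant to carry HTML), and not code from this thread or from the poster's application, the following PHP sketch keeps the uploaded language value unchanged in the database and applies htmlspecialchars() in the view according to a per-key policy. The PDO/SQLite setup, the `lang` table, the HTML_ALLOWED_KEYS list and the `profile_nickname` field are assumptions made for the example. The last two lines reproduce the double-encoding that escaping on INSERT causes once the view escapes again.

```php
<?php
// Added example, not the original poster's application code.
// Assumes PDO with the SQLite driver; table and column names are made up.

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE lang (langname TEXT, k TEXT, subkey TEXT, descr TEXT)');

// Storage layer: parameterised INSERT, no htmlspecialchars().
// The bound parameter is what protects the query; HTML escaping is a
// concern of the page that renders the value, not of the database.
function saveLangValue(PDO $db, string $langname, string $key, string $subkey, string $descr): void
{
    $stmt = $db->prepare('INSERT INTO lang (langname, k, subkey, descr) VALUES (?, ?, ?, ?)');
    $stmt->execute([$langname, $key, $subkey, $descr]);
}

function loadLangValue(PDO $db, string $langname, string $key, string $subkey): ?string
{
    $stmt = $db->prepare('SELECT descr FROM lang WHERE langname = ? AND k = ? AND subkey = ?');
    $stmt->execute([$langname, $key, $subkey]);
    $row = $stmt->fetchColumn();
    return $row === false ? null : $row;
}

// View layer: the application, not the uploader, decides which keys are
// allowed to contain markup. Everything else is treated as plain text.
const HTML_ALLOWED_KEYS = ['signup_gender_values', 'signup_gender_icons', 'signup_gender_look'];

function renderLangValue(string $key, string $value): string
{
    if (in_array($key, HTML_ALLOWED_KEYS, true)) {
        // Trusted, admin-supplied markup: emit as stored.
        return $value;
    }
    // Plain-text field: encode <, >, &, " and ' so the value cannot become markup.
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Constructed sample rows: an icon that must keep its HTML, and a
// user-typed label that must not be interpreted as HTML.
$icon = '<img class="absmiddle" src="/gfx/icon=male.png" width="16" height="16" alt="Male" border="0" />';
saveLangValue($db, 'english', 'signup_gender_icons', 'M', $icon);
saveLangValue($db, 'english', 'profile_nickname', 'demo', 'Tom & Jerry <3');

// The icon comes back as markup; the nickname comes back entity-encoded.
echo renderLangValue('signup_gender_icons', loadLangValue($db, 'english', 'signup_gender_icons', 'M')), "\n";
echo renderLangValue('profile_nickname', loadLangValue($db, 'english', 'profile_nickname', 'demo')), "\n";

// What the original code did: escape at INSERT time. When the view then
// escapes again (its normal job), the stored "&lt;img" is encoded a second
// time and the browser shows the literal tag text instead of an image.
$storedEscaped = htmlspecialchars($icon);
echo htmlspecialchars($storedEscaped), "\n";
```

Running the script prints the icon tag intact, the nickname with its ampersand and angle bracket encoded, and finally the double-encoded string that the thread's screenshot would have shown. The policy list is deliberately in code rather than in the uploaded file, so an uploaded language file cannot promote a plain-text key to an HTML-bearing one; if the upload were ever opened to non-admin users, the HTML-allowed branch is where an allow-listing filter such as HTML Purifier would be applied before storage.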
