I’ve written a simple form that allows user input and I’ve got the following code that does preserve carriage returns:
<?php
if (isset($_POST['submit']))
{
    $mysql = array(); // create array of mysql escaped values
    $mysql['text'] = mysql_real_escape_string( $_POST['text'] );
    // This will preserve spacing
    $query = "INSERT INTO dl_blog(body) VALUES ('{$mysql['text']}')";
    mysql_query( $query );
    $query = "SELECT * FROM dl_blog ORDER BY id DESC LIMIT 1";
    $result = mysql_query( $query );
    while( $row = mysql_fetch_array( $result, MYSQL_ASSOC ) )
    {
        $html = array(); // create an array of html formatted values
        $html['comment'] = nl2br( stripslashes( htmlentities( $row['body'], ENT_QUOTES, 'UTF-8' ) ) );
        echo "<br />{$html['comment']}<hr />";
    }
}
?>
The above shows the input for testing purposes - but it doesn’t allow any HTML characters, as when they get echoed out I can see them, i.e. <h1>, but they don’t actually affect the output.
How can I make it so that the HTML actually “works” when it is output?
Thanks.
(I got some of the above code from searching around the web, I didn’t write it all myself)
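
An added example, not part of the original post: one way to let a small set of tags render is to keep escaping everything on output and then restore only bare, attribute-free tags from an allowlist, so `<script>` and event-handler attributes stay inert. `render_comment()` and `ALLOWED_TAGS` are hypothetical names, and the sample input is constructed.

```php
<?php
// Added example: hypothetical helper, not code from the original post.
// Tags that may render; they are restored only in bare, attribute-free form.
const ALLOWED_TAGS = ['h1', 'h2', 'p', 'b', 'i', 'em', 'strong', 'ul', 'ol', 'li'];

function render_comment(string $body): string
{
    // 1. Escape everything, so no user-supplied markup is live.
    $escaped = htmlspecialchars($body, ENT_QUOTES, 'UTF-8');

    // 2. Re-enable only exact "<tag>" / "</tag>" forms of allowlisted tags.
    //    Anything carrying attributes (onclick, style, href, ...) does not
    //    match the pattern and therefore stays escaped.
    $pattern = '/&lt;(\/?)(' . implode('|', ALLOWED_TAGS) . ')&gt;/i';
    $html = preg_replace_callback(
        $pattern,
        function (array $m): string {
            return '<' . $m[1] . strtolower($m[2]) . '>';
        },
        $escaped
    );

    // 3. Preserve the line breaks the user typed.
    //    Note: tags are not balanced here; an unclosed <h1> can affect page
    //    layout, but it cannot introduce script.
    return nl2br($html);
}

// Constructed sample input: an allowed tag, a script tag, and an allowed
// tag that carries an event-handler attribute.
$sample = "<h1>Title</h1>\n"
        . "second line <script>alert(1)</script>\n"
        . "<h1 onclick=\"x()\">with attribute</h1>";

echo render_comment($sample), "\n";
```

For richer markup (links, images, attributes), a maintained sanitizer library such as HTML Purifier is the usual choice rather than extending the regex.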