How come HTML pulled from MySQL comes out as HTML source when using PHP?

September 9, 2009

Q: I am storing HTML formatted text into MySQL. When fetching the data from MySQL (using PHP) the information displays all the text including the HTML tags. Is there a function that would allow me to display the information per the “HTML” format?

2 Responses to “How come HTML pulled from MySQL comes out as HTML source when using PHP?”
    Picked as best answer

    You need to make sure you are very careful when it comes to allowing HTML in your database and not sanitizing it going in or coming out. Many pieces of software, like vBulletin for example, use codes like [b], [i], etc. instead of the actual HTML tags. Then what they do is sanitize the code on the way into the database and on the way out to make sure that people do not put bad things in there that could end up leading to cross-site scripting exploits and whatnot.

    They would then parse the result as they are displaying it and convert those [b], [i], [url], etc. tags into actual HTML tags. This is something you should very much consider if you allow users to enter content.

    WordPress handles it a little differently in that they only allow certain tags for comments, it is a little different for posts I believe. So they do their checks when people post a comment or a post and make sure to remove anything that might be bad. The difference here is that some things can get by that probably should not.

    In your particular case I suspect that htmlentities is being called, and what that does is turn <B> into &lt;B&gt;. Again, this is usually done for security reasons, so if you want to make this stop you either need to remove this or you need to call html_entities_decode to convert the data back into HTML before you display it.

    I don't think I can stress this enough: you have to be very careful. Even if you are the only one that has access to this area, it is possible your site could get hacked and people could enter malicious code into your database, and it could easily harm your visitors if you do not take the proper security precautions. This does not mean just setting up the correct security right now; it means monitoring it over the life of the code as well.

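The three approaches the answer describes, side by side, as an added example (not code from the original post or from vBulletin/WordPress). It assumes the stored column already holds htmlentities()-encoded markup, which is the situation the answer suspects; the sample row is constructed inline in place of a real MySQL fetch. Note that the PHP function that reverses htmlentities() is spelled html_entity_decode(). The BBCode converter and the tag allowlist are illustrative, not a drop-in replacement for a maintained sanitizer.

```php
<?php
// Added example, not code from the original post. Assumes the stored column
// already contains htmlentities()-encoded markup (the poster's suspected case).
declare(strict_types=1);

// Constructed sample row standing in for a MySQL fetch (hypothetical data).
$row = ['body' => htmlentities('<b>Bold</b> and <script>alert(1)</script>', ENT_QUOTES, 'UTF-8')];

// 1. What the poster is seeing: the encoded text, echoed as-is, renders the tags.
echo $row['body'], "\n";

// 2. The poster's literal fix: decode so the browser sees real HTML again.
//    Only acceptable if you wrote every byte of that column yourself; any
//    <script> that made it into the database comes back out verbatim.
echo html_entity_decode($row['body'], ENT_QUOTES, 'UTF-8'), "\n";

// 3. vBulletin-style approach: store [b], [i], [url] codes, escape everything
//    on output, then turn only the known codes into HTML.
function bbcodeToHtml(string $text): string
{
    // Escape first so any raw HTML in the input becomes inert text.
    $safe = htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    $safe = preg_replace('#\[b\](.*?)\[/b\]#is', '<b>$1</b>', $safe);
    $safe = preg_replace('#\[i\](.*?)\[/i\]#is', '<i>$1</i>', $safe);
    // Only http(s) URLs become links; javascript: and data: URLs are left as
    // plain text. Quotes cannot appear raw here because of the escaping above.
    $safe = preg_replace_callback(
        '#\[url=(https?://[^\]\s<>"\']+)\](.*?)\[/url\]#is',
        fn(array $m): string => '<a href="' . $m[1] . '" rel="nofollow">' . $m[2] . '</a>',
        $safe
    );
    return $safe;
}

// 4. WordPress-style approach: keep a short list of harmless tags and drop
//    the rest. strip_tags() alone keeps attributes on the tags it allows, so
//    <b onmouseover="..."> would survive it; the second step removes them.
function allowlistHtml(string $html): string
{
    $kept = strip_tags($html, '<b><i><em><strong><p><br>');
    return preg_replace('#<(/?)(b|i|em|strong|p|br)\b[^>]*>#i', '<$1$2>', $kept);
}

// Constructed user input exercising both the happy path and the abuse cases.
$userInput = '[b]Hello[/b] <script>alert(1)</script> '
    . '[url=javascript:alert(1)]x[/url] [url=https://example.com]site[/url]';
echo bbcodeToHtml($userInput), "\n";
echo allowlistHtml('<b onmouseover="alert(1)">hi</b><script>alert(1)</script>'), "\n";
```

Run it with `php example.php` and compare the four lines: the first shows the tags as text (the poster's symptom), the second shows them decoded including the script, the third shows the BBCode converter linking only the https URL, and the fourth shows the allowlist stripping the event handler and the script tag (strip_tags removes the tag but leaves its inner text, which is harmless once the tag is gone). For real user-supplied HTML, a maintained sanitizer such as HTML Purifier is a better choice than hand-written regexes like the ones above.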

    Thank you, it was very helpful.