I have a problem. In my database I allow users to submit post titles through an input containing html entities and plaintext. As per what I have read, I use mysqli_real_escape_string to escape their post before adding it to the database, and then use htmlentities when the html is being output onto a page. However if the user posts something like
<div>( ͡° ͜ʖ ͡°)</div>
it gets mysqli escaped and stored in the database as
"<div>( ͡° ͜ʖ ͡°)</div>"
if I then use htmlentities on this string when outputting, it will return nothing. This must be something to do with the html entities already in the string, because if I test
<div>plaintext</div>
it works fine. How can I escape the html entities such as < and > within a string already containing encoded entities?
The purpose of htmlentities is to convert special characters into browser-renderable strings. Browsers will render the converted characters, so no re-conversion through htmlentities is required.
(POST)->htmlentities->mysqli_real_escape_string->(stored)->(SELECT)->(display)
It's best practice to convert to htmlentities before saving to the database and then just outputting it to your page without filtering or processing it. So you're OK.
Just don't use htmlentities again on the output...
but if you really need to... convert them back using html_entity_decode();
See: http://php.net/manual/fr/function.html-entity-decode.php
then use htmlentities()
but I don't see why you would do that.
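As an added example (not code from the question or the answer above), this is how the two escaping steps separate cleanly: the SQL side is handled by a bound parameter, and HTML escaping happens exactly once, at output, with the charset passed explicitly. The documented cause of htmlentities() returning an empty string is a byte sequence that is invalid in the charset it is given; ENT_SUBSTITUTE replaces such bytes instead of discarding the whole title. The table name `posts`, the column `title` and the `storeTitle` / `escapeForHtml` helpers are assumptions for this illustration.

```php
<?php
declare(strict_types=1);

// Store the raw title. SQL escaping is the driver's job via a bound parameter,
// so mysqli_real_escape_string() is not needed and nothing HTML-related is
// done here. Assumes a live connection opened with $mysqli->set_charset('utf8mb4').
function storeTitle(mysqli $mysqli, string $title): bool
{
    $stmt = $mysqli->prepare('INSERT INTO posts (title) VALUES (?)');
    $stmt->bind_param('s', $title);
    return $stmt->execute();
}

// Escape for an HTML text node or quoted attribute value on the way out.
// ENT_QUOTES covers both quote styles; ENT_SUBSTITUTE turns an invalid UTF-8
// sequence into U+FFFD instead of making htmlentities() return "".
function escapeForHtml(string $text): string
{
    return htmlentities($text, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Constructed sample input: the title from the question, markup included.
// The <div> tags come out as literal text, never as an element.
$title = '<div>( ͡° ͜ʖ ͡°)</div>';
echo escapeForHtml($title), PHP_EOL;

// Constructed sample input: a truncated UTF-8 sequence, the kind of byte that
// appears when the connection charset and the page charset disagree.
$truncated = "( \xC3 )";
echo 'without ENT_SUBSTITUTE: ', var_export(htmlentities($truncated, ENT_QUOTES, 'UTF-8'), true), PHP_EOL;
echo 'with    ENT_SUBSTITUTE: ', var_export(escapeForHtml($truncated), true), PHP_EOL;

// Storing the raw title only needs a connection; shown but not executed here:
// storeTitle(new mysqli('localhost', 'user', 'pass', 'db'), $title);
```

Run it from the command line to compare the two results for the truncated input; the first call yields an empty string, which is the symptom the question describes.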