The title basically sums it up. I built a small blog but I can't even post links in my articles! What can I do? I've tried htmlentities(), htmlspecialchars(), real_escape_string() and basically every form of escape there is. I am using PHP 5.3 with MySQL 5.1.
Here is my code to save the blog to the db:
function check_input($data, $problem='')
{
    $data = trim($data);
    $data = stripslashes($data);
    $data = htmlentities($data);
    if ($problem && strlen($data) == 0)
    {
        die($problem);
    }
    return $data;
}

if (isset($_POST['addBlog'])) { // form submitted?
    // get form values, escape them and apply the check_input function
    $title    = $link->real_escape_string($_POST['title']);
    $category = $link->real_escape_string(check_input($_POST['category'], "You must choose a category."));
    $content  = $link->real_escape_string(check_input($_POST['blogContent'], "You can't publish a blog with no blog... dumbass."));
    $date     = $link->real_escape_string(check_input($_POST['pub_date'], "What day is it foo?"));

    // our sql query
    $sql = $link->prepare("INSERT INTO pub_blogs (title, date, category, content) VALUES (?, ?, ?, ?)");
    $sql->bind_param('ssss', $title, $date, $category, $content);

    // save the blog (execute() returns false on failure, so check its result)
    #mysqli_query($link, $sql) or die("Error in Query: " . mysqli_error($link));
    if (!$sql->execute())
    {
        print "<p> Your Blog Was NOT Saved. </p>";
    }
}
and here is my code to display the blog:
// Grab the rows from our pub_blogs table
$result = mysqli_query($link, "SELECT * FROM pub_blogs ORDER BY date DESC") or die("Could not access DB: " . mysqli_error($link));

while ($row = mysqli_fetch_assoc($result))
{
    $id       = $link->real_escape_string($row['id']);
    $title    = $link->real_escape_string($row['title']);
    $date     = $link->real_escape_string($row['date']);
    $category = $link->real_escape_string($row['category']);
    $content  = $link->real_escape_string($row['content']);

    $id       = stripslashes($id);
    $title    = stripslashes($title);
    $date     = stripslashes($date);
    $category = stripslashes($category);
    $content  = stripslashes($content);

    echo "<div class='blog_entry_container'>";
    echo "<span class='entry_date'><a href='#'>" . $date . "</a> - </span><span class='blog_title'><a class='blogTitleLink' href='blog-view.php?id=" . $id . "'>" . $title . "</a></span>";
    echo "<p>" . $content . "</p>";
    echo "</div>";
}
While encoding characters is a good thing, one must make sure not to over-encode. Only encode what /needs/ to be encoded at that time. Don't encode the HTML before putting it into your database. You may want to print things out later, or you may want to run searches against it. Use the proper escape sequences for SQL (or, better yet, use PDO). Only when you are sending things to the browser should you escape the HTML, and then you need to decide what kind of escaping you need. If you want things like < and & converted to character entities so they display properly, then use the right escape method for that.
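The save and display code from the question, rewritten along the lines of this answer (an added example, not the answerer's code): values go into the database unmodified through a PDO prepared statement, and HTML escaping happens only at output. It assumes a PDO connection `$pdo` (with `PDO::ERRMODE_EXCEPTION` set) and the `pub_blogs` table from the question; `check_input`, `save_blog`, `h` and `render_blogs` are names chosen for the example. Written to run on PHP 5.3 like the original.

```php
<?php
// Added example. Assumes $pdo is a PDO connection to the blog database with
// PDO::ERRMODE_EXCEPTION enabled, and the pub_blogs table from the question.

function check_input($data, $problem = '')
{
    $data = trim($data);          // no stripslashes(), no htmlentities() here
    if ($problem !== '' && $data === '') {
        die($problem);
    }
    return $data;
}

// Store the raw text; bound parameters are sent separately from the SQL
// text, so quotes, backslashes and <a href=...> tags need no escaping.
function save_blog(PDO $pdo, array $post)
{
    $title    = check_input(isset($post['title']) ? $post['title'] : '', 'You must enter a title.');
    $category = check_input(isset($post['category']) ? $post['category'] : '', 'You must choose a category.');
    $content  = check_input(isset($post['blogContent']) ? $post['blogContent'] : '', 'You must enter some content.');
    $date     = check_input(isset($post['pub_date']) ? $post['pub_date'] : '', 'You must enter a date.');

    $stmt = $pdo->prepare(
        'INSERT INTO pub_blogs (title, date, category, content) VALUES (?, ?, ?, ?)'
    );
    return $stmt->execute(array($title, $date, $category, $content));
}

// Escape for the HTML context only when writing to the browser.
// ENT_QUOTES also covers the single quotes used in the attributes below.
function h($s)
{
    return htmlspecialchars($s, ENT_QUOTES, 'UTF-8');
}

function render_blogs(PDO $pdo)
{
    $out = '';
    $rows = $pdo->query('SELECT id, title, date, category, content FROM pub_blogs ORDER BY date DESC');
    foreach ($rows as $row) {
        $out .= "<div class='blog_entry_container'>";
        $out .= "<span class='entry_date'>" . h($row['date']) . " - </span>";
        // urlencode() for the query-string value, h() for attribute and element text
        $out .= "<span class='blog_title'><a class='blogTitleLink' href='blog-view.php?id="
              . urlencode($row['id']) . "'>" . h($row['title']) . "</a></span>";
        $out .= '<p>' . h($row['content']) . '</p>';
        $out .= '</div>';
    }
    return $out;
}
```

With `h()` applied to the content, any `<a>` tag an author typed is shown as literal text rather than rendered as a link; choosing to let authors publish HTML instead is the "decide what kind of escaping you need" step from the answer, and calls for an HTML sanitizer rather than `htmlspecialchars()`.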