html 类更改为 Attributes

Question

i'm trying to send an html code to database and then show the code in index.php this is what i use to send the html code to DB:

when i quote the attributes i get sql syntax error

$result = "          <li>
                <a href=$Link class=external item-link item-content>
                  <div class=item-media><img src=$f_image class=lazy lazy-fade-in style=border-radius: 10px; width=42px height=42px></div>
                  <div class=item-inner>
                    <div class=item-title>
                      $Name <span class=test-bull>&bull;</span>
                      <div class=item-footer>$Info</div>
                    </div>
                    <div class=item-after></div>
                  </div>
                </a>
              </li>

              ";

$sql = "INSERT INTO table1 (test) VALUES ('$result')";

if ($conn->query($sql) === TRUE) {
    echo "New record created successfully";
}else {
    echo "Error: " . $sql . "<br>" . $conn->error;
}

and this is what i use to show the code in index.php:

<?php

      $sql = "SELECT test FROM table1";
       $result = $conn->query($sql);

 if ($result->num_rows > 0) {
    // output data of each row
     while($row = $result->fetch_assoc()) {
     echo $row ["test"];
 }
 } else {
    echo "0 results";
}

              ?>

now as you can see there is more than one class in my html code:

<a href=$Link class=external item-link item-content>

the problem is when i get the html code from database and show it in index.php the class are changed to attributes like this:

<li>
                <a href="test" class="external" item-link="" item-content="">
                  <div class="item-media"><img src="img/2ff4e.aa.png" class="lazy" lazy-fade-in="" style="border-radius:" 10px;="" width="42px" height="42px"></div>
                  <div class="item-inner">
                    <div class="item-title">
                      test <span class="test-bull">•</span>
                      <div class="item-footer">test</div>
                    </div>
                    <div class="item-after"></div>
                  </div>
                </a>
              </li>

those two class item-link and item-content are now item-link="" and item-content=""

what i did wrong? what i have to change/do?

sorry for my english

Answer 1

You need to add quotes. Try this:

$result = '          <li>
            <a href="'.$Link.'" class="external item-link item-content">
              <div class="item-media"><img src="'.$f_image.'" class="lazy lazy-fade-in" style="border-radius: 10px; width=42px height=42px"></div>
              <div class="item-inner">
                <div class="item-title">
                  '.$Name.' <span class="test-bull">&bull;</span>
                  <div class="item-footer">'.$Info.'</div>
                </div>
                <div class="item-after"></div>
              </div>
            </a>
          </li>

          ';

Answer 2

始终将变量括在大括号之间的字符串中，例如href={$Link}以便编译器可以准确确定变量在哪里以及如何将其值转换为字符串，特别是当变量不单独时（意味着任何其他数字、字母或符号直接与变量联系，如$Link之前的等号）

Answer 3

$result = "This is double quotes, I need html class :) simple <div 
class='class_name_under_single_q'> Content </div>";

$result = 'This is Single quotes, I need html class :) simple <div 
class="class_name_under_double_q"> Content </div>';

<?php
   $result = "<a href=".$Link." class=".external item-link item-content.">";
?>

if you use double quotes then use single quotes under double quotes .
But if you use single quotes then use double quotes under single quotes .

Answer 4

In HTML5 you always have to use quotes (' or ") around the value of html-attributes when the value contains a space or one of these characters: " ' ` = < >. To avoid the sql error, you have to mask the characters that may disturb in SQL context (you have always to do this when you inserting values into an SQL string):

$result = '[…]<a href="'.htmlspecialchars($Link).'" class="external item-link item-content">[…]';
$html = $conn->real_escape_string($result);
$sql = "INSERT INTO table1 (test) VALUES ('".$html."')";
if ($conn->query($sql) === true) {
    echo "New record created successfully";
}

(assuming that $conn contains a mysqli-connection) The call of htmlspecialchars() is necessary because you change the context of the string in $Link to html.

prepared statements are also possible:

$result = '[…]<a href="'.htmlspecialchars($Link).'" class="external item-link item-content">[…]';
$sql = "INSERT INTO table1 (test) VALUES (?)";
if($stmt = $conn->prepare($sql)) {
    $stmt->bind_param("s", $result);
    $stmt->execute();
}