
Saving HTML content in MySQL database

I am using PHP and trying to save some HTML content in a MySQL database. The HTML content is generated by CKEditor. The content is something like this:

<p><img align="left" alt="" src="images/1im1.jpg" style="margin:1px 15px 0 0; border:1px solid #cecece; " /> <img alt="If syou love hot sauce" src="images/tit_If-you-love-hot-sauce.jpg" /></p><br>D'elidas is a fine<p>

I am using this in PHP:

$main_data = mysql_real_escape_string($_POST['content']);

This was working okay on my localhost (XAMPP), but it is not working online. My hosting is using the latest version of PHP and MySQL. After saving in the online database, I see this:

<p><img align=\"left\" alt=\"\" src=\"images/1im1.jpg\" style=\"margin:1px 15px 0 0; border:1px solid #cecece; \" /> <img alt=\"If syou love hot sauce\" src=\"images/tit_If-you-love-hot-sauce.jpg\" /></p>br>D\'elidas is a fine<p> 

And that is why the HTML is not displaying correctly on my page. Please help me with this. It is adding slashes before quotes. I want to save the exact HTML and show it on the front end.

Your hosting company probably has magic quotes turned on - http://php.net/manual/en/security.magicquotes.php

You can't disable it in code, but Example 2 here shows a workaround: http://www.php.net/manual/en/security.magicquotes.disabling.php

It sounds like your host probably has magic_quotes_gpc turned on, which will automatically add slashes to quotes and double quotes on data coming in from $_GET, $_POST, and $_COOKIE.

You might want to create a wrapper function for escaping GPC data. As an example...

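function mysql_escape_gpc($dirty)
{
    // magic_quotes_gpc has already added slashes to GET/POST/COOKIE input
    if (ini_get('magic_quotes_gpc'))
    {
        // return it unchanged so it is not escaped a second time
        return $dirty;
    }
    else
    {
        // no automatic slashes were added, so escape here
        return mysql_real_escape_string($dirty);
    }
}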

This way your code is portable, regardless of how the server is configured.

Also, if your production environment supports it, you should consider looking into prepared statements. This way you don't have to worry about escaping your data; however, you would still need to unescape it in the event that magic_quotes_gpc is turned on.
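The prepared-statement route suggested above, as an added example that is not part of the original answers: it undoes the magic-quotes slashes once on input and lets a bound parameter carry the HTML, so nothing needs stripping on output. The helper names, the `pages` table and the in-memory SQLite DSN (used so it runs without a server; a MySQL DSN takes the same PDO calls) are assumptions.

```php
<?php
// Added example (not from the original answers). Helper names, the `pages`
// table and the SQLite DSN are assumptions made for illustration.

// True only where the legacy magic_quotes_gpc setting still exists and is on.
function magic_quotes_active()
{
    return function_exists('get_magic_quotes_gpc') && @get_magic_quotes_gpc();
}

// magic_quotes_gpc ran addslashes() on the input; stripslashes() undoes it once.
function raw_gpc($value, $magicQuotesOn)
{
    return $magicQuotesOn ? stripslashes($value) : $value;
}

// Constructed sample: editor HTML, and the slashed form a magic-quotes host delivers.
$original = '<p><img alt="" src="images/1im1.jpg" /></p><br>D\'elidas is a fine';
$posted   = addslashes($original);

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE pages (id INTEGER PRIMARY KEY, content TEXT)');

// The bound parameter travels separately from the SQL text, so it needs no escaping.
$stmt = $pdo->prepare('INSERT INTO pages (content) VALUES (:content)');
// Real code would pass magic_quotes_active(); true here simulates the affected host.
$stmt->execute(array(':content' => raw_gpc($posted, true)));

$stored = $pdo->query('SELECT content FROM pages WHERE id = 1')->fetchColumn();
if ($stored !== $original) {
    throw new RuntimeException('stored HTML differs from what the editor sent');
}

// Refilling the editor's textarea: encode for the HTML text context only.
echo '<textarea name="content">'
    . htmlspecialchars($stored, ENT_QUOTES, 'UTF-8')
    . "</textarea>\n";
```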

I accomplished this by using the following code segments in PHP and a MySQL database:

Storing into the database. You must use the following code segment in the actual MySQL insert call. I found out that if you do this to the variable first and then put the variable in the insert call, it will not work. The function must be in the MySQL statement.
mysql_real_escape_string($myValue)

Retrieving into a textbox value. Assuming your values have already been retrieved from the database and are now in an array called theValues. Basically I am removing any backslashes, but beforehand I'm making sure it can be displayed correctly using htmlentities. Since there are no backslashes in HTML that I know of, it fixes it where servers replace quotes with \\". If you do encounter some backslashes in HTML, you'll just have to be a bit more clever in your replacement function.
$myValue= str_replace("\\\\", "", htmlentities($theValues->myValue)); echo $myValue;

Echoing out onto a page: same reasons as above, but the htmlentities function makes it only display the text of the HTML instead of processing the HTML.
str_replace("\\\\", "",$myValue)

When you fetch it from the database you need to run stripslashes() on the HTML string. Right?

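Notice: the technical posts on this site follow the CC BY-SA 4.0 license. If you need to repost, please credit this site's URL or the original address. For any questions, contact: yoyou2525@163.com.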
