ethana
Hangin' Around

Joined: Jan 05, 2006
Posts: 32
Location: Phoenix, AZ
|
Posted:
Thu Feb 16, 2006 9:57 pm |
|
Hello everyone. Writing a very simple module that simply takes a bunch of HTML code...stores it in the db...then later dumps it to be rendered later as an HTML page inside of the nuke framework. I've run into a small problem. When I go to output the HTML it dumps it as literal text with no rendering. Here is the snippet of code:
Code:
$sql = "SELECT * FROM ".$prefix."_html_pages WHERE page_id = '$page_id'";
$result = $db->sql_fetchrow($db->sql_query($sql));
$content .= "<br>" . stripslashes($result['content']) . "<br>";
OpenTable();
echo "<tr><td>";
//header('Content-type: text/html', false);
//echo "$content";
//$content = '<u>underlined</u><br /> <strong>bold</strong><img border="0" src="modules/HTML_Page_Creator/page_images/packages_primary_big.jpg" />';
echo $content;
echo "</td></tr>";
CloseTable();
|
As you can see I've tried to manipulate the headers, etc., even tested for shites and giggles to assign what is stored as text and literally printed to the page to a variable and output that. Worked fine that way.
I'm sure it's something obvious and well known in the nuke world but first time I've tried it so any help is appreciated. Thanks all. |
_________________ "Who the h*ll does the QA team think they are telling me im not meeting requirements?!?" |
|
|
 |
evaders99
Former Moderator in Good Standing

Joined: Apr 30, 2004
Posts: 3221
|
Posted:
Thu Feb 16, 2006 10:50 pm |
|
I'm not sure what you mean. "No rendering"? |
|
|
 |
ethana

|
Posted:
Thu Feb 16, 2006 11:49 pm |
|
No = not...not rendering as in rather than actually taking the HTML and making pretty things it's just dumping the HTML out as if you did a view source and saw the HTML |
|
|
|
 |
Raven
Site Admin/Owner

Joined: Aug 27, 2002
Posts: 17088
|
Posted:
Fri Feb 17, 2006 2:58 am |
|
I need to see the raw data that is stored in your table. Please post the simplest example of code that you are storing and also show the php code that you are using to insert the data into the table. |
|
|
|
 |
ethana

|
Posted:
Fri Feb 17, 2006 7:01 am |
|
np...here is the following spec for the table:
Code:
+----------------+--------------+------+-----+---------+----------------+
| Field          | Type         | Null | Key | Default | Extra          |
+----------------+--------------+------+-----+---------+----------------+
| page_id        | int(15)      |      | PRI | NULL    | auto_increment |
| parent_page_id | int(15)      | YES  |     | NULL    |                |
| page_name      | varchar(100) |      |     |         |                |
| content        | longblob     |      |     |         |                |
+----------------+--------------+------+-----+---------+----------------+
|
Hopefully that formats right.....
Here is the code that inserts into the table:
Code:
function add_new_page($content, $parent_page_id, $page_name) {
    global $prefix, $user_prefix, $db, $sitename, $admin_file;
    include ("header.php");
    print_navbar();
    //GraphicAdmin();
    $content = htmlspecialchars(addslashes($content));
    $sql_insert = "INSERT INTO ".$prefix."_html_pages VALUES ('', '$parent_page_id', '$page_name', '$content')";
    $sql_select = "SELECT * FROM ".$prefix."_html_pages WHERE page_id = '$parent_page_id'";
    $parent_page_name = $db->sql_fetchrow($db->sql_query($sql_select));
|
Here is the code that outputs the page when you go to view...I should note that right before the above code that enters the HTML into the db, I do a preview page which works fine; the difference is that it's coming from the previous page's form input and not a db lookup:
Code:
$sql = "SELECT * FROM ".$prefix."_html_pages WHERE page_id = '$page_id'";
$result = $db->sql_fetchrow($db->sql_query($sql));
$content .= "<br>" . stripslashes($result['content']) . "<br>";
OpenTable();
echo "<tr><td>";
//header('Content-type: text/html', false);
//echo "$content";
//$content = '<u>underlined</u><br /> <strong>bold</strong><img border="0" src="modules/HTML_Page_Creator/page_images/packages_primary_big.jpg" />';
echo $content;
echo "</td></tr>";
CloseTable();
|
The actual data in the field is:
Code:
<u>underlined</u><br /> <strong>bold</strong><img border="0" src="modules/HTML_Page_Creator/page_images/packages_primary_big.jpg" />
|
I cant copy this and put it into a variable and then output it and the HTML renders fine. It's only when I go from the db directly to a variable to output. |
|
|
|
 |
fkelly
Former Moderator in Good Standing

Joined: Aug 30, 2005
Posts: 3312
Location: near Albany NY
|
Posted:
Fri Feb 17, 2006 9:05 am |
|
Try inserting the data without doing htmlspecialchars. |
|
|
|
 |
ethana

|
Posted:
Fri Feb 17, 2006 9:12 am |
|
I was actually half considering that earlier when I responded...I'll reply in a sec with the results of this. |
|
|
|
 |
ethana

|
Posted:
Fri Feb 17, 2006 9:24 am |
|
I guess maybe I misunderstood the intention of this function. I thought it was supposed to take certain HTML markups and store them as the more universal symbol...such as & being whatever and spaces being ...that sort of thing. Taking out that call fixed it. Thanks a lot! |
|
|
|
 |
fkelly

|
Posted:
Fri Feb 17, 2006 10:09 am |
|
I believe that the purpose of the function and the more exhaustive htmlspecialentities is to prevent users from sticking html into your database. This prevents them, for instance, from sticking script tags that might refer to a script on a different server and do something malicious when executed by a browser. So for anything where you want to prevent that from happening you should use them.
I believe that there are some functions in mainfile that have a certain list of "allowablehtml" (such as bolding, underlining) and will screen out everything else. I haven't looked at them recently. In your case the specialchars function was stopping you from doing what you wanted to do. |
|
|
|
 |
evaders99

|
Posted:
Fri Feb 17, 2006 1:22 pm |
|
Right - the allowed HTML is the check_html function |
|
|
|
 |
|
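Added example, not part of the thread and not PHP-Nuke's code: one way to handle what the last two replies describe, storing the HTML unmodified through a bound parameter and choosing the encoding when the page is output. The in-memory SQLite table, the helper names and the sample markup are assumptions made for the illustration; `render_allowlisted` is a hypothetical stand-in and does not reproduce `check_html`.

```php
<?php
// Added example. The table, helper names and sample markup are constructed.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE html_pages (page_id INTEGER PRIMARY KEY, content TEXT)');

// Store the markup exactly as submitted. The bound parameter takes care of
// SQL quoting, so neither addslashes() nor htmlspecialchars() belongs here.
function save_page(PDO $db, string $content): int {
    $stmt = $db->prepare('INSERT INTO html_pages (content) VALUES (?)');
    $stmt->execute([$content]);
    return (int) $db->lastInsertId();
}

function load_page(PDO $db, int $pageId): string {
    $stmt = $db->prepare('SELECT content FROM html_pages WHERE page_id = ?');
    $stmt->execute([$pageId]);
    return (string) $stmt->fetchColumn();
}

// Policy 1: content from untrusted users is displayed as text, never markup.
function render_as_text(string $raw): string {
    return htmlspecialchars($raw, ENT_QUOTES, 'UTF-8');
}

// Policy 2: escape everything, then turn back only attribute-free tags from
// a short allow-list. Anything else, <script> and <img ...> included, stays
// escaped and shows up as literal text.
function render_allowlisted(string $raw, array $tags = ['u', 'strong', 'b', 'i']): string {
    $safe  = htmlspecialchars($raw, ENT_QUOTES, 'UTF-8');
    $names = implode('|', array_map('preg_quote', $tags));
    $safe  = preg_replace('~&lt;(/?)(' . $names . ')&gt;~i', '<$1$2>', $safe);
    return preg_replace('~&lt;br\s*/?&gt;~i', '<br />', $safe);
}

// Constructed input: formatting tags plus a script tag pointing off-site.
$sample = '<u>underlined</u><br /> <strong>bold</strong>'
        . '<script src="//other.example/x.js"></script>';

$stored = load_page($db, save_page($db, $sample));

echo "stored unchanged:   ", var_export($stored === $sample, true), "\n";
echo "escaped at output:  ", render_as_text($stored), "\n";
echo "allow-listed:       ", render_allowlisted($stored), "\n";
```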