String containing "<" ">" pulled from db get hidden in html

Some of my text fields in the database are "<sometext>". The caveats are important and can't be omitted.

Obviously when they appear in the html they are parsed as html tags and not shown. Aside from scanning each string as it is got from the database and inserting an escape sequence, is there a way to prevent this? Scanning every string is going to be massive overhead!
 
You're going to have to encode the angle brackets as &gt; + &lt; otherwise they will be parsed as html.

Can't the data be filtered before it is entered in the database if it is going to be rendered as HTML? If the data in the database is user supplied then it should definitely be filtered, otherwise someone could inject whatever they want into the output.
 
Don't parse it before you enter it into the db, parse it just before you display it. This will prevent you seeing the special chars when not using html.
 
Dj_Jestar said:
Don't parse it before you enter it into the db, parse it just before you display it. This will prevent you seeing the special chars when not using html.
What he said.
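An added example (not code from the thread) of the approach the replies recommend: keep the raw value in the database and encode it only on the HTML output path, so a non-HTML path still shows the original text. It also shows the double-encoding you get if the value was already escaped when it was stored. The rows and field names are constructed; `html.escape` is from the Python standard library.

```python
import html

# Constructed sample rows, standing in for what the database returns.
# The text is stored exactly as entered, angle brackets included.
DB_ROWS = [
    {"id": 1, "note": "<sometext>"},
    {"id": 2, "note": "Use <b> sparingly & close it with </b>"},
    {"id": 3, "note": '<script>alert("x")</script>'},  # user-supplied, untrusted
]


def escape_for_html(value: str) -> str:
    """Encode the characters HTML would otherwise interpret.

    html.escape handles & < > and, with quote=True, also " and ', so the
    result is safe in element content and inside quoted attribute values.
    """
    return html.escape(value, quote=True)


def render_row_html(row: dict) -> str:
    """HTML output path: escape at display time, not at storage time."""
    return f'<li data-id="{row["id"]}">{escape_for_html(row["note"])}</li>'


def render_row_text(row: dict) -> str:
    """Non-HTML output path (plain-text export, log, CSV): use the value as-is."""
    return f'{row["id"]}: {row["note"]}'


def render_page(rows) -> str:
    """Build the whole list; every field goes through the escaping renderer."""
    return "<ul>\n" + "\n".join(render_row_html(r) for r in rows) + "\n</ul>"


def pre_escaped_pitfall(value: str) -> dict:
    """What happens when the value is escaped on insert (the approach the
    thread advises against) and the output path escapes it again:
    the plain-text path shows entities and the HTML path double-encodes."""
    stored = escape_for_html(value)  # escaped before it hit the database
    return {"text_output": stored, "html_output": escape_for_html(stored)}
```

The escaping pass is a single linear scan per field at render time, comparable in cost to building the output string itself.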
 