[RESOLVED] Show everything in a string including <?php echo $id ?>

This is a problem that I couldn’t google the answer to.

I am trying to output a string as it is stored in the database. For example, if I store “<?php echo $id ?>test” and try to output it with PHP, I only get “test”. This is regardless of whether I use the filter_var() function or htmlspecialchars().

The method I am using to pull data from the database is PDO fetchAll().

It is a silly problem because I know this must have been solved an uncountable number of times before, but I couldn’t seem to figure it out.

SOLUTION:
The answer is simply that the filter_var() function should be applied to user input before storing it in the database, using FILTER_SANITIZE_FULL_SPECIAL_CHARS.


Actually, that’s the least favourable method. You should store the data as is in the database (using prepared statements) and apply htmlspecialchars() when you’re going to output the data. There may be cases where you want to search your DB for certain keywords (e.g. <?php) that you won’t find if they’re encoded.
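The pattern described in the reply above (prepared statements on the way in, htmlspecialchars() on the way out) as an added, stand-alone example; it is not code from any poster in this thread. It assumes PHP with the PDO SQLite driver available, and the table name, column names and sample messages are constructed for the demonstration:

```php
<?php
// Added example (not from the thread): store chat messages verbatim with PDO
// prepared statements, escape only when rendering to HTML, and show that the
// raw text is still searchable. Uses an in-memory SQLite database so it runs
// stand-alone; the "messages" table and the sample messages are constructed.
declare(strict_types=1);

$pdo = new PDO('sqlite::memory:', null, null, [
    PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
]);
$pdo->exec('CREATE TABLE messages (id INTEGER PRIMARY KEY, body TEXT NOT NULL)');

// Store exactly what the user typed. The bound placeholder keeps the text out
// of the SQL grammar, so quotes, "<?php" tags or "<script>" are just bytes in
// a column and nothing is altered or encoded on the way in.
function storeMessage(PDO $pdo, string $body): int
{
    $stmt = $pdo->prepare('INSERT INTO messages (body) VALUES (:body)');
    $stmt->execute([':body' => $body]);
    return (int) $pdo->lastInsertId();
}

// Escape at the output boundary only. ENT_QUOTES also covers attribute
// contexts; ENT_SUBSTITUTE avoids an empty result on malformed UTF-8.
function renderMessage(string $body): string
{
    return htmlspecialchars($body, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Constructed sample input, including the string from the original question.
$samples = [
    '<?php echo $id ?>test',
    "O'Reilly said <b>hi</b> & left",
    '<script>alert(1)</script>',
];
foreach ($samples as $s) {
    storeMessage($pdo, $s);
}

// Searching for the literal "<?php" works because the rows were stored raw;
// had they been run through FILTER_SANITIZE_FULL_SPECIAL_CHARS first, the
// column would hold "&lt;?php" and this query would find nothing.
$search = $pdo->prepare('SELECT id, body FROM messages WHERE body LIKE :needle');
$search->execute([':needle' => '%<?php%']);
$hits = $search->fetchAll();
printf("rows containing '<?php': %d\n", count($hits));

// Render every row. Echoing the raw column would let the browser swallow
// "<?php ... ?>" as a bogus tag (only "test" would be visible) and would run
// the <script>; the escaped version shows each message exactly as typed.
echo "<ul>\n";
foreach ($pdo->query('SELECT id, body FROM messages')->fetchAll() as $row) {
    echo '  <li>', renderMessage($row['body']), "</li>\n";
}
echo "</ul>\n";
```

Run it with `php example.php`: the search reports one matching row, and the first list item is emitted as `&lt;?php echo $id ?&gt;test`, which a browser displays verbatim. Escaping once, at the point where the string enters HTML, is what keeps the stored data reusable for search, for a JSON API, or for a different output format later.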

@Dormilich, I tried to store everything in the database and then used the HTML filter to output the result. However, since I am implementing a chat window, the user couldn’t have the freedom of sending complete messages that contain <?php ?> and so on.
