When displaying large text blocks from your database you must sometimes deal with special characters. When these text blocks are displayed on your webpage, white space and line breaks are not preserved, characters like <, >, & are interpreted as HTML instead of being displayed as is, and other special characters are not protected properly, so the output does not display the way you wanted it to.
Let's say you have a guestbook. A user decides to post on your guestbook and he/she decides to use the bold tag <b></b>. Your browser will interpret this as HTML, and because of that the user's message will be bold, as shown in the example below.
Example (screenshots in the original): the user posting his/her message, and the query output showing the message rendered in bold.
Not a lot of harm in that one, but remember that there are other HTML tags that could cause much bigger problems when a user decides to use them (e.g. header tags, meta refresh, etc.).
So how do we fix this problem? Thankfully PHP comes with a number of functions designed specifically to solve it.
strip_tags() - this enables you to strip all HTML and PHP tags out of a string, returning only the plain text.
htmlentities() - this converts characters like <, >, & to their HTML entities so they are displayed "as is", preventing your browser from interpreting them as HTML.
We will now use the above functions on our previous example.
Screenshots in the original: the bold tag displayed using the strip_tags() function, and the bold tag displayed using the htmlentities() function.
As you can see, the HTML tags are gone in our first example, and the HTML tags are displayed as is in our second example.
Let's say you have a news publishing system. You want to display two separate paragraphs in your news item, so you would type something like this on your form.
This would be the result when this text block is output from your database.
As you can see, the two paragraphs are not separated as you wanted them to be. To solve this problem we use the function below.
nl2br() - this automatically preserves new lines in a text block by converting them to the HTML <br /> tag.
Here's the previous example using the nl2br function.
The two paragraphs are now separated into two lines using the nl2br function.
When inserting text into your database you must escape single quotes, double quotes and backslashes or you will get an SQL syntax error from your code. You can use the function below to avoid this.
addslashes() - this escapes any single quote, double quote and backslash in a string, for example GET/POST/COOKIE data.
** IMPORTANT: If magic_quotes_gpc is enabled on your webhost's server (enabled by default) you don't need to use the function above, as it automatically adds a backslash before every single quote, double quote and backslash. If you want to check whether magic_quotes_gpc is enabled you can use the code below.
<?php echo "magic_quotes_gpc is ".(ini_get("magic_quotes_gpc") ? "enabled" : "disabled")."."; ?>
Save the code under whatever name you want and just run it. magic_quotes_gpc may look friendly, but it's not! Remember that it can be turned on or off. So if you have a script that you run on your webhost's server with magic_quotes_gpc enabled, then pass the same script to your friend whose webhost has magic_quotes_gpc disabled, we've got a problem: your friend still needs the escaping characters (the addslashes function) because magic_quotes_gpc is not enabled on his webhost's server!
Makes sense? No? OK, have a look at this link.
OK, I have tried my best to explain everything; hopefully you learned something new. Please remember that there are other PHP functions to handle these kinds of things, like htmlspecialchars() or stripslashes(). Have a look at PHP String Functions and see if you can find what you're looking for. Good luck and happy coding!
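The following is an added example, not code from the original article, that puts the functions discussed above together: the two ways of rendering the guestbook message (strip_tags() versus htmlentities(), each followed by nl2br()), and an addslashes() wrapper that only escapes when magic_quotes_gpc is off, so the same script behaves the same on both webhosts. The function names and the sample message are made up for this example.

```php
<?php
// Added example (not from the original article). The helper names below are
// invented for this demonstration.

// Constructed sample input: a guestbook post using the bold tag and a header
// tag, with two paragraphs separated by a blank line.
$posted = "Hello <b>world</b> & friends\n\n<h1>Not a heading</h1> it's \"quoted\"";

// Way 1: remove every HTML/PHP tag, then turn the newlines into <br />.
// Note that strip_tags() leaves &, ' and " untouched, so a bare & still
// reaches the browser unencoded.
function render_stripped($text) {
    return nl2br(strip_tags($text));
}

// Way 2: keep the tags but show them literally. ENT_QUOTES also converts
// ' and " (needed if the text ever lands inside an attribute value), and the
// charset is given explicitly because the default changed between PHP versions.
function render_escaped($text) {
    return nl2br(htmlentities($text, ENT_QUOTES, 'UTF-8'));
}

// Escape a GET/POST/COOKIE value for an SQL string literal exactly once:
// skip addslashes() when magic_quotes_gpc already added the backslashes.
// (magic_quotes_gpc was removed in PHP 5.4, where ini_get() returns "" and
// addslashes() always runs; prepared statements are the modern replacement.)
function escape_for_query($gpc_value) {
    if (ini_get('magic_quotes_gpc')) {
        return $gpc_value;             // host already escaped it
    }
    return addslashes($gpc_value);     // add the backslashes ourselves
}

echo render_stripped($posted), "\n\n";
// Hello world & friends<br />
// <br />
// Not a heading it's "quoted"

echo render_escaped($posted), "\n\n";
// Hello &lt;b&gt;world&lt;/b&gt; &amp; friends<br />
// <br />
// &lt;h1&gt;Not a heading&lt;/h1&gt; it&#039;s &quot;quoted&quot;

echo escape_for_query("O'Reilly said \"hi\" \\ end"), "\n";
// O\'Reilly said \"hi\" \\ end   (when magic_quotes_gpc is off)
```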