Home/ Questions/Q 8179593
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-06-07T00:02:14+00:00

Gah, I never liked PHP, it’s so impure… Now I have to use it

  • 0

Gah, I never liked PHP, it’s so “impure”…

Now I have to use it and I have a problem with it: mainly neither html_entity_decode nor htmlspecialchars_decode seem to work for me. I’ve looked this forum all of over and nothing. It seems to work everywhere, just won’t work here…

I’m sending the title of a movie to a database, all encoded, then when I’m getting it from the DB, I’m decoding it with this:

$title = html_entity_decode($row['Title']);

And then:

"title":"'.$title.'"

It’s part of a JSON object which I’m creating with PHP. Although when I look at the properties of that particular object, it doesn’t have its title decoded, actually nothing at all changes. I tried both functions as stated in the title of the question and tried encoding like UTF-8, also some of the options like ENT_QUOTES or ENT_COMPAT but it still won’t work.

Can someone please tell me why the heck PHP won’t obey me ?

Edit:
Here’s the entirety of what I’m doing there:

echo 'var serverVideos = [';
while($row = mysql_fetch_array($result))
{
    $currentRow++;
    $data = array('posterSrc' => $row["Poster_name"],
        'videoSrc' => $row["Video_name"],
        'videoType' => $row["Type"]);

$title = html_entity_decode($row['Title']);
$poster = html_entity_decode($row['Poster_name']);
echo'{"id":"'.$row["ID"].'", "vimeoID":"'.$row["VimeoID"].'", "title":"'.$title.'" ,"client":"'.$row["Client"].'" , "production":"'.$row["Production"].'", "type":"'.$row["Type"].'", ';
            if($row["Type"] != "vimeo")
            {
                echo '"href":"'.http_build_query($data).'"';
            }
            else
            {
                echo '"href":"'.$row["Video_name"].'"';
            }
            echo ', "poster":"'.$poster.'"}';

            if($currentRow != $rowNumber)
            {
                echo ',';
            }
        }
        echo '];';

Sorry, it’s a little messy, in notepad++ it looks better ; /
I’m actually outputing it in a script tag to make an object and I looked at json_encode and didn’t really understand how it could help me, because I don’t know how would I use with this much variables, sorry.

Also, here’s the code from the source after making an tag with javascript using variables from that JSON object:

<a production=" " client=" " title="O.S.T.R &amp;quot;Track #12&amp;quot;" href="http://player.vimeo.com/video/43886787?title=1&amp;amp;byline=1&amp;amp;portrait=1" rel="shadowbox" class="box">

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    (I couldn’t get this to fit in a comment, so it’ll have to be an answer.)

    The real problem here is the way data is being put in your database. Let’s take a look at the sample string you gave:

    $raw="O.S.T.R &amp;quot;Track #12&amp;quot;";
echo html_entity_decode($raw);
//   O.S.T.R &quot;Track #12&quot;
echo html_entity_decode(html_entity_decode($raw));
//   O.S.T.R "Track #12"

    So the user input was O.S.T.R “Track #12”

    The key concept here is that that is exactly how it should have been stored in the database. Because that is the actual data. Don’t store modified versions in your database. Instead, escape the data appropriately for however you need to output it.

    Here is the sample data I’ll use for the following few examples:

    $title='O.S.T.R "Track #12"';
$description='A&B or A\B ??';

    So, when you write the data in an SQL statement you use addslashes (or prepared statements, but I’ll show the addslashes approach here):

    $sql="INSERT INTO xxx(title,description) VALUES('".addslashes($title)."','".addslashes($description)."')";
//   INSERT INTO xxx(title,description) VALUES('O.S.T.R \"Track #12\"','A&B or A\\B ??')

    For json encoding, use json_encode:

    $json=json_encode( array('title'=>$title,'description'=>$description) );
//   {"title":"O.S.T.R \"Track #12\"","description":"A&B or A\\B ??"}

    For encoding as csv, in a log file, use fputcsv:

    $fp=fopen("my.csv","a");
fputcsv($fp, array($title,$description) );
fclose($fp);
//   "O.S.T.R ""Track #12""","A&B or A\B ??"

    For output as HTML, use htmlspecialchars() (or html_entity_encode()):

    $html='<h3>'.htmlspecialchars($title).'</h3>';
$html.='<p>'.htmlspecialchars($description).'</p>';
//   <h3>O.S.T.R &quot;Track #12&quot;</h3><p>A&amp;B or A\B ??</p>

    Now, perhaps I still haven’t convinced you, and you still really want to store HTML-ready data in your database, and suffer the extra step to un-htmlify it each time you want to use it for anything else? In that case your sample string should have looked like:

    O.S.T.R &quot;Track #12&quot;

    Whereas your string looked like:

    O.S.T.R &amp;quot;Track #12&amp;quot;

    Do you see the difference? The first one has had html entities encoded exactly once. A call to html_entity_decode() will decode it correctly. The second one has had them encoded twice. It is no longer encoded as html entities. It is what we shall call double-entity-encoded-format or DEEF for short. There is no deef_decode() function in PHP, or any computer language that I’ve ever heard of, not even the ones more pure than PHP. The reason for that is because nobody needs this function.

    SUMMARY: You have a bug in your code that writes to their database. You are receiving the strings with entities already encoded, but you are encoding them again before writing them to the database.

    CONCLUSION: Going back to the key concept I gave above, you should decode those html entities away before writing them to the database, not encode them a second time. BUT, when you make this change, make sure all code that takes data from the database and puts it into HTML or XML knows that it now has to encode entities.

    • 0