
I have a textarea whose content I escape and sanitize through MySQLi's real_escape function and nl2br, then simply output, and I get odd results.

my php code:

 <?php
 $db = new mysqli('localhost', 'user', 'pass', 'demo');

 if ($db->connect_errno > 0) {
     die('Unable to connect to database [' . $db->connect_error . ']');
 }

 // escape_string() rewrites CR/LF as the literal two-character sequences \r and \n,
 // so by the time nl2br() runs there are no real newlines left for it to convert.
 $postText = nl2br($db->escape_string($_POST['posting']));
 ?>

The odd output is:

 i love this\r\n\r\nand this is gonna be funn.,

Strangely, when I just use nl2br without real_escape, the output is fine, but obviously I can't go ahead with that, as I can't trust the user's input.

Please help with this.

j0k
coder101

2 Answers

You should only apply SQL escaping when the output is going to be used in a SQL query.

  • If you need to output the value onto a page, you use htmlspecialchars() or htmlentities().

  • If it's going to be used in a JavaScript literal, use json_encode().

  • Etc.

In short, each context has its own escaping; don't mix them up.

Also, don't use nl2br() when you write it into the database; rather, apply it after you fetch it from the database.

Ja͢ck
  • From what you have said, I deduce that in the same script I should escape the input, insert it into the database, and then, when I have to echo it at the end of the script, use a combination of `htmlspecialchars()` and `nl2br()`. I have to follow these steps because it is all done by an AJAX request. – coder101 Feb 09 '13 at 08:37
  • @coder101 Yeah, that sounds about right; don't apply the escaping onto the same variable though. Create one variable to hold the database-escaped value and one for the HTML; in other words, keep the original value. – Ja͢ck Feb 09 '13 at 08:40
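The separation the answer describes, as an added example (not code from the question or from either answer): one raw value kept as-is, and a separate encoding produced for each context it is used in. It assumes an open mysqli connection in `$db` and a table `posts` with a `TEXT` column `body`; both are hypothetical.

```php
<?php
// Added example: one input value, one encoding per output context.
// Assumptions: $db is an open mysqli connection; table `posts` has a TEXT column `body`.
declare(strict_types=1);

// Constructed sample input standing in for $_POST['posting'].
$original = "i love this\r\n\r\nand this is gonna be funn.";

// What the question did: escape first, then nl2br. escape_string() rewrites CR/LF as the
// two characters \r and \n, so nl2br() finds no newline and inserts no <br /> at all.
$wrong = nl2br($db->real_escape_string($original));
// $wrong === 'i love this\r\n\r\nand this is gonna be funn.'  (backslashes, no <br />)

// 1. SQL context: escape only the copy that is spliced into the query text ...
$forSql = $db->real_escape_string($original);
$db->query("INSERT INTO posts (body) VALUES ('{$forSql}')");

//    ... or, preferably, bind the raw value with a prepared statement and escape nothing.
$stmt = $db->prepare('INSERT INTO posts (body) VALUES (?)');
$stmt->bind_param('s', $original);
$stmt->execute();

// 2. HTML context: encode special characters first, then convert line breaks.
//    The other order would turn the <br /> tags nl2br() just inserted into &lt;br /&gt;.
function renderPostBody(string $text): string
{
    return nl2br(htmlspecialchars($text, ENT_QUOTES | ENT_HTML5, 'UTF-8'));
}
$forHtml = renderPostBody($original);
// $forHtml === "i love this<br />\r\n<br />\r\nand this is gonna be funn."

// The same function on a constructed hostile input: markup is neutralised, breaks kept.
$hostile = "<script>alert(1)</script>\nnext line";
// renderPostBody($hostile) === "&lt;script&gt;alert(1)&lt;/script&gt;<br />\nnext line"

// 3. JavaScript context: json_encode(); the HEX flags keep the literal safe inside an
//    inline <script> element, where "</script>" in the data would otherwise end the block.
$forJs = json_encode($original, JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT);
echo "<script>var posting = {$forJs};</script>\n";
echo $forHtml;
```

Only `$original` is ever stored; `$forSql`, `$forHtml` and `$forJs` are derived from it at the moment each is needed, which is the "keep the original value" point made in the comments.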

Yes, it does.
This function's output is not intended to be printed out, but only to format SQL string literals.
Please note that this function is not intended to "sanitize" any input either. Please refer here for the details.

So, you should never use these 2 functions together.

  • Use escape_string to format SQL strings that you are going to place into a query dynamically.
  • Use nl2br only when printing your text onto an HTML page.

According to your question in the comments, there should be no case where you have to print your string back immediately.
After every POST request your PHP should respond with a Location: header to tell the browser to reload the page. Upon such a reload you can read your data back from the database and print it out.

Your Common Sense
  • I have to escape the string, insert it into the database and echo the string in the response, all in one script. Are you suggesting that, even though I should insert the escaped string into the DB, I should display it using just nl2br, or should I select from the DB using the last insert_id and display that output? – coder101 Feb 09 '13 at 08:26
  • Well, that's not the case, as I am doing it all through an AJAX request, so there is no question of any reload as such. – coder101 Feb 09 '13 at 08:39
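The request flow the answer and the comments argue about, as an added example (not code from the answer or the question): the handler stores the raw text with a bound parameter, reads it back by `insert_id`, and then either redirects (the Post/Redirect/Get flow the answer describes) or, when the request is an XMLHttpRequest as in the comment, returns the rendered fragment as JSON. `$db`, the table `posts` with columns `id` and `body`, the `/post.php` redirect target and the `X-Requested-With` check are all assumptions.

```php
<?php
// Added example: store raw text, re-read it by insert_id, respond by redirect or JSON.
// Assumptions: $db is an open mysqli connection (with mysqlnd, for get_result());
// table `posts` has INT `id` (auto-increment) and TEXT `body`; /post.php is hypothetical.
declare(strict_types=1);

function storePost(mysqli $db, string $body): int
{
    $stmt = $db->prepare('INSERT INTO posts (body) VALUES (?)');
    $stmt->bind_param('s', $body);      // bound parameter: no escape_string() needed
    $stmt->execute();
    return (int) $db->insert_id;
}

function loadPost(mysqli $db, int $id): ?string
{
    $stmt = $db->prepare('SELECT body FROM posts WHERE id = ?');
    $stmt->bind_param('i', $id);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    return $row['body'] ?? null;
}

// HTML encoding happens only here, at output time, never before the INSERT.
function renderPostBody(string $text): string
{
    return nl2br(htmlspecialchars($text, ENT_QUOTES | ENT_HTML5, 'UTF-8'));
}

$body = (string) ($_POST['posting'] ?? '');
if ($body === '') {
    http_response_code(400);
    exit;
}

$id = storePost($db, $body);

// Normal form submission: Post/Redirect/Get, so a refresh does not re-submit the POST.
$isAjax = ($_SERVER['HTTP_X_REQUESTED_WITH'] ?? '') === 'XMLHttpRequest';
if (!$isAjax) {
    header('Location: /post.php?id=' . $id, true, 303);
    exit;
}

// AJAX submission: hand back what the GET page would have rendered from the database.
header('Content-Type: application/json; charset=utf-8');
echo json_encode([
    'id'   => $id,
    'html' => renderPostBody(loadPost($db, $id) ?? ''),
]);
```

Reading the row back by `insert_id` rather than echoing `$_POST` directly means the AJAX path and the reload path render exactly the same stored value, so the two cannot drift apart.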