I start out with a string like this : "I would like to:\r\n\r\n1.) Rid this mess\r\n\r\n\2.) Now Please" (this is 'cleaned' user input text).

So essentially my statement would be this :

$query = sanitize($_POST['query']); // gives the result string

I want to remove the "\r\n\r\n"'s from this string. So far I have tried to do this by using the following :

$query = preg_replace("/\r\n\r\n/", " ", $query);

or

$query = str_replace("\r\n\r\n", " ", $query);

None seem to work?

However, if I do the following :

$query = "I would like to:\r\n\r\n1.) Rid this mess\r\n\r\n\2.) Now Please";
$query = preg_replace("/\r\n\r\n/", " ", $query); // I tried str_replace() too
var_dump($query);
exit;

I get the output that I desire...

Could someone please explain to me why on earth this is happening and how I could solve the issue?

Any advice, input or suggestions would be greatly appreciated as I am now almost bald from pulling my hair out...

Thank you!

EDIT:

This may help, the sanitize() function:

function html($text)
{
    // Escape for an HTML context: <, >, &, ' and " become entities.
    return htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
}

function htmlout($text)
{
    return html($text);
}

function cleanInput($input)
{
    // Patterns are applied in array order. Script, style and comment
    // blocks are matched before the generic tag pattern; the generic
    // pattern on its own removes the <style>...</style> tags but leaves
    // the CSS body behind.
    $search = array(
        '@<script[^>]*?>.*?</script>@si',   // Strip out javascript
        '@<style[^>]*?>.*?</style>@siU',    // Strip style tags properly
        '@<![\s\S]*?--[ \t\n\r]*>@',        // Strip multi-line comments
        '@<[\/\!]*?[^<>]*?>@si'             // Strip out HTML tags
    );
    $output = preg_replace($search, '', $input);
    $output = htmlout($output);
    return $output;
}

function sanitize($input)
{
    if (is_array($input))
    {
        $output = array();   // otherwise undefined for an empty array
        foreach ($input as $var => $val)
        {
            $output[$var] = sanitize($val);
        }
    }
    else
    {
        // Provides $link, the mysqli connection handle.
        include "C:/wamp/www/includes/inc/main/db.inc.php";
        // get_magic_quotes_gpc() was deprecated in PHP 7.4 and removed in 8.0.
        if (get_magic_quotes_gpc())
        {
            $input = stripslashes($input);
        }
        $input  = cleanInput($input);
        // Rewrites CR and LF as the two printable characters \r and \n,
        // which is the form the stored text ends up in.
        $output = mysqli_real_escape_string($link, $input);
    }
    return $output;
}
Craig van Tonder
    Are we talking about line feeds or `\r\n` literal characters? – Álvaro González Feb 11 '13 at 10:30
  • @ÁlvaroG.Vicario This is the result of removing a line break from some user input text. I assume that the translation in this results in literal characters as this is what gets stored in my database. I will post the sanitize() code in a second... – Craig van Tonder Feb 11 '13 at 10:34
  • possible duplicate of [Difference between single quote and double quote string in php](http://stackoverflow.com/questions/3446216/difference-between-single-quote-and-double-quote-string-in-php) – Álvaro González Feb 11 '13 at 10:36
  • @ÁlvaroG.Vicario I don't see how that really relates to my question at all... – Craig van Tonder Feb 11 '13 at 10:40
  • If you want to strip literal `\r\n\r\n` characters `str_replace("\r\n\r\n", " ", $query)` will fail to do it because of such difference. – Álvaro González Feb 11 '13 at 10:48
  • @ÁlvaroG.Vicario I understand this more clearly now, thank you for your input, I shall read through that question thoroughly! – Craig van Tonder Feb 11 '13 at 10:58

4 Answers

The only proper solution

  1. Get rid of the sanitize() function.
  2. Use prepared statements to put your data into the database.
  3. Use the htmlout() function to display the user's text back.

You can read more here and here

Your Common Sense
  • I have always used prepared statements but never really considered the fact that what I was doing was a double job :s I guess I have taught myself something irrelevant ... Although, I do use the function sometimes when text is redisplayed to the user, e.g. in an error situation where "your input of : etc... is invalid"... This would be the correct use for something like that right? In any case, I really appreciate your reply, I think I should put a lot more thought into that!! – Craig van Tonder Feb 11 '13 at 10:55
  • You have an outstanding name too! hehe :) – Craig van Tonder Feb 11 '13 at 10:56
  • What would happen if a user purposefully intended to post malicious code, would it not be better to use something like the cleanInput() function instead of just htmlout()? – Craig van Tonder Feb 11 '13 at 11:06
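The three steps of this answer, and the question raised in the last comment about a user posting markup, as an added example; this is not the answer's own code. The connection details, the `notes` table (an auto-increment `id` and a `body` TEXT column) and the fallback input are all assumptions; it needs PHP 7 or later and the mysqli extension.

```php
<?php
// Added example for the three steps above; not the answer's own code.
// Assumptions: a mysqli connection (host/user/password/database below are
// placeholders) and a table `notes` (id INT AUTO_INCREMENT PRIMARY KEY,
// body TEXT). Requires PHP 7+.

mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // throw on SQL errors

// Step 3: the only transformation user text gets, applied when it is put
// into an HTML page and nowhere else.
function htmlout(string $text): string
{
    return htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
}

// Step 2: prepared statement. The text travels separately from the SQL,
// so it is stored exactly as typed: "\r\n" stays CR LF, quotes stay quotes.
function store_note(mysqli $link, string $body): int
{
    $stmt = $link->prepare('INSERT INTO notes (body) VALUES (?)');
    $stmt->bind_param('s', $body);
    $stmt->execute();
    return (int) $link->insert_id;
}

function load_note(mysqli $link, int $id): ?string
{
    $stmt = $link->prepare('SELECT body FROM notes WHERE id = ?');
    $stmt->bind_param('i', $id);
    $stmt->execute();
    $stmt->bind_result($body);
    return $stmt->fetch() ? $body : null;
}

// Step 1: no sanitize(); the raw POST value goes in unchanged.
// (Constructed fallback input so the script also runs from the command line.)
$link = new mysqli('localhost', 'db_user', 'db_password', 'app'); // placeholders
$raw  = $_POST['query'] ?? "I would like to:\r\n\r\n1.) Rid this mess\r\n\r\n2.) Now Please";

$id   = store_note($link, $raw);
$body = load_note($link, $id);

// Because the stored text still contains real CR LF characters, the
// replacement from the question works on what comes back:
$collapsed = str_replace("\r\n\r\n", ' ', $body);

// Escaping at output: a value such as '<script>alert(1)</script>' is
// rendered as the visible text &lt;script&gt;..., not run by the browser,
// so cleanInput() is not needed to make the display safe.
echo '<p>' . htmlout($collapsed) . "</p>\n";
echo htmlout('<script>alert(1)</script>') . "\n"; // &lt;script&gt;alert(1)&lt;/script&gt;
```

The point of the split is that each boundary does one job: the prepared statement keeps the stored text identical to the input, and htmlout() makes it safe for the one context it is written into. Stripping tags on the way in, as cleanInput() does, changes the stored data and still leaves the output escaping to do.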
Have you got magic quotes on?

http://php.net/manual/en/info.configuration.php#ini.magic-quotes-gpc

It might be escaping your slashes.

Jamoe
If there are literal \r\n characters in your database, you need to quadruple the slashes.

So using this should in theory do the trick:

$query = preg_replace("/\\\\r\\\\n\\\\r\\\\n", " ", $query);
Evert
  • Okay I think I kind of understand now... In my database it gets stored as "\r\n\r\n" and this is the exact output of the text once it has been 'cleaned'... So you're saying I should be escaping the slashes? B.T.W. Not trying to be a stickler but you missed the trailing / :) I'll give it a try and post the result, thanks so much! – Craig van Tonder Feb 11 '13 at 10:44
  • You need four slashes because you are using two contexts where `\r\n` has a special meaning: double-quoted strings and regular expressions. You don't really need any of those here. – Álvaro González Feb 11 '13 at 10:51
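The cause Álvaro González describes in the comments on the question, and the four-backslash pattern in this answer, worked through as an added example; it is not code from the question or from the answer. It assumes PHP 7 or later. Because mysqli_real_escape_string() needs a live connection, escape_like_mysqli() below is a local stand-in that rewrites the same characters; the input string is constructed.

```php
<?php
// Added example, not code from the question or from Evert's answer. It
// shows why str_replace("\r\n\r\n", ...) stops working after sanitize():
// the text no longer contains CR/LF characters but the printable
// two-character sequences \r and \n. Requires PHP 7+. escape_like_mysqli()
// is a local stand-in for mysqli_real_escape_string() (which needs a live
// connection) covering the same characters. The input is constructed.

function escape_like_mysqli(string $s): string
{
    // strtr() with an array makes a single pass, so the backslashes it
    // inserts are not escaped a second time.
    return strtr($s, [
        "\\"   => '\\\\',   // backslash    -> \\
        "\0"   => '\\0',    // NUL          -> \0
        "\n"   => '\\n',    // LF (0x0A)    -> \n  (two printable characters)
        "\r"   => '\\r',    // CR (0x0D)    -> \r
        "'"    => "\\'",    // single quote -> \'
        '"'    => '\\"',    // double quote -> \"
        "\x1a" => '\\Z',    // Control-Z    -> \Z
    ]);
}

// Raw POST text: in a double-quoted PHP string "\r\n" is the two control
// characters CR LF, which is what a textarea submits.
$raw = "I would like to:\r\n\r\n1.) Rid this mess\r\n\r\n2.) Now Please";

// 1. On the raw text the question's replacement does what it should.
echo str_replace("\r\n\r\n", ' ', $raw), "\n";
// I would like to: 1.) Rid this mess 2.) Now Please

// 2. After escaping, each CR and LF has become two printable characters:
//    the string is four characters longer and the same call finds nothing.
$escaped = escape_like_mysqli($raw);
echo strlen($escaped) - strlen($raw), "\n";                                  // 4
echo var_export(str_replace("\r\n\r\n", ' ', $escaped) === $escaped, true), "\n"; // true

// 3. To remove the printable sequence, spell it as printable characters.
//    A single-quoted PHP string does not interpret \r or \n, so '\r\n\r\n'
//    is the eight-character text, not four control codes.
echo str_replace('\r\n\r\n', ' ', $escaped), "\n";

// The same with preg_replace(). In the pattern a literal backslash is \\;
// in a double-quoted PHP string each of those backslashes must itself be
// written as \\, which gives the four backslashes in the answer above.
echo preg_replace("/\\\\r\\\\n\\\\r\\\\n/", ' ', $escaped), "\n";

// preg_quote() does the counting for you and is harder to get wrong:
echo preg_replace('/' . preg_quote('\r\n\r\n', '/') . '/', ' ', $escaped), "\n";
```

The last three calls all print the collapsed sentence. The underlying fix is the one from the comments: the escaped form only belongs inside an SQL string literal, so if the raw input is kept (or a prepared statement is used) there is never a printable \r\n to strip and the original str_replace("\r\n\r\n", ...) is enough.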
This worked for me

$string = preg_replace("/\\\\r\\\\n\\\\r\\\\n/", "", $string);
Simon