
I made a page where users are able to edit text that goes straight into my SQL database. The problem, however, is that SQL ignores new lines in the HTML textarea. For example, when I type:

  • 1
  • 2
  • 3

It shows "123" when I run a SELECT query. How can I adjust the code so SQL does not ignore new lines in the textarea?

```php
<?php
session_start();
if (!isset($_SESSION['ingelogd'])
    || $_SESSION['ingelogd'] !== true) {
    header('Location: /xxxx/xxxx/Login.php');
    exit;
}
?>
```


<CSS code removed>

```php
<?php
function sanitize($data) {
    return stripslashes(strip_tags(mysql_real_escape_string(htmlentities($data))));
}

if (isset($_POST)) {
    if (!empty($_POST["inhoud"])) {

        $con = mysqli_connect("localhost", "root", "", "db1");

        // mysqli_connect_errno() takes no arguments
        if (mysqli_connect_errno()) {
            echo "Database error: " . mysqli_connect_error();
        }
        $sanitize_post = $_POST["inhoud"];
        $sanitize_post = sanitize($sanitize_post);
        mysqli_query($con, "UPDATE tekstpagina SET inhoud='$sanitize_post' WHERE naam='over'");

        mysqli_close($con);
    }
}
?>
```

```html
<b>Update:</b>
<form action="" method="post"><br><textarea id="styled" name="inhoud"></textarea>
<br/><input type="submit" value="Bijwerken" name="Update">
</form>
```
  • I find your "sanitize" function to be terrifying. See my post here: http://stackoverflow.com/a/7810880/362536 – Brad Apr 30 '13 at 20:39
  • Stop. No. Don't. `mysqli` has a robust escaping system you are completely ignoring. Use `[bind_param](http://php.net/manual/en/mysqli-stmt.bind-param.php)`. **DO NOT** do what you're doing here. [Escape your SQL properly](http://bobby-tables.com/php) or there will be severe consequences. – tadman Apr 30 '13 at 20:40
  • It is "terrifying", Brad. I'm fixing the code after everything is working. – user2329190 Apr 30 '13 at 20:41
  • That sanitize function is... Like a cheddar cheese. Use mysqli and parameterized queries. Example: http://stackoverflow.com/questions/4500070/parameterized-query – Ryoku Apr 30 '13 at 20:41
  • Also, I believe it is also your sanitize function that is stripping the \n needed for line breaks. Otherwise use htmlentities() – Ryoku Apr 30 '13 at 20:42
  • HTML escaping should be done just before it's rendered to a page, never when stored in the database. You run the risk of double-escaping if that's the case. – tadman Apr 30 '13 at 20:44
  • Thanks guys, I'll remove the function and try your suggestions. – user2329190 Apr 30 '13 at 20:45
  • `mysql_real_escape_string` adds slashes, you remove them. That seems kind of worse than just using one function. – Ry- Apr 30 '13 at 20:56
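Putting the comments' advice together, as an added example that is neither the asker's code nor an answer from the page: the textarea content is stored unchanged through a prepared statement (`bind_param`), and HTML escaping plus `nl2br()` happen only at the moment the content is rendered. Whatever the `sanitize` function does to the newlines, a browser collapses raw newlines in normal HTML flow, so "1\n2\n3" displays as "123" unless each newline is turned into a `<br>` on output. The table and column names are the ones from the question; the connection credentials, the `update_inhoud`/`fetch_inhoud`/`render_inhoud` function names and the constructed input are assumptions.

```php
<?php
// Added example (not the asker's code). Assumes the table tekstpagina with
// columns inhoud and naam from the question, and hypothetical credentials.
declare(strict_types=1);

/**
 * Store the raw textarea content. Nothing is escaped or stripped here: the
 * prepared statement keeps the data separate from the SQL text, so newlines,
 * quotes and angle brackets are stored exactly as typed.
 */
function update_inhoud(mysqli $con, string $naam, string $inhoud): bool
{
    $stmt = $con->prepare('UPDATE tekstpagina SET inhoud = ? WHERE naam = ?');
    if ($stmt === false) {
        throw new RuntimeException('prepare failed: ' . $con->error);
    }
    $stmt->bind_param('ss', $inhoud, $naam);   // both values bound as strings
    $ok = $stmt->execute();
    $stmt->close();
    return $ok;
}

/**
 * Read the stored content back, again through a bound parameter.
 * Returns null when no row matches.
 */
function fetch_inhoud(mysqli $con, string $naam): ?string
{
    $stmt = $con->prepare('SELECT inhoud FROM tekstpagina WHERE naam = ?');
    if ($stmt === false) {
        throw new RuntimeException('prepare failed: ' . $con->error);
    }
    $stmt->bind_param('s', $naam);
    $stmt->execute();
    $stmt->bind_result($inhoud);
    $found = $stmt->fetch();
    $stmt->close();
    return $found ? $inhoud : null;
}

/**
 * Convert stored text to HTML at render time only. htmlspecialchars()
 * neutralises any markup the user typed; nl2br() then inserts "<br />"
 * before each newline so the browser does not collapse the line breaks.
 * Browsers submit textarea line breaks as "\r\n"; nl2br() handles
 * "\r\n", "\n" and "\r" alike.
 */
function render_inhoud(string $stored): string
{
    return nl2br(htmlspecialchars($stored, ENT_QUOTES | ENT_HTML5, 'UTF-8'));
}

// Constructed input: what the browser sends for the three lines in the question.
$submitted = "1\r\n2\r\n3";
echo render_inhoud($submitted), PHP_EOL;

// Wiring it to the form from the question (the session check runs before this).
if ($_SERVER['REQUEST_METHOD'] === 'POST' && isset($_POST['inhoud'])) {
    $con = new mysqli('localhost', 'root', '', 'db1');   // credentials as in the question
    if ($con->connect_errno) {
        exit('Database error: ' . $con->connect_error);
    }
    $con->set_charset('utf8mb4');
    update_inhoud($con, 'over', (string) $_POST['inhoud']);

    $stored = fetch_inhoud($con, 'over');
    if ($stored !== null) {
        echo '<div class="inhoud">', render_inhoud($stored), '</div>';
    }
    $con->close();
}
```

Running the top-level demo prints the three digits with a `<br />` inserted before each line break, which is what the page needs in order to show three lines; the database row itself still holds the plain text with its original newlines, so the same content can later be rendered as JSON, plain text or HTML without having to undo any escaping that was baked in at storage time.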

0 Answers