
I'm having lots of trouble preserving the exact look of how a user types out a short paragraph.

My problem is that random slashes and html show up. When people would hit enter while typing the message, "\r\n\" would show up when it's echoed later. I tried fixing that but now when the user types an apostrophe while composing a message, it gets inserted into the database with 3 back slashes, and thus echoed later with 3 back slashes with the apostrophe. Frustrating! I want to just start over!

Here's what I do.

  1. User types a message in an input field and hits submit.
  2. That message gets inserted into the database with type varchar(280) via php.
  3. That message gets echoed via php.

I've tried many different things like nl2br and strip_tags and stripslashes and mysql_real_escape_string and others. I might be using these all in a certain combination that messes it up.

So my question is what is the best way to preserve exactly how someone composes a text paragraph to be later echoed via php to look just like how they typed it?

Tom

2 Answers

  1. Make sure Magic Quotes are off or, if you can't disable them, cleanse your strings from them. Read the manual for details: http://www.php.net/manual/en/security.magicquotes.php
  2. When inserting your text into the database, escape it properly for SQL syntax once or, better, use prepared statements. See "How can I prevent SQL injection in PHP?" and "The Great Escapism (Or: What You Need To Know To Work With Text Within Text)".
  3. When outputting to HTML, use htmlspecialchars to avoid HTML injection or plain syntax problems and afterwards use nl2br to format line breaks specifically for HTML.

That's basically it.

deceze
  • How should the text look in the database? I have slashes with every apostrophe and I don't know if that is expected. I followed your guidelines. I make sure magic quotes are off and I am using prepared statements. Just curious what it's supposed to look like. For example: "This didn't work." is showing in the database as "This didn\'t work." – Tom Jan 10 '14 at 22:03
  • The text in the database should look exactly the way it should look. Nothing extra should be in there. – deceze Jan 10 '14 at 22:05
  • Still not working. All I'm doing is the prepared statement step and it's still inserting slashes. Should I avoid turning off magic quotes at runtime since it has been deprecated? – Tom Jan 10 '14 at 22:28
  • Have you read the manual about magic quotes in its entirety, especially the page about disabling it? – deceze Jan 11 '14 at 08:22
  • @deceze just read your excellent article "The Great Escapism". http://kunststube.net/escapism/ Brilliant work and really cleared things up for me. Thank you very much for taking the time to write such an informed (and humorous) article. Cheers. :-) – John T Nov 29 '14 at 11:30
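The three steps of the accepted answer carried through end to end, as an added example that is not part of the original answer or of the question's code. It uses PDO against an in-memory SQLite database so it runs offline (swap the DSN for your MySQL server in a real application); the table name `messages`, the column `body VARCHAR(280)`, the helper function names and the sample message are all constructed for this demo.

```php
<?php
// Added example: round-trip a user-typed message through a database and back
// to HTML without adding or losing anything. Table, column and sample text are
// constructed for the demo; the DSN is SQLite so the script runs offline.

declare(strict_types=1);

// Step 1: neutralise magic quotes if an old host still has them on.
// On PHP 5.4+ magic quotes are gone; on PHP 8 the function itself is gone,
// so the function_exists() guard makes this a harmless no-op there.
function undoMagicQuotes(string $value): string
{
    if (function_exists('get_magic_quotes_gpc') && @get_magic_quotes_gpc()) {
        return stripslashes($value);
    }
    return $value;
}

// Step 2: store with a prepared statement and no escaping of our own.
// The driver keeps the data separate from the SQL, so the text lands in the
// table exactly as typed: "didn't" stays "didn't", a newline stays a newline.
function storeMessage(PDO $db, string $message): int
{
    $stmt = $db->prepare('INSERT INTO messages (body) VALUES (:body)');
    $stmt->execute([':body' => $message]);
    return (int) $db->lastInsertId();
}

function loadMessage(PDO $db, int $id): string
{
    $stmt = $db->prepare('SELECT body FROM messages WHERE id = :id');
    $stmt->execute([':id' => $id]);
    return (string) $stmt->fetchColumn();
}

// Step 3: escape for HTML first, then convert line breaks. The order matters:
// nl2br() inserts "<br />" tags, and running htmlspecialchars() afterwards
// would turn those tags into visible "&lt;br /&gt;" text.
function renderMessage(string $message): string
{
    return nl2br(htmlspecialchars($message, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8'));
}

// Demo setup (constructed): an in-memory database with the question's column type.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE messages (id INTEGER PRIMARY KEY AUTOINCREMENT, body VARCHAR(280) NOT NULL)');

// Constructed sample input, as a browser submits it from a <textarea>
// (CRLF line endings), including an apostrophe, an HTML tag and an ampersand.
$typed = "This didn't work.\r\nTry <b>again</b> & see.";
$raw   = undoMagicQuotes($typed);   // what $_POST['message'] would give you

$id     = storeMessage($db, $raw);
$stored = loadMessage($db, $id);

// The stored text must be byte-for-byte what was typed: no slashes, no entities.
if ($stored !== $typed) {
    throw new RuntimeException('Round trip altered the text: ' . $stored);
}

// Safe for an HTML page: tags and quotes are entities, line breaks are <br />.
echo renderMessage($stored), "\n";
```

Run it with `php store_and_render.php`. The round-trip check is also the diagnostic for the symptom in the question: if the text read back from the table contains a backslash that was never typed, something between the browser and the prepared statement added it (magic quotes, or an `addslashes`/`mysql_real_escape_string` call left over from an earlier attempt), and that is what to remove, rather than bolting a `stripslashes` onto the output.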

For the second step you need to escape it with a mysql function.

But to output it correctly you need to do the following:

<pre><?= htmlentities($mysqlRow['data']); ?></pre>

This will take the needed information from the database result and output it as it is, with all spaces, tabs and HTML tags in it. (If the user enters <html>, this will output <html> as text.)

Spell