-2

My string-filter functions puts this string

<b>enter</b>
Testing & so. "Some quote here";

into the database like this

&amp;#60;b&amp;#62;enter&amp;#60;/b&amp;#62;&amp;#13;&amp;#10;Testing &amp;#38; so. \&amp;#34;Some quote here\&#34;;

I echo it like this: stripslashes(htmlspecialchars_decode(...));

which gives me:

<b>enter</b> Testing & so. "Some quote here";

How can I echo this string WITH the new line, but without allowing it to decode all the other html entities?

I've tried html_entity_decode(), but this also makes enter bold...

Thanks!

binoculars
  • only *decode* seems wrong word here – Mr. Alien Jan 24 '14 at 11:26
  • Why do you encode entities while putting into the DB? You should only do that on display – Marcin Orlowski Jan 24 '14 at 11:26
  • 1
    That's some horrible handling of encodings and escapes. Please start here: [The Great Escapism (Or: What You Need To Know To Work With Text Within Text)](http://kunststube.net/escapism/) – deceze Jan 24 '14 at 11:27
  • For the life of me, I can't see why you got to -2 for this question :) – Nick Jan 24 '14 at 11:29
  • possible duplicate of [Preserve and display text exactly how it is typed and submitted](http://stackoverflow.com/questions/21045667/preserve-and-display-text-exactly-how-it-is-typed-and-submitted) – deceze Jan 24 '14 at 11:30
  • Why is it horrible? I use this to filter the string: $input=filter_var($input, FILTER_SANITIZE_SPECIAL_CHARS); – binoculars Jan 24 '14 at 11:30
  • 1) You double escape everything. 2) Why `stripslashes`? You only ever need it for magic quotes, which should be off anyway. 3) Never escape anything for the wrong medium. In this case: Why double HTML encode text which goes into the database, which has nothing to do with HTML? – deceze Jan 24 '14 at 11:33
  • (edited my comment above, still horrible?) thanks for replies! – binoculars Jan 24 '14 at 11:35
  • Yes. I would never want to see text like *"&#60;b&#62;enter&#60;/b&a"* in my database (unless a user explicitly typed exactly that). – deceze Jan 24 '14 at 11:48
  • I see... so the right way to do it is to put the text "as is" in the database, and when echoing, run filter_var? Isn't there a possible security issue then (I use prepared statements)? – binoculars Jan 24 '14 at 12:32
  • 1
    Yes, *escape* for the medium that you are outputting to, no sooner than you're outputting to it. There's no security issue if you do escape your data. It's actually safer to have `echo htmlspecialchars($text)` right in your templates, because you are *sure* it's HTML escaped. Just `echo $text` means you're relying on other code to do this before, which is insecure. – deceze Jan 24 '14 at 13:10

1 Answer

1

Try with

```php
$text = nl2br($text);
```

It will transform newlines to br

Mario Radomanana
  • 1
    This will not transform newlines to `<br>`. It will insert `<br>` before the new lines. Here's a good comment on the PHP documentation on how to replace the new lines for windows/unix/mac: http://php.net/manual/en/function.nl2br.php#73440 – Wes Apr 17 '18 at 14:17
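Putting deceze's comments and the nl2br() answer together, here is an added example (not code from the question or the answer): store the text as typed, escape it for HTML only at output, and then convert the newlines. The `$pdo` connection, the table and the column name are assumed, and `$input` is a constructed copy of the string in the question.

```php
<?php
// Constructed sample: the text exactly as the user typed it.
$input = "<b>enter</b>\r\nTesting & so. \"Some quote here\";";

// Store $input unchanged through a prepared statement: no htmlspecialchars(),
// no filter_var(), no addslashes() before it reaches the database.
// (Hypothetical $pdo connection; table and column names are assumed.)
// $stmt = $pdo->prepare('INSERT INTO posts (body) VALUES (?)');
// $stmt->execute([$input]);

// At output: escape first, so user-supplied tags such as <b> are shown as
// text instead of being rendered, then convert newlines with nl2br().
// Order matters: nl2br() after escaping keeps the inserted <br /> tags,
// whereas escaping after nl2br() would turn them back into literal text.
function render_text(string $text): string
{
    return nl2br(htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8'));
}

echo render_text($input);
```

Because the escaping call sits right in the template, a reviewer can see the value is HTML-escaped without having to trust whatever code wrote it to the database.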