
I am having a problem regarding data coming from a CKEditor textarea field. I am using CKEditor 4.4.1. Whenever I try to submit the content of CKEditor it generates the characters \r\n again and again. But it happens only when I am sanitizing my incoming data. Here is my function which sanitizes the incoming content -

// filter user input
public function filter_data($input)
{
    // if magic quotes are on
    if(get_magic_quotes_gpc()) 
    {
        $input = stripslashes($input);
    }
    $sanitized_data = mysqli_real_escape_string($this->con, trim($input));
    return $sanitized_data;
}

And this is how I am calling the above function -

$post_content = $users_obj->filter_data($_POST['txtpostcontent']);

And then I am getting following output in CKEditor -

Lorem ipsum dolor sit amet, consectetuer adipiscing elit, sed diam nonummy nibh euismod tincidunt ut laoreet dolore magna aliquam erat volutpat. Ut wisi enim ad minim veniam, quis nostrud exerci tation ullamcorper suscipit lobortis nisl ut aliquip ex ea commodo consequat.

\r\n\r\n

\r\n\r\n

Lorem ipsum dolor sit amet, consectetuer adipiscing elit, sed diam nonummy nibh euismod tincidunt ut laoreet dolore magna aliquam erat volutpat. Ut wisi enim ad minim veniam, quis nostrud exerci tation ullamcorper suscipit lobortis nisl ut aliquip ex ea commodo consequat.

\r\n\r\n

But when I don't call the above function then everything is fine and there are no characters like \r\n in my content.

So I want to know how I can stop these characters from being produced automatically while keeping my sanitizing function on. Is there any way I can sanitize my content and not get these characters as well? Thanks.

Amit Kumar PRO
Sachin
  • As a general rule, you do *not* sanitize incoming data. You sanitize *outgoing* data, either when storing it or displaying it. Then you can ask yourself why you're using a mysqli_ function if you're not writing to a MySQL database. – Duroth Aug 04 '14 at 07:37
  • Oh dear! This data is going into the database and is being saved, so it is going into database tables. And there is not only CKEditor but also some forms whose data should be saved safely. I only want to know how I can prevent these characters \r\n. – Sachin Aug 04 '14 at 10:40
  • Remove the call to `mysqli_real_escape_string()`. You are not inserting into a database **here** (even though you might elsewhere in your code), you are outputting to HTML. Because you escape `\r\n` to `\\r\\n`, CKEditor renders them as text, where they should have been rendered as a newline. – Duroth Aug 04 '14 at 12:09

7 Answers


One more thing that is helpful:

$text = str_ireplace(array("\r","\n",'\r','\n'),'', $text);

Amit Kumar PRO
  • Though this solution did work, it caused another con: it removes all paragraph tags and merges all content into one `<p>`. By the way, I had tried it before you suggested it now. – Sachin Apr 04 '17 at 08:11

Use stripcslashes(). I had the same problem in CKEditor 4. I tried many solutions from Stack Overflow and the documentation but nothing worked. So I tried the PHP function stripcslashes(). Use it where you output the data and where you edit the data.

Danish Memon

I have fixed the problem and it turns out to be a very simple setting. In config.js I simply set:

config.FormatOutput = false;

And it works, no more stupid \r\n inserted into my HTML.

mkl
Amit Kumar PRO

If you are using mysqli_real_escape_string() in PHP, remove this.

Edit: To prevent injection, use a prepare() statement.

Edit 2: If you still want to use mysqli_real_escape_string(), you can use:

$text = mysqli_real_escape_string($conn, $_POST["description"]);
$description = str_ireplace(array("\r","\n",'\r','\n'),'', $text);
Inderjeet
  • Not a good idea. Without it we can't sanitize and prevent SQL injection. – Sachin Jul 17 '18 at 16:11
  • You can use a prepare() statement. It will stop your injection. mysqli_real_escape_string() does not prevent all injection as far as I know. Read this: https://stackoverflow.com/questions/5741187/sql-injection-that-gets-around-mysql-real-escape-string/12118602#12118602 – Inderjeet Jul 18 '18 at 05:50
  • we can't update our code with prepare() in entire website at this stage. how can we achieve our target still using `mysqli_real_escape_string()`? – Sachin Jul 18 '18 at 17:54
  • In that case, you can use `$text = str_ireplace(array("\r","\n",'\r','\n'),'', $text);`. It will work. – Inderjeet Jul 19 '18 at 05:29
  • @Amit Kumar suggested me the same solution and please see my comment on that. – Sachin Jul 20 '18 at 05:20

You can try this:

$text = str_ireplace(['\\\\r', '\\\\n'], "", $text);
Nick
  • Code-only answers are discouraged. Please click on edit and add some words summarising how your code addresses the question, or perhaps explain how your answer differs from the previous answer/answers. Thanks – Nick Dec 20 '18 at 06:00

The \r\n is a result of mysqli_real_escape_string escaping new line characters, as specified in the PHP documentation.

If you're only concerned about debugging then you don't need to worry about these. If it's causing you problems because you're using the result for something other than a mysqli function, then you'll need to use a different sanitization that is designed for your use case.

As others have said, it's better to use prepared statements if that's an option.

cjc
  • But what if I have to use `mysqli_real_escape_string` without prepared statements for saving CKEditor data in a MySQL table using PHP? Do we have any other solution? – Sachin Oct 04 '19 at 18:47
  • I'm not sure why that would be the case. You should use either `mysqli_real_escape_string` *or* prepared statements, not both. You should use the output of `mysqli_real_escape_string` as a string directly in your query. The `\r\n` in the output ensures that the new lines (which are used by CKEditor to create paragraphs) are stored correctly in the database. The PHP documentation has examples of how you do this. – cjc Oct 05 '19 at 21:51

Please stop sanitizing data using functions like filter_data. This is not the correct way to do it. In fact the phrase "sanitization" is very ambiguous. It means that you want to remove some information from your data. Most of the time you do not want your application to do that. The data entered by the user should stay as it is. You should design your application in such a way, so that it is able to handle whatever data the user presents.

Magic quotes were removed from PHP a long time ago and get_magic_quotes_gpc() is not there anymore.

mysqli_real_escape_string() should only ever be used if you need to format a string literal for use in SQL statements, something which is almost never needed if you are using parameter binding with prepared statements.

The reason why you have this problem is because you are using this function, which harms your data. Please stop using it and use proper security measures.

Dharman
  • Ok but a lot of theory. Actually please tell me what should I do in practice? – Sachin Mar 17 '20 at 16:26
  • @Sachin The last sentence is the actual answer. You need to remove that sanitization function. Don't sanitize your data. Use prepared statements and parameter binding with SQL. When you output the data, you should escape it for the medium in which it will be displayed. Don't sanitize anything! – Dharman Mar 17 '20 at 16:40
  • So does websites generally follow this approach? No need to sanitize or filter anything? This is all due to ckeditor and mysqli_real_escape_string() together? – Sachin Mar 25 '20 at 11:24
  • @Sachin Have you read this post? [How can I sanitize user input with PHP?](https://stackoverflow.com/questions/129677/how-can-i-sanitize-user-input-with-php?rq=1). There should be no input sanitizing! And forget about the existence of `mysqli_real_escape_string()`. Use parameter binding with prepared statements. – Dharman Mar 25 '20 at 11:26
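
Worked example, added here and not code from the question or from any of the answers, showing the approach that cjc's and Dharman's answers describe: the editor's HTML is bound as a parameter when it is stored, nothing is "sanitized" on the way in, and escaping happens only at output for the context it is written into. It uses PDO with an in-memory SQLite table so it runs without a MySQL server (the mysqli equivalent with the question's `$this->con` is noted in a comment); the CKEditor submission is a constructed sample; and `addcslashes()` stands in for `mysqli_real_escape_string()` only to reproduce offline what that function does to CR and LF, since the real call needs a live connection.

```php
<?php
// Added example, not code from the question or answers. Assumes PHP 7+
// with the pdo_sqlite extension; the in-memory SQLite table stands in for
// the MySQL table so the script runs offline. With the question's mysqli
// connection the storing step would be:
//   $stmt = $this->con->prepare('INSERT INTO posts (content) VALUES (?)');
//   $stmt->bind_param('s', $html); $stmt->execute();

// Constructed sample of what CKEditor 4 submits in txtpostcontent: HTML
// paragraphs separated by CRLF, the bytes filter_data() turned into "\r\n".
const SAMPLE_SUBMISSION =
    "<p>Lorem ipsum dolor sit amet.</p>\r\n\r\n<p>Ut wisi enim ad minim veniam.</p>\r\n";

// Reproduces what mysqli_real_escape_string() does to the same bytes, without
// needing a MySQL connection: CR and LF become the two-character sequences
// \r and \n (NUL, backslash, quotes and Ctrl-Z are escaped too). That output
// is only meaningful inside a quoted SQL literal; shown anywhere else it
// reads as a literal backslash-r backslash-n, which is the question's symptom.
function escape_for_sql_literal(string $s): string
{
    return addcslashes($s, "\0\n\r\\'\"\x1a");
}

// Store: the raw HTML is bound as a parameter. The driver never splices it
// into the SQL text, so no escaping function touches the data at all.
function store_post(PDO $db, string $html): int
{
    $stmt = $db->prepare('INSERT INTO posts (content) VALUES (:content)');
    $stmt->execute([':content' => $html]);
    return (int) $db->lastInsertId();
}

function load_post(PDO $db, int $id): string
{
    $stmt = $db->prepare('SELECT content FROM posts WHERE id = :id');
    $stmt->execute([':id' => $id]);
    return (string) $stmt->fetchColumn();
}

// Output: escape for the medium. Putting stored markup back into the
// <textarea> that CKEditor replaces needs HTML entity escaping, so that a
// "</textarea>" inside the content cannot close the element early and the
// browser hands the editor exactly the stored string (the editor decodes
// the entities itself).
function render_textarea(string $html): string
{
    return '<textarea name="txtpostcontent">'
        . htmlspecialchars($html, ENT_QUOTES | ENT_HTML5, 'UTF-8')
        . '</textarea>';
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE posts (id INTEGER PRIMARY KEY, content TEXT NOT NULL)');

$id     = store_post($db, SAMPLE_SUBMISSION);
$stored = load_post($db, $id);

printf("round trip byte-exact: %s\n", var_export($stored === SAMPLE_SUBMISSION, true));
printf("literal \\r\\n present:  %s\n", var_export(strpos($stored, '\r\n') !== false, true));
echo "escaped form (what the question was seeing):\n",
     escape_for_sql_literal(SAMPLE_SUBMISSION), "\n";
echo "textarea for the edit form:\n", render_textarea($stored), "\n";
```

Run it with `php example.php`. The stored value comes back with real CRLF bytes and no backslash sequences, and the escaped form printed at the end is the string the question was seeing inside the editor. One context the question does not cover: when the stored HTML is rendered as page content rather than into the textarea, `htmlspecialchars()` would display the tags as text, and because this is user-authored HTML that output needs an allowlist HTML sanitizer (HTML Purifier is the usual PHP choice) rather than entity escaping.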