1

I have a form where users can enter anything, for instance, suppose a user entered:

Hello World!
This is a new line.

This was written after two new lines.

The data that the user submits using the form is inserted into the DB:

$data = mysqli_real_escape_string($dbc, $_POST['text']);
$sql = "INSERT INTO data (Data) VALUES ('$data')";
$exec = mysqli_query($dbc, $sql);

Now it gets stored in the database, but when I fetch the text from the DB to show to the user, it displays:

Hello World! This is a new line. This was written after two new lines.

As you can see, the new lines are ignored. I also want to show line breaks.

I tried:

$data = mysqli_real_escape_string($dbc, str_replace('\n', '<br>', $_POST['text']));

but that doesn't work either. How can I show line breaks when displaying data from MySQL?

Marcelo
Jay Kapoor

2 Answers

2

It is best to put your user input into the database unaltered (except for escaping, of course) in case you wish to query against the user input, or change your display behavior later on. That said, upon building your page and displaying the data, use

echo nl2br(htmlspecialchars($row['text'], ENT_QUOTES));

nl2br() converts all the "\r\n" or "\n" to <br /> so that it displays nicely. htmlspecialchars() converts any special characters the user typed into the field originally to proper html escape sequences.

Your code would work, except your \n should be wrapped in double quotes instead of single quotes. Single-quoted strings ignore escape sequences in PHP. However, as shown, a built-in function already exists for accomplishing this.

Jerbot
  • This is a much better answer with explanation. – Phil Mar 26 '15 at 21:26
  • No pointing out the flaw/error in this explanation @Phil_1984_? – chris85 Mar 26 '15 at 21:36
  • @chris85 What error? Why don't you mention it yourself if you found an error? – Phil Mar 27 '15 at 20:09
  • @Phil_1984_ I interpreted your first message as that you were the original down voter of this answer, no? The issue is the "Single-quoted strings ignore escape sequences in PHP". They do more than that, they pretty much tell PHP to leave the string alone. I'd direct the user to a few threads on the topic http://php.net/manual/en/language.types.string.php#language.types.string.syntax.single http://stackoverflow.com/questions/3446216/what-is-the-difference-between-single-quoted-and-double-quoted-strings-in-php – chris85 Mar 28 '15 at 05:17
  • @chris85 Why would I commend the answer then downvote it? I suggest you stop trying to attribute personal blame to votes on SO. They are anonymous for a reason. – Phil Mar 28 '15 at 10:13
  • It was downvoted then later undownvoted almost at the same time of your commenting. Nitpicking it seemed like to me, I saw no reason for this to ever be downvoted. I saw my answer and this answer as solutions and was fine leaving it to the user to pick. – chris85 Mar 28 '15 at 14:45
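The output-time approach from the answer above, as an added example that is not code from either answer. It uses a constructed string in place of the row fetched from the database, and `render_multiline` and `render_wrong_order` are hypothetical helper names. It shows why the single-quoted `'\n'` never matches, and why the escaping has to run before `nl2br()` rather than after it.

```php
<?php
// Constructed sample: text as it would come back from the DB when stored
// unaltered, including mixed line endings and characters that matter in HTML.
$stored = "Hello World!\r\nThis is a new line.\n\n<b>bold?</b> & \"quotes\"";

// 1. The question's attempt. In single quotes, '\n' is two characters
//    (backslash, n), so str_replace() finds nothing to replace.
$attempt = str_replace('\n', '<br>', $stored);
echo "single-quoted search changed the text: ";
var_dump($attempt !== $stored);
echo "length of '\\n' vs \"\\n\": ", strlen('\n'), " vs ", strlen("\n"), "\n\n";

// 2. Render at output time: escape the user's text for HTML first, then let
//    nl2br() insert <br /> before each line break. The markup nl2br() adds
//    is therefore the only markup in the result.
function render_multiline(string $text): string
{
    return nl2br(htmlspecialchars($text, ENT_QUOTES, 'UTF-8'));
}

// 3. The same two calls in the opposite order. htmlspecialchars() now also
//    escapes the <br /> tags, so the browser shows them as literal text and
//    the line breaks are lost again.
function render_wrong_order(string $text): string
{
    return htmlspecialchars(nl2br($text), ENT_QUOTES, 'UTF-8');
}

echo "escape, then nl2br:\n", render_multiline($stored), "\n\n";
echo "nl2br, then escape:\n", render_wrong_order($stored), "\n";
```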
0

I believe you want nl2br. http://php.net/manual/en/function.nl2br.php The str_replace won't work because you'd need the \n in double quotes. As is, you are searching for a literal '\n'.

$data = mysqli_real_escape_string($dbc, nl2br($_POST['text']));
chris85
  • It is generally considered bad practice to escape for html before even storing data. Store data as is and do output escaping properly when you output. – Phil Mar 26 '15 at 21:32
  • That's the OPs request, and answers the issue. – chris85 Mar 26 '15 at 21:33
  • @Phil_1984_ Could you please elaborate on your down vote here? This answer resolves the user's issue and goes further into detail into why their initial solution didn't work. As well as providing a link to the resource they need for further documentation. – chris85 Mar 27 '15 at 04:47
  • You have mentioned the correct function to solve the problem and your explanation regarding the single quotes is correct. However, it's your example of combining mysqli_real_escape_string with nl2br which I have a problem with. These functions do different kinds of escaping. – Phil Mar 27 '15 at 20:17
  • I see now you have just tried to fix the example the OP gave. Unfortunately that example is trying to escape data for output before it is getting saved in the database. This is generally considered bad practice. – Phil Mar 27 '15 at 20:21
  • `nl2br` shouldn't conflict with `mysqli_real_escape_string` escaping. The user wants the data in the db with html line breaks (according to their code); that's what my answer does. Yes, it isn't ideal; managing the data in the future will be a pain for others, but if that's what the OP wants, here is the answer. I'd await the user's response before trying to predict what they want and future usages. – chris85 Mar 28 '15 at 05:25
  • I didn't say they conflicted. One is escaping for database and one is escaping for output. Database is not output. It is unclear that the OP wants br tags in the database. But even if he does, it doesn't make it correct to do so. Sometimes what the OP wants is itself wrong. – Phil Mar 28 '15 at 10:04
  • I've stated the same thing numerous times here. The user can do what they want. The two answers here are the solutions. If the user wants more on the topic you're bringing up here is a thread on that, http://stackoverflow.com/questions/9390675/html-tags-in-database-bad-practice-or-good-practice I'm done on this thread. – chris85 Mar 28 '15 at 14:47