5

I am trying to add text from a textarea on my site into a MySQL database.

Below is the PHP code that is adding the text to the database.

if (isset($_POST['text']))
{
    $text = sanitizeString($_POST['text']);
    $text = preg_replace('/\s\s+/', ' ', $text);

    $query = "SELECT * FROM profiles WHERE user='$user'";
    if (mysql_num_rows(queryMysql($query)))
    {
        queryMysql("UPDATE profiles SET text='$text' where user='$user'");
    }
    else
    {
        $query = "INSERT INTO profiles VALUES('$user', '$text')";
        queryMysql($query);
    }

}
else
{
    $query  = "SELECT * FROM profiles WHERE user='$user'";
    $result = queryMysql($query);

    if (mysql_num_rows($result))
    {
        $row  = mysql_fetch_row($result);
        $text = stripslashes($row[1]);
    }
    else $text = "";
}

$text = stripslashes(preg_replace('/\s\s+/', ' ', $text));

And below is the code of the form.

<textarea name='text' cols='40' rows='3'>$text</textarea><br /> 

But when the data is submitted, it shows correctly in the database but is not displayed properly on the page. See the images below:

[image: the text that is entered]

[image: how the text is displayed on the page]

[image: how the text is in the database]

This is the PHP code that displays the text on the page.

$result = queryMysql("SELECT * FROM profiles WHERE user='$user'");

if (mysql_num_rows($result))
{
    $row = mysql_fetch_row($result);
    echo stripslashes($row[1]) . "<br clear=left /><br />";
}

Hope you can help!!

EDIT: added extra php code

  • I hope that `sanitizeString` actually runs `mysql_real_escape_string`, otherwise you're running a high risk of SQL injection. And what do you exactly mean by “not showing it displayed properly”? I see two textareas with correct white spaces. How do you display that text? – Marcel Korpel May 02 '11 at 22:57
  • The full code for adding text is above now. Where should I put `mysql_real_escape_string`? –  May 02 '11 at 23:13
  • `stripslashes`? Why do you need that? And what does `sanitizeString` do? – Marcel Korpel May 03 '11 at 08:00
  • The code wasn't written by me. It was written by a colleague and I am styling the site for him. I would like to add Markdown in the future. How would I go about adding this? –  May 03 '11 at 09:39
  • That's a completely different question. A search here and on Google will reveal a lot. But please tell your colleague to learn a few things about security (point him to XSS and SQL injection). That will save you and your customers a lot of trouble. – Marcel Korpel May 03 '11 at 10:02
  • OK I will... So when I display the text I don't need `echo stripslashes($row[1]) . "<br clear=left /><br />"`? Just `echo ($row[1])`? Also about the SQL injection worry, how do I run `sanitizeString` through `mysql_real_escape_string`? –  May 03 '11 at 17:34
  • It depends: if there are unwanted slashes in your text, you'll have to strip them (but how did they creep into the input, that would be a better issue to deal with: to solve the actual problem). If you want to output text to an HTML page, use `htmlspecialchars` to prevent XSS attacks. And again: what does `sanitizeString` do now? To prevent SQL injection, you'll have to either use `mysql_real_escape_string` to properly escape your input or, better, use parametrized queries. Also see [this answer](http://stackoverflow.com/questions/110575//110576#110576) and its comments. – Marcel Korpel May 04 '11 at 09:06

2 Answers

9

Your text, unless you're using a rich-text editor, such as Markdown (as here on Stackoverflow), is styled by your CSS, not by the contents of the textarea itself.

If the problem is preservation of newlines, then you could run the string through the nl2br($text) function before storing in, or retrieving from, the database.

I'd suggest on retrieval would be better, but that's just my opinion (and I can't offer any evidence to back it up).

David Thomas
4

Or you can use

echo nl2br($text);
arma
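Putting the nl2br advice from both answers together with Marcel Korpel's comments (htmlspecialchars on output, parameterized queries instead of string-built SQL), as an added example that is not code from the question or either answer. It assumes an open mysqli connection in `$db`, a `$user` string, and that `user` is the primary key of the question's `profiles` table.

```php
<?php
// Added example (not from the question or answers). Assumes: $db is an open
// mysqli connection, $user is set, and `user` is the primary key of the
// question's `profiles` table with columns (user, text).

function saveProfileText(mysqli $db, string $user, string $text): void
{
    // Collapse runs of spaces/tabs only. The question's '/\s\s+/' also eats
    // blank lines, because \s matches "\n", which destroys paragraph breaks.
    $text = preg_replace('/[ \t]+/', ' ', $text);
    // Bound parameters replace sanitizeString()/stripslashes(): the driver
    // keeps data and SQL apart, so quotes in $text cannot alter the query.
    $stmt = $db->prepare(
        'INSERT INTO profiles (user, text) VALUES (?, ?)
         ON DUPLICATE KEY UPDATE text = ?');
    $stmt->bind_param('sss', $user, $text, $text);
    $stmt->execute();
    $stmt->close();
}

function loadProfileText(mysqli $db, string $user): string
{
    $stmt = $db->prepare('SELECT text FROM profiles WHERE user = ?');
    $stmt->bind_param('s', $user);
    $stmt->execute();
    $stmt->bind_result($text);
    $found = $stmt->fetch();
    $stmt->close();
    return $found ? $text : '';
}

// Escape first, then convert newlines: the other order would turn nl2br's
// "<br />" into "&lt;br /&gt;" and show it literally on the page.
function renderProfileText(string $text): string
{
    return nl2br(htmlspecialchars($text, ENT_QUOTES, 'UTF-8'));
}

if (isset($_POST['text'])) {
    saveProfileText($db, $user, $_POST['text']);
}
$text = loadProfileText($db, $user);
// The textarea is HTML too: escape its content so a "</textarea>" in the
// stored text cannot close the field early. It preserves newlines itself.
$safe = htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
echo "<textarea name='text' cols='40' rows='3'>$safe</textarea><br />";
echo renderProfileText($text);
```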