Basically, I have an administration area where users are to be able to add information to a MySQL database using a form textarea. The users have little or no HTML knowledge so I'd like them to be able to use their return key to create line breaks instead of <br /> tags, however I also want the use of HTML to be permitted too for future purposes. I also won't want <br /> tags to appear in the textarea after insertion and would like line breaks instead so as not to confuse people - basically display it in the textarea exactly as it was entered.
I've been having difficulty parsing the data though, I've come up with a solution to prevent the line breaks from being stripped but I just really want to know if this is valid - it works, but if I've learned anything recently I know that doesn't mean it's right!
$extra_details_escape = mysql_real_escape_string($_POST['extra_details']);
$extra_details_escape = str_replace('\r\n','LiNeBrEaK',$extra_details_escape);
$extra_details_escape = stripslashes($extra_details_escape);
$extra_details_escape = str_replace('LiNeBrEaK','\r\n',$extra_details_escape);
mysql_query("UPDATE table SET column = '$extra_details_escape' WHERE id = '$id'");
Many thanks,
Joe
Have you tried nl2br() ?
Try this, post string sanitization:
$extra_details_escape = nl2br($_POST['extra_details']);
Related
I have a form where I can also write HTML tags. I must save this textarea preserving every single HTML tag. So here's the code:
foreach($_POST["comment"] AS $key => $value)
{
mysql_query("UPDATE comments SET title= '".$value["title"]."', comment = '".$value['comment']."' WHERE id = '".$value["id"]."'");
}
When I try to save this:
<b>Hello</b>
In MySQL I get this result:
<b>Hello</b>
I must keep every single HTML as it is. If I write <b> I must save exactly <b> in database. I tryed escaping, html etities, quotes, strip slashes (...) but this guy keep saving everything in the wrong way.
p.s. Before you ask yes, description field is TEXT tupe with UTF-8 encoding.
Have you tried using http://php.net/manual/en/function.htmlspecialchars-decode.php on the mentioned value? This should do exactly what you're asking.
try running:
$sStr = '<b>Hello</b>';
echo htmlspecialchars_decode($sStr);
And it will be encoded properly. Feeding that to the database stores the value correct.
Also, but this is more of a side-notice, you really shouldn't save post data without validating the input. I do assume this is just a quick example and not production code? However, just a suggestion.
You need to escape the entry. If you are using the mysql method, you need the mysql_escape_string function like:
$string = mysql_escape_string("<br>Hello</br>");
I've recently thrown together a basic PHP webpage that lists information pulled from an MySQL table and displays it in various sorts. I'm wanting to allow the user to add a new item to the table, edit an item in the list and delete an item in the list without refreshing the page (Ajax).
This currently goes;
To add/edit an article you click on a link which prompts the popover ajax form, and fills it's contents (if editing) by performing the function setEdit(comment) as below;
<a class="popup-button" title="<?php echo $row['comment']; ?>" onclick="setEdit('<?php if($row['comment']){ echo $row['comment']; } else { echo "Enter comment here..."; } ?>');"><?php echo $row['listitem']; ?></a>
The setEdit() comment is as follows;
function setEdit(editcomment)
{
if(editcomment){ document.getElementById('help-us-comment').value=editcomment; }
}
Which is then, after submitting the ajax form, handled by the following php code;
if(isset($_POST['comment_text']))
$comment=$_POST['comment_text'];
$sql = "INSERT INTO table SET
comment='$comment'";
Problem: I'm having constant issues trying to get the database contents through 1, 2, 3 without falling over at a new line, single or double quote. I've tried endless combinations of replacing tags, htmlspecialchars and nl2br with no half successes - where it's got to the point that it's so convoluted and encoded/decoded now that I'm assuming that there is a far simpler and obvious way that I'm missing.
The main problem happens when trying to load the data into the form, typically having either the form fall over and refuse to populate at all (typically by the a link becoming broken by the data extracted i.e. single quote or new line) or the form being populated with special characters instead of plain text to edit.
I've tried to go into as much detail as possible, but if any more is needed I'm happy to provide. Also apologies if this is an obvious fix/mistake, and I'm being an idiot.
You have two problems here: storing and displaying.
To display you should look in to htmlentities that makes it safe HTML (it does all the quotes replacing, html encoding, etc. for you) so that your string to be safe to be displayed as plain text, or as inputs' values.
To store the data, you should sanitize your queries. You could use mysqli and bind parameters, or use mysql_real_escape_string to escape your input manually.
Otherwise, say hi to Bobby Tables ;)
I am new to programming with php.
I've done that:
There is a textarea that user writes text, and it is saved to db. But when listing the entries, the text with html tags are shown as html elements.
For example, "I'm < b >25< /b > years old" is shown "I'm 25 years old".
I want to show it as what user writes on textarea, not applying html rules. And due to this, user can not break multiple lines.
How can I avoid all html properties? is there any function or something else to help me?
Run the posted content through htmlentities:
$var = htmlentities($old_var);
Note: you should also be making sure you're not making yourself vulnerable to SQL injection.
Save it to the database but escape every value that comes from a user to avoid mysql-injections.
Example:
$sqlaction = mysql_query("INSERT INTO posts (text) VALUES ('".mysql_real_escape_string($_POST['text'])."')");
if you want to Show it on a page use htmlentities like this:
<div><?php echo htmlentities($row['text']); ?></div>
I have a form where a user types paragraphs into a text area and then it takes them to another page after they submit. How can I pass whatever they typed to the page after they submit? The text area might have linebreaks and if I use a query string to pass the data, it gives me an error. This is my current code to pass the field:
<?php
if(isset($_POST['form']))
{
$title = $_POST['title'];
$body = $_POST['body'];
header("SubmitForm.php?title=$title&body=$body");
?>
<html>
...html form...
It doesn't work when the text area has line breaks in it.
I would suggest installing a wysiwyg editor to make this easier for you, but i assume that would add some time for the learning curve.
The simplest tips I can give you is to set a CSS attribute for your textarea: white-space:pre so that when it gets submitted, all line breaks get sent as well.
On your server side, you would need to use the nl2br() function, so that when it gets saved on your DB or wherever you store them, all line breaks are converted to HTML breaks.
For your additional reference, I had a similar question like this last year.
You really shouldn't be putting anything that long in a query string in the first place. Look into using sessions to store data across pages instead.
(This is assuming I understood the question right)
urlencode the data in order to pass it via query string.
so I need the user to write a review about an article or book and send it to a DB via PHP but with some basic HTML formatting.. I mean, I have a form , when the user writes the review, the data is sent but without any kind of formatting, If the user want to write in a new line, the text is sent like plain text, I need to get also those new line breaks and simple stuff.
I know how to use PHP and DB connection, I just need to know how to get those new line breakes and stuff..
Use nl2br
Just before printing on the screen data from DB. It replaces \n (new line) as <br>
I recommend storing the data as plaintext, and adding the formatting on the way out. This way if you want to change the way it is formatted then you don't have to update every row in the database.
you can use nl2br() if you just need to newlines to be formatted, and a search-and-replace for anything else.
Have you considered using an existing 'plain text to markup' solution, like Markdown?
It (and others like it) allow your users to write plaintext reviews that will be sensibly formatted. (like stackoverflow uses!)
The PHP function nl2br() basically takes every new line your user enters via the form and converts the new line code to a <br> tag.
An example of using this would be:
$text = nl2br("This is text \nThis is a new line of text");
This would create the following code in your database:
This is text<br>This is a new line of text
When the user hits enter in the form textarea, PHP will pick this up as \n.