I would like for posts returned from my database, from users, to be formatted the same way they originally input them.
Like when I echo out the text from a row of data it comes out like this:
Hello There.
When the user originally formatted it like this:
Hello
There.
Notice the return? How do I achieve this?
Here is my html:
<form method="post" action="share.php">
<textarea name="story"></textarea>
<div id="share-something-bottom">
<div id="share-something-camera">
<img src="images/camera.png"/>
<button type="submit" class="share"
name="share"><p>Share</p></button>
</div>
</div>
</form>
I am using a varchar field in my database table.
Thanks
Store the formatting in the DB and make sure you escape it before storing it.
If you wish to preserve newlines when you echo them on the page, you need to use nl2br().
echo nl2br($string_from_database);
You could also wrap the string in <pre> tag, but that will also affect the used font (by default).
Related
I extracted some text from an Excel file and stored it in a DB. After that, I fetch this text from the DB and display it on a page.
Below is how the problem looks like on the page:
And this is a screenshot of how it appears in the source code:
How can I format this paragraph to show in page correctly ?
Just try this
<div name="description" ....>
<pre>
.....
here your content
.....
</pre>
</div>
if not work let me know
Take a look at HTML Purifier. Pretty good at cleaning up dirty input.
http://htmlpurifier.org/
I have a side project that I am working on on learning php and sql, mixed with some ajax. I have the following code(samples) that inserts specific data into a database :
index.php -
<textarea class="form-control txt" rows='3' name="data[Address]" id="Address" placeholder="Your Address">
<?php echo isset($results['data']['Address']) ? str_replace("<br />","\n", $results['data']['Address']): ''; ?></textarea>
functions.php -
$data['data']['Address'] = str_replace("\n","<br />", $data['data']['Address']);
sql data -
if($id!=NULL && !empty($id)){
$query = "UPDATE test SET address = '$data' WHERE id = $id";}
Here is my question. Data saves fine into the database, and I can read it back from index.php, but when I go to RE-save it, it adds whitespace before the address field(3 tabs worth), so that when I go to read the data again through index.php, it does not show.
How can I get it to NOT save whitespace, or to remove unneeded whitespace?
Looks like you're storing the contents from the Textarea as HTML in Database. You should always store the "real data" from your $_POST to database. (So newlines stay newlines in your database). The escaping will happen just before you send the data to the browser using htmlspecialchars() or htmlentities().
For your concrete problem try following: Output your POST form-data directly into your textarea:
<form action="#" method="POST">
<textarea name="input"><?= htmlspecialchars ($_POST["input"]); ?></textarea>
<button name="submit1" type="submit">Send it</button>
</form>
Your input-data should appear as you typed it. So use htmlspecialchars() instead of random trim()'ing or nl2br()'ing.
Additionally: Be carefull when building your SQL-Query. Make sure to proper escape each user-editable variable before adding it to the statement. See: http://php.net/manual/en/mysqli.real-escape-string.php
Do it this way:
mysql_query ("INSERT INTO xyz ('val') VALUE ('" . mysql_real_escape_string($_POST["input"]). "')");
Or - even better: Make yourself familiar with some modern and much more secure way of database accessing - like using PDO ( http://php.net/manual/en/book.pdo.php )
I basically have a search form with input:
<input type="text" name="search" />
This ends up sending the user off to:
/search/[URL_ENCODED_STRING]
So if they searched for
http://www.stackoverflow.com/
The url would be:
/search/http%253A%252F%252Fwww.stackoverflow.com%252F
My problem comes with knowing if the input I then read later is safe. I would then on the search page use Drupal's inherent ways of reading the value (arg(1)). But even without drupal, the result would be essential the same. I would end up with:
$variable = urldecode($input);
If I then print out $variable, it will show:
http://www.stackoverflow.com/
My question is, what kind of sanitizing must I apply to this string before using it in SQL? Is it simply "addslashes"? Or should I remove all non alphanumeric and number values?
NOTE
I haven't gotten to that part yet, but I'm fairly certain Drupal will apply it's own sanitization if I pass this variable to the built-in search function, but I still would like to know what the right way is to sanitize this input to avoid malicious users doing strange things on the website.
UPDATE
I got to the part and Drupal does take care of the prepared statement part. But I still don't know how I would sanitize the string when printing it here:
<div id="searchedFor">
<span class="preLabel">You searched for</span>
<h2><?php print $_REQUEST['search']; ?></h2>
</div>
What is the most correct way to print that out?
To sanitize to the page, use htmlentities() or strip_tags() or htmlspecialchars():
<div id="searchedFor">
<span class="preLabel">You searched for</span>
<h2><?php echo htmlentities($_REQUEST['search'], ENT_QUOTES); ?></h2>
</div>
Example:
<?php echo htmlentities("<script>NastyJS('code');</script>", ENT_QUOTES); ?>
<!-- Shows in browser this way -->
<script>NastyJS('code');</script>
<!-- but shows in source this way -->
<script>NastyJS('code');</script>
I have one text saved in MySQL Database
<p> Celebrate with these amazing<br /> offers direct from the
Now when I print that text using
echo
I got this output
<p> Celebrate with these amazing<br /> offers direct from the
but U want to display that as
Celebrate with these amazing
offers direct from the
like HTML print.
when i see in db its stored like bellow
<p>
Celebrate with these amazing<br />
offers from
How to do this?
Assuming your database has saved the escaped information like this:
<p>
Celebrate with these amazing<br />
offers from
Then you could just use PHP's html_entity_decode function to output that block of HTML.
maybe this could help you http://php.about.com/od/phpwithmysql/qt/php_in_mysql.htm
If you are outputting to the console (it's not clear from your question what you are trying to output to):
If you look at the PHP strip_tags documentation, you should be able to reach something approximating what you want. http://uk3.php.net/manual/en/function.strip-tags.php
With strip_tags(), you can allow the tag to remain and then replace it with "\n" afterwards.
Otherwise, if you are outputting to browser, then other posts on this page have the answer - you must be storing the htmlentities() version of the data in the database.
I have a textarea and users can type in it. I want to store what they type in a MySQL database but I want to output it with the right amount of spaces like HTML's <pre></pre>. How can I save their input in a database without ruining these spaces?
My code so far just looks like:
<form action='index.php' method='POST'>
<textarea id='area'></textarea>
<input type='submit' value='submit'>
<?php
$input=$_POST['input'];
//mysql query goes here ()
It has been a while since I did this, but here's what I remember: the database doesn't remove the spaces. Two things control the spacing: the textarea's wrap command and the way you show the data later when you retrieve it from the database.
For my forms (that do this successfully) I use textarea wrap="soft"
Then when you take it out of the database you can use pre tags to show it or if you are using php you can use nl2br() on the text to change newlines to html break tags.