I have a system set up for users to submit their articles into my database. Since it will just be HTML, I don't want to expect them to know to type <br /> every time there's a newline, so I am using the PHP function nl2br() on the input.
I'm also providing an article modification tool, which will bring their articles back into the form (this is a different page, however) and allow them to edit it. In doing this, the <br /> elements were appearing also (with newlines still). To remedy the elements appearing (which I had expected, anyway) I added preg_replace('/<br(\s+)?\/?>/i', "\n", mysql_result($result,$i,"content")) which I had found in another question on this site. It does the job of removing the <br /> elements, but since it is replacing them with newlines, and the newlines would have remained originally anyway, every time the post is edited, more and more newlines will be added, spacing out the paragraphs more and more each time. This is something a user won't understand.
As an example, say I enter the following into the article submission form:
Hello, this is my article.
I am demonstrating a new line here.
This will convert to:
Hello, this is my article.<br />
I am demonstrating a new line here.
Notice that, even though the newline character was converted, there is still a newline in the text. In the editing form, the <br /> will be converted back to newline and look like this:
Hello, this is my article.

I am demonstrating a new line here.
Because the <br /> was converted to a newline, but there was already a newline. So I guess what I'm expecting is for it to originally be converted to something like this:
Hello, this is my article.<br />I am demonstrating a new line here.
I'm wondering ... is there a way to stop the nl2br() function from maintaining the original newlines? Might it have to do with the Windows \r\n character?
The function you're using, nl2br is used for inserting them, but not replacing them. If you want to replace \n with <br /> you just need to use str_replace. Like so:
$string = str_replace("\n","<br />",$string);
There is absolutely no need for regex in this situation.
It seems like the problem you described is not a bug, but a feature of nl2br. You could just write your own function for it, like:
<?php
function NlToBr($inString)
{
return preg_replace("%\n%", "<br>", $inString);
}
?>
I found this one in the comments of the documentation of the nl2br-function in the PHP Manual: http://php.net/manual/de/function.nl2br.php. If the one I posted did not work for you, there should be plenty more where it came from.
(Or just use the function from the other Answer that was just posted, I guess that should work, too)
This should fix it:
preg_replace('/<br(\s+)?\/?>(?!\s*\n)/i', "\n", mysql_result($result,$i,"content"))
You cannot simply remove the breaks, because they might be on the same line. This regex will replace all breaks with newline but not those that are followed by the newline.
It will leave the <br>\n in the text. Additional regex will get rid of them:
preg_replace('/<br(\s+)?\/?>/i', "", $res)
This is my first post at stackoverflow.
I need to ask a few simple :D questions related to PHP sanitizing inputs and would be really grateful to anyone who could assist me :)
1) OK, well when I run get_magic_quotes_gpc() it returns false. Which means magic quotes are turned off. Is this correct?
2) Should I sanitize any user entered string using stripslashes(), htmlentities() & strip_tags() when magic quotes are turned off?
3) Even though magic quotes are turned off when I enter characters such as \ or some other character my program has no ability to avoid them. Why is that?
4) Then I modified my program to call a function to clean the string before it is processed. Even though the string is cleaned it still shows those unwanted characters. Is there anything wrong in the sanitizeString() function?
Below is my code, related to question 3)
(The program is supposed to convert Fahrenheit into Celsius or vice versa )
<!DOCTYPE html>
<html>
<head>
</head>
<body>
<form action="TemperatureConverter.php" method="post">
<label>Fahrenheit</label><input type="text" name="f" size="10"/><br>
<label>Celsius</label><input type="text" name="c" size="10"/><br>
<input type="submit" name="submit" value="SUBMIT">
</form>
</body>
</html>
<?php
$f='';
$c='';
if(isset($_POST["f"])){
    $f= sanitizeString($_POST["f"]);
}
if(isset($_POST["c"])){
    $c=sanitizeString($_POST["c"]);
}
if($f!=""){
    $c=(5/9)*($f-32);
    echo $f.' Fahrenheit is equal to '.$c.' Celsius ';
}
else if($c!=""){
    $f=$c*(9/5)+32;
    echo $c.' Celsius is equal to '.$f.' Fahrenheit ';
}
function sanitizeString($str){
    $str= stripslashes($str);
    $str= htmlentities($str);
    $str= strip_tags($str);
    return $str;
}
I guess I have posted my code properly which adheres to rules of stackoverflow. If not sorry. :(
In your example as you know the input to be a number, it would be best to simply check for that, rather than attempting to add additional filtering.
for example,
if(isset($_POST["f"])){
    $inFahrenhite = trim($_POST['f']); // remove any leading/trailing spaces
    if (is_numeric($inFahrenhite)) $f = $inFahrenhite; // keep the trimmed, validated value
}
The above code validates that the input is numeric. Since you are expecting a number anything else is invalid and can be ignored.
Other questions.
1) Yes, it means the setting is turned off.
2) All filters are not required. There is no need to allow html values if the input should be a number. Using http://www.php.net/manual/en/book.filter.php would be a start.
3) Magic Quotes only escapes certain characters. The setting is to be deprecated, so you should avoid using it.
4) These functions only work to ensure that the characters are escaped properly. For example, an & would get converted to &amp;. There is still an & there, but it now has a different purpose.
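The numeric check and the filter extension linked above, worked through for the temperature form. This is an added example, not code from the original posts; the helper names readTemperature() and convert() are hypothetical, and $post stands in for $_POST so the script runs offline.

```php
<?php
// Added example: accept the field only if it parses as a number, instead of
// passing it through stripslashes()/htmlentities()/strip_tags().

/** Return the field as a float, or null when it is missing, empty or not numeric. */
function readTemperature(array $post, string $field): ?float
{
    if (!isset($post[$field]) || !is_string($post[$field])) {
        return null; // absent, or an array such as f[]=1
    }
    $value = filter_var(trim($post[$field]), FILTER_VALIDATE_FLOAT);
    return ($value === false || !is_finite($value)) ? null : $value;
}

/** Build the result line from validated floats and fixed text only. */
function convert(array $post): string
{
    $f = readTemperature($post, 'f');
    $c = readTemperature($post, 'c');
    if ($f !== null) {
        return sprintf('%.2f Fahrenheit is equal to %.2f Celsius', $f, ($f - 32) * 5 / 9);
    }
    if ($c !== null) {
        return sprintf('%.2f Celsius is equal to %.2f Fahrenheit', $c, $c * 9 / 5 + 32);
    }
    return 'Please enter a number.';
}

// Constructed sample submissions (not from the original question).
$samples = [
    ['f' => '212', 'c' => ''],
    ['f' => '', 'c' => ' 37.5 '],
    ['f' => '<b>72</b>', 'c' => ''],
    ['f' => ['nested'], 'c' => '\\'],
];

foreach ($samples as $post) {
    // Nothing from the request reaches this string unvalidated; htmlspecialchars()
    // remains the call to use wherever raw request data is echoed into HTML.
    echo htmlspecialchars(convert($post), ENT_QUOTES, 'UTF-8'), "\n";
}
```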
There're endless poorly written outdated PHP tutorials out there that basically suggest that sanitization is a magic process that automatically fixes your data to avoid any potential vulnerability. Many developers accept that as a fact and apply the recommended functions without even looking up in the documentation to find out what they really do. As a result, they not only write vulnerable applications but they corrupt legitimate user data in the process.
My advice:
Read the docs for any function you use for the first time
Understand what problem you need to solve
Think whether the function does something to solve that problem
For instance:
strip_tags — Strip HTML and PHP tags from a string
Example #1 strip_tags() example
<?php
$text = '<p>Test paragraph.</p><!-- Comment --> Other text';
echo strip_tags($text);
echo "\n";
// Allow <p> and <a>
echo strip_tags($text, '<p><a>');
?>
You have a temperature conversion tool. Does it make sense to remove HTML tags from Fahrenheit degrees?
But imagine you have a site to post HTML snippets. Now you have HTML, it makes sense to use HTML functions on it, doesn't it? But, why would you want to remove HTML from a HTML snippet? You'd make your site useless! The problem you need to solve is to inject those snippets into the site and get them displayed as raw HTML rather than getting rendered. To do so you need to e.g. convert every < symbol into &lt;.
I have a little problem with the text to be read from my database.
After the user has confirmed their new post, it saves in the database like this (like I want it to do).
But in the webpage, it will ignore these lines, and just echo out everything on the same line.
Here is a bit of my source code:
$objekttekst=str_replace("\\r\\n", "<br>", $obj->innhold);
$objekttittel=$obj->tittel;
?>
<h2><?=$objekttittel?></h2>
<p><?=$objekttekst?></p>
Could someone help me out? Thanks
Use nl2br() function.
$objekttekst = nl2br($obj->innhold);
The input textarea is pre-formatted, which means that it will show any newlines that the user enters. However, the HTML renderer (web browser) does not display any newlines from the input, unless newlines are explicitly inserted with tags such as <BR>.
You have several options here. For sure these three are not your only options, but they are the ones I have personally been using most often.
Form textarea with pre-formatted text
If you want to display the data (objekttekst) in a similar textarea where the input was given, you could do:
<h2><?=$objekttittel?></h2>
<p><textarea><?=$objekttekst?></textarea></p>
This would suit you best in a situation where the user needs a possibility to edit the entry.
Preformatting
If you want to display the text as it is, you can always surround it with <PRE>...</PRE>. That will show any newlines, indentations etc. Note that this will make the output use a fixed-width font such as Courier New.
Convert newlines to <BR> tags
Use function nl2br() as already mentioned in another answer. See: http://php.net/manual/en/function.nl2br.php for more information.
Additional note...
You might want to look into regular expressions, as in many cases you might want to do also some other modifications to your data before showing it in the HTML page. nl2br() will take care of newlines, but for other and more complex modifications you should learn regular expressions.
You can surround your string with a <pre> tag instead of replacing \n with <br>
Example:
<?php
$objekttekst=$obj->innhold;
$objekttittel=$obj->tittel;
?>
<h2><?=$objekttittel?></h2>
<p><pre><?=$objekttekst?></pre></p>
Okay, so I've got a program that converts nl2br, and prints the output to a console window. Though it prints along with the output data, the <br />. I'm fine with it and all, if I can't remove/hide it without all the output melding together, but I'd rather hide/remove it if possible. Any suggestions are thankfully accepted.
-Example-
What console says:
: Output here!<br />
What I want:
: Output here!
I've tried substr($out, 5), trim(), and that's all I could come up with. All those did was meld the output together.
It's not totally clear, but I suspect you misunderstood nl2br. As the name suggests, it adds for each "newline" a "br" before, so that in HTML (which treats newlines like spaces in text) you will see actually the text continuing in the next line. When you print to console, the console interprets usually the newline as a newline and so a new line begins. You do not have to use nl2br if you want to output "it" to console. (See nl2br for details).
That's what nl2br() does, changes new line character \n to <br />.
If you want to take those out, you can use str_replace()
$output = str_replace("<br />", "", $output);
I've asked this question before but I didn't seem to get the right answer. I've got a problem with new lines in text. Javascript and jQuery don't like things like this:
alert('text
text);
When I pull information from a database table that has a break line in it, JS and jQuery can't parse it correctly. I've been told to use nl2br(), but that doesn't work when someone uses 'shift+enter' or 'enter' when typing text into a message (which is where I get this problem). I still end up with separate lines when using it. It seems to correctly apply the BR tag after the line break, but it still leaves the break there.
Can anyone provide some help here? I get the message data with jQuery and send it off to PHP file to storage, so I'd like to fix the problem there.
This wouldn't be a problem normally, but I want to pull all of a user's messages when they first load up their inbox and then display it to them via jQuery when they select a certain message.
You could use a regexp to replace newlines with spaces:
alert('<?php echo preg_replace("/[\n\r\f]+/m","<br />", $text); ?>');
The m modifier will match across newlines, which in this case I think is important.
edit: sorry, didn't realise you actually wanted <br /> elements, not spaces. updated answer accordingly.
edit2: like #LainIwakura, I made a mistake in my regexp, partly due to the previous edit. my new regexp only replaces CR/NL/LF characters, not any whitespace character (\s). note there are a bunch of unicode linebreak characters that i haven't acknowledged... if you need to deal with these, you might want to read up on the regexp syntax for unicode
Edit: Okay after much tripping over myself I believe you want this:
$str = preg_replace('/\n+/', '<br />', $str);
And with that I'm going to bed...too late to be answering questions.
I usually use json_encode() to format string for use in JavaScript, as it does everything that's necessary for making JS-valid value.
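The json_encode() approach from the answer above, written out for a message that contains line breaks and quotes. This is an added example, not code from the original thread; the jsLiteral() helper, the element id and the sample message are assumptions, and JSON_THROW_ON_ERROR needs PHP 7.3 or later.

```php
<?php
// Added example: let json_encode() build the JavaScript string literal, so raw
// newlines and quotes from the database never reach the script source.

/**
 * Encode text as a JS string literal that is also safe inside <script>:
 * the JSON_HEX_* flags turn <, >, &, ' and " into \uXXXX escapes.
 */
function jsLiteral(string $text): string
{
    return json_encode(
        $text,
        JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_THROW_ON_ERROR
    );
}

// Constructed message: CRLF and LF breaks, both quote styles, and markup
// (including a closing script tag) that must stay inert.
$message = "First line\r\nSecond 'line' with \"quotes\"\n</script><b>bold</b>";

$literal = jsLiteral($message);
?>
<p id="message" style="white-space: pre-line"></p>
<script>
  // The literal already carries its own surrounding quotes.
  var message = <?= $literal ?>;
  // textContent treats the value as text; pre-line makes the breaks visible
  // without nl2br() or any <br /> in the stored data.
  document.getElementById('message').textContent = message;
</script>
```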
How do I detect a carriage return/new line character in a text area in PHP?
I want to replace them with <br /> tags before storing it in the database.
There's a php constant for this:
When do I use the PHP constant "PHP_EOL"?
Also look into nl2br().
My advice: "don't do it".
Just store the line breaks in the db, but render it to <br /> only when producing the output. Otherwise you'll have the problem of replacing the <br /> when you want to use that data in a different context.
For that, you can use nl2br
See: http://php.net/manual/en/function.nl2br.php
Just nl2br it ;)
PS: Don't apply the function when inserting to the database (use only SQL escaping here). Apply the function as soon as you want to output the text to HTML.
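The advice above (store the line breaks, convert only on output) also removes the growing-newline problem from the article editing question at the top of the page. The following is an added example, not code from the original posts; the three function names and the sample article are hypothetical, and the database write itself is left out.

```php
<?php
// Added example: the database holds plain text; <br /> exists only in the
// HTML sent to the browser, so there is never a tag to strip before editing.

/** Collapse CRLF and lone CR to LF once, before the text is stored. */
function normalizeForStorage(string $text): string
{
    return str_replace(["\r\n", "\r"], "\n", $text);
}

/** Article page: escape first, then let nl2br() add the only tags in the output. */
function renderAsHtml(string $stored): string
{
    return nl2br(htmlspecialchars($stored, ENT_QUOTES, 'UTF-8'));
}

/** Edit form: a textarea displays newlines itself, so it needs escaping only. */
function renderInTextarea(string $stored): string
{
    return '<textarea name="content">'
        . htmlspecialchars($stored, ENT_QUOTES, 'UTF-8')
        . '</textarea>';
}

// Constructed submission: browsers post textarea line breaks as \r\n.
$submitted = "Hello, this is my article.\r\nI am <b>demonstrating</b> a new line here.";

// This value is what gets stored (with a parameterised query, not shown).
$stored = normalizeForStorage($submitted);

// Three edit-and-save cycles: the form posts the same text back with \r\n again.
for ($i = 0; $i < 3; $i++) {
    $postedBack = str_replace("\n", "\r\n", $stored);
    $stored = normalizeForStorage($postedBack);
}

// Number of line breaks in the stored text after the cycles.
var_dump(substr_count($stored, "\n"));

// What the article page and the edit form would send to the browser.
echo renderAsHtml($stored), "\n\n";
echo renderInTextarea($stored), "\n";
```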
I know this is v-old but just wanted to make a note here, perhaps even for myself! The eols here need to be in double quotes, otherwise It just won't work. See below...
$eols = array(",","\r\n","\n","\r"); // "\r\n" comes before "\n" and "\r" so a CRLF becomes a single <br />
$text_area = str_replace($eols,'<br />',$_POST['text_area']);
Hope this helps someone not waste time like I just did for 30mins!
You may use nl2br(). Please note that it will convert \n and \r\n to <br />\n.
You can use the nl2br() function. This will insert <br/> as necessary.
It is generally my preference to leave the HTML formatting out of the DB (unless it was in the source material). You never know when you may want to use the clean version for other purposes.
Try this:
$text_area = str_replace(PHP_EOL,'<br/>', $text_area);
Using str_replace