php: i'm stuck, echo escaped textarea

I have a textarea that I use mysql_real_escape_string on, and then I do a load of stuff on all the fields, like checking isset, numeric, etc.

Now, when there is a problem, I post back with the problem and echo the submitted values into the correct fields.

The trouble I'm having is that, as the textarea is escaped, any new lines I have get turned into \r\n and this is then displayed to the user.

I have searched but can't find the solution, so I'm coming to you guys, who I'm sure will post 2 lines of code that fix the problem.

So what is it that I'm doing wrong?

Thanks
 
Use stripslashes - this would partially unescape it, but mysql_escape_string does more than just add slashes to a string.

http://uk2.php.net/stripslashes

That leaves me with the r and n still appearing though. I know I could replace the \r\n with <br />, but surely there is a simpler way to do it? Searching says to use nl2br(), but again this isn't working, though I'm not sure if I'm using it wrong or if it just doesn't do what I'm after.
 
Why are you escaping the original form value? Create another variable that is escaped, and use that in the query. If it fails then just echo the original, unescaped one, surely?
 
Why are you escaping the original form value? Create another variable that is escaped, and use that in the query. If it fails then just echo the original, unescaped one, i'm talking down to you

Good idea, but then when it gets stored in the db and echoed out later on I still have the problem.

AFAIK you should always escape strings that a user has control over; am I wrong in that this doesn't apply to a textarea?
 
i'm talking down to you

:p Sorry, just seemed odd to display an escaped string

Good idea, but then when it gets stored in the db and echoed out later on I still have the problem.

The database will remove any escape characters when the query is executed, such that the stored string is just as it should be, so you shouldn't have any problems in displaying the text stored in the database, unless you're applying other escaping to it or something.

AFAIK you should always escape strings that a user has control over; am I wrong in that this doesn't apply to a textarea?

No, you're right; any kind of user input that's going to be a) used in database queries, b) used in some way with the file system, or c) displayed to the user in HTML, should be escaped appropriately, regardless of where it came from. This includes cookies and other such things.
 
The database will remove any escape characters when the query is executed, such that the stored string is just as it should be, so you shouldn't have any problems in displaying the text stored in the database, unless you're applying other escaping to it or something.
The only other thing I am doing is, before escaping the string, saying "if magic quotes is on, remove them", and then I escape the string. Would this be why it's being displayed with the \r\n?

No, you're right; any kind of user input that's going to be a) used in database queries, b) used in some way with the file system, or c) displayed to the user in HTML, should be escaped appropriately, regardless of where it came from. This includes cookies and other such things.

Yeah, that's what I thought, just wanted to make sure :)

shine: I will have a look at what you suggested after work, thanks.
 
The only other thing I am doing is, before escaping the string, saying "if magic quotes is on, remove them", and then I escape the string. Would this be why it's being displayed with the \r\n?

Nope, the \r\n is being put there by mysql_real_escape_string. Like I said, when it goes into the database it'll be replaced by an actual new line again, so that when you retrieve it from the database it won't have any escape characters in it.

Again, if you're displaying it on the form again, you just need to use the original input, before it was escaped for the database (remembering to escape it for HTML display using htmlspecialchars or htmlentities, of course). That way there'll be no database escape characters shown in the form.
 
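The flow the replies above recommend (keep the original input for redisplay, escape a separate copy for the database, escape for HTML only at output time), as an added example that is not part of the original thread. It uses PDO with an in-memory SQLite table (assumed to be available) in place of the MySQL connection, and a small addcslashes() stand-in for mysql_real_escape_string(), which needs a live link; escapeLikeMysql, forHtml, forTextarea, fail and the sample text are all assumptions of this example. It also goes one step beyond the thread by using a prepared statement, which removes the need to escape for the database at all.

```php
<?php
// Added example, not code from the original thread. It shows (1) why the
// escaped copy of a textarea displays "\r\n", and (2) the flow the replies
// recommend: keep the raw input for redisplay, give the database a separately
// protected value, and escape for HTML only at output time.
// Assumption: the pdo_sqlite extension is available, so an in-memory SQLite
// table stands in for the MySQL table and no server is needed.

// Stand-in for mysql_real_escape_string(), which needs a live MySQL link.
// It backslash-escapes the same characters the MySQL client library does
// (NUL, \n, \r, \, ', " and Ctrl-Z); NUL comes out as \000 rather than \0,
// which is close enough to show the newline effect.
function escapeLikeMysql(string $s): string
{
    return addcslashes($s, "\0\n\r\\'\"\x1a");
}

function fail(string $msg): void
{
    throw new RuntimeException($msg);
}

// Constructed sample of what a user typed into the textarea.
$raw = "line one\r\nline two, with it's <b>tags</b>";

// (1) The escaped copy: the real CR LF pair has become four printable
// characters (backslash r backslash n) and the apostrophe got a backslash.
// Echoing $escaped back into the form is exactly what produced the symptom.
$escaped = escapeLikeMysql($raw);
if (strpos($escaped, "\\r\\n") === false || strpos($escaped, "\r\n") !== false) {
    fail('escaping should turn CR LF into the literal text \\r\\n');
}
if (strpos($escaped, "it\\'s") === false) {
    fail("escaping should turn the apostrophe into \\'");
}

// (2) Storing: a prepared statement takes the raw value as a parameter, so it
// is never spliced into SQL text, nothing is escaped, and nothing needs
// un-escaping later. (With the old mysql_* API the equivalent is to put
// mysql_real_escape_string($raw) into a separate variable used only in the
// query string.)
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE mytbl (id INTEGER PRIMARY KEY, description TEXT)');

$insert = $pdo->prepare('INSERT INTO mytbl (description) VALUES (:description)');
$insert->execute([':description' => $raw]);

$stored = $pdo->query('SELECT description FROM mytbl')->fetchColumn();
if ($stored !== $raw) {
    fail('round trip through the database should be byte-identical');
}

// (3) Output. Escape for HTML first, then turn newlines into <br />; doing it
// in the other order would escape the <br /> tags themselves.
function forHtml(string $s): string
{
    return nl2br(htmlspecialchars($s, ENT_QUOTES, 'UTF-8'));
}

// Inside a <textarea> the browser keeps newlines, so only HTML escaping is
// needed; this is what to use when re-filling the form after a failed check.
function forTextarea(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES, 'UTF-8');
}

$html = forHtml($stored);
if (strpos($html, '<br />') === false || strpos($html, '&lt;b&gt;') === false) {
    fail('HTML output should contain <br /> and the escaped <b> tag');
}

echo "Escaped for SQL (what the poster saw): ", $escaped, "\n";
echo "Stored and read back: ", json_encode($stored), "\n";
echo "Rendered as HTML:\n", $html, "\n";
echo "Refilled textarea:\n<textarea name=\"description\">", forTextarea($raw), "</textarea>\n";
```

Run it with `php example.php`. The first line of output is the \r\n form from the question; the json_encode line shows the stored value still has a real CR LF; the last two lines are the two safe ways to put the text back on the page.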
Pretty much what is going on:

PHP:
if (get_magic_quotes_gpc()) {
    $description = stripslashes($_POST['description']);
} else {
    $description = $_POST['description'];
}

// Escape for the query (needs the open connection)
$description = mysql_real_escape_string($description, $serverConnect);

$insertQuery = "INSERT INTO mytbl (description) VALUES ('$description')";
mysql_query($insertQuery, $serverConnect) or die(mysql_error());

Then to view:

PHP:
$displayDB = mysql_query("SELECT * FROM mytbl WHERE description='description'", $serverConnect)
    or die(mysql_error());

while ($displayArray = mysql_fetch_array($displayDB)) {
    // The value comes back with real newlines; escape it for HTML before echoing
    echo "description:<b> " . htmlspecialchars($displayArray['description']) . "</b><br />";
}

If I do a preg_replace of \r\n to <br />, that works after I have selected it from the database and then view it. However, doing what you said (if there is a problem, just display the POST value) still has problems, even though I haven't done anything to it other than post it. Could this be the problem?
 