Textarea + Line Breaks + Security

Russinating · 8 Sep 2010 at 10:48

As title, what's the best way of securing and validating textarea inputs going directly into a database whilst allowing line breaks?

I'm using mysql_real_escape_string() at the moment which retains the line breaks in the database (as viewable from phpMyAdmin), but on output onto the site again they're lost. I'm using stripslashes() on output so not sure if this is what's stripping out the line breaks too - if so, what's then the best way of... well, stripping the slashes whilst retaining breaks?

helium · 8 Sep 2010 at 13:51

use the function nl2br() then the line breaks will be turned into the <br /> tag.

That function doesn't do any security checks just sorts out the line break problem

robmiller · 8 Sep 2010 at 14:19

Steal the automatic paragraph-making function from WordPress; it'll convert double new lines to paragraphs, single new lines to line breaks, and is intelligent enough not to insert them between block-level HTML tags and whatnot:

PHP:

/**
 * Replaces double line-breaks with paragraph elements.
 *
 * A group of regex replaces used to identify text formatted with newlines and
 * replace double line-breaks with HTML paragraph tags. The remaining
 * line-breaks after conversion become <<br />> tags, unless $br is set to '0'
 * or 'false'.
 *
 * @since 0.71
 *
 * @param string $pee The text which has to be formatted.
 * @param int|bool $br Optional. If set, this will convert all remaining line-breaks after paragraphing. Default true.
 * @return string Text which has been converted into correct paragraph tags.
 */
function wpautop($pee, $br = 1) {

	if ( trim($pee) === '' )
		return '';
	$pee = $pee . "\n"; // just to make things a little easier, pad the end
	$pee = preg_replace('|<br />\s*<br />|', "\n\n", $pee);
	// Space things out a little
	$allblocks = '(?:table|thead|tfoot|caption|col|colgroup|tbody|tr|td|th|div|dl|dd|dt|ul|ol|li|pre|select|option|form|map|area|blockquote|address|math|style|input|p|h[1-6]|hr|fieldset|legend|section|article|aside|hgroup|header|footer|nav|figure|figcaption|details|menu|summary)';
	$pee = preg_replace('!(<' . $allblocks . '[^>]*>)!', "\n$1", $pee);
	$pee = preg_replace('!(</' . $allblocks . '>)!', "$1\n\n", $pee);
	$pee = str_replace(array("\r\n", "\r"), "\n", $pee); // cross-platform newlines
	if ( strpos($pee, '<object') !== false ) {
		$pee = preg_replace('|\s*<param([^>]*)>\s*|', "<param$1>", $pee); // no pee inside object/embed
		$pee = preg_replace('|\s*</embed>\s*|', '</embed>', $pee);
	}
	$pee = preg_replace("/\n\n+/", "\n\n", $pee); // take care of duplicates
	// make paragraphs, including one at the end
	$pees = preg_split('/\n\s*\n/', $pee, -1, PREG_SPLIT_NO_EMPTY);
	$pee = '';
	foreach ( $pees as $tinkle )
		$pee .= '<p>' . trim($tinkle, "\n") . "</p>\n";
	$pee = preg_replace('|<p>\s*</p>|', '', $pee); // under certain strange conditions it could create a P of entirely whitespace
	$pee = preg_replace('!<p>([^<]+)</(div|address|form)>!', "<p>$1</p></$2>", $pee);
	$pee = preg_replace('!<p>\s*(</?' . $allblocks . '[^>]*>)\s*</p>!', "$1", $pee); // don't pee all over a tag
	$pee = preg_replace("|<p>(<li.+?)</p>|", "$1", $pee); // problem with nested lists
	$pee = preg_replace('|<p><blockquote([^>]*)>|i', "<blockquote$1><p>", $pee);
	$pee = str_replace('</blockquote></p>', '</p></blockquote>', $pee);
	$pee = preg_replace('!<p>\s*(</?' . $allblocks . '[^>]*>)!', "$1", $pee);
	$pee = preg_replace('!(</?' . $allblocks . '[^>]*>)\s*</p>!', "$1", $pee);
	if ($br) {
		$pee = preg_replace_callback('/<(script|style).*?<\/\\1>/s', create_function('$matches', 'return str_replace("\n", "<WPPreserveNewline />", $matches[0]);'), $pee);
		$pee = preg_replace('|(?<!<br />)\s*\n|', "<br />\n", $pee); // optionally make line breaks
		$pee = str_replace('<WPPreserveNewline />', "\n", $pee);
	}
	$pee = preg_replace('!(</?' . $allblocks . '[^>]*>)\s*<br />!', "$1", $pee);
	$pee = preg_replace('!<br />(\s*</?(?:p|li|div|dl|dd|dt|th|pre|td|ul|ol)[^>]*>)!', '$1', $pee);
	if (strpos($pee, '<pre') !== false)
		$pee = preg_replace_callback('!(<pre[^>]*>)(.*?)</pre>!is', 'clean_pre', $pee );
	$pee = preg_replace( "|\n</p>$|", '</p>', $pee );

	return $pee;
}

Russinating · 8 Sep 2010 at 14:33

Cheers Rob.

PHP:

include('../includes/wpautop.php');
$description = mysql_real_escape_string(wpautop($_POST['description']));

Will that do the job then? Do I even need mysql_real_escape_string() with that?

robmiller · 8 Sep 2010 at 14:37

Russinating said:
Cheers Rob.

PHP:

include('../includes/wpautop.php'); $description = mysql_real_escape_string(wpautop($_POST['description']));

Will that do the job then? Do I even need mysql_real_escape_string() with that?

Do it on the way out: insert it into the database with just plain linebreaks, then format it when you want to display it. Think about if you wanted to display the content for editing, in a textarea: you wouldn't want the <p></p> tags there, would you (just like posts on this forum).

Xelene · 8 Sep 2010 at 16:26

always finish stuff with the db's native escape string function, even better use prepared statements.