MrLeche Posted August 3, 2011: Hi, I would like to ask your experience when submitting plain HTML forms, particularly <textarea>. This is mainly used for description and content. And as such long words and text, it is inevitable to advise the end-user to escape every quote and double quote and either type \n or <br /> whenever they need it to output a new line or carriage return. I'm really not sure how to handle this. I do not know if I need to use a function before inserting to the database, and/or add another function after retrieving. I've googled for nl2br(), tried printing it as ' . nl2br($row['content']) . ' concatenated to an HTML tag, but unfortunately it didn't work for me. Anyone? Thanks!
HartleySan Posted August 3, 2011: I believe mysqli_real_escape_string will handle the quotes, so you don't need to worry about that. As for the newlines, just run a string replace like the following before putting the string in the DB: $content = str_replace("\r\n\r\n", '</p><p>', $content); $content = str_replace("\r\n", '<br>', $content); $content = '<p>' . $content . '</p>'; Well, that's one solution.
Paul Swanson Posted August 3, 2011: Another approach would be to run the textarea input values through htmlentities(). There are options for handling quotes, and you might want to consider specifying the ENT_QUOTES flag to convert both single and double quotes to their respective HTML entity. htmlentities() also converts < and > to &lt; and &gt;, which will prevent someone from entering JavaScript or other code. If you view the source on this page, you'll see that is what the forum software does. Keep in mind, though, that if you want your users to be able to mark some text as bold, italic, etc., they will not be able to do so unless you use a rich text editor widget, such as Tiny_MCE. Also, there is a function to reverse the conversion: html_entity_decode() will revert the entities to the original characters, should you need to do so. Finally, htmlspecialchars() does an entity conversion, but on a smaller subset of characters. You might find that to be sufficient for your needs. There is a decode function for that, too. See the manual pages I've provided links to for documentation. I would still run the entire converted string through mysqli_real_escape_string, just as an extra precaution.
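The htmlspecialchars()/ENT_QUOTES conversion described above, combined with the nl2br() call from the first post, as an added example that is not from any of the posters. It stores the raw textarea text and encodes only when rendering (the database write still needs mysqli_real_escape_string or a prepared statement); the function names and the sample input are constructed for illustration.

```php
<?php
// Added example, not code from any post in this thread.
// Assumes PHP 5.4+ and UTF-8 pages.

/**
 * Turn raw textarea text into safe HTML: entity-encode markup and both
 * kinds of quote first, then turn each newline into <br />.
 * Order matters: nl2br() must run after htmlspecialchars(), otherwise the
 * inserted <br /> tags would themselves be encoded and shown literally.
 */
function render_textarea($raw)
{
    $encoded = htmlspecialchars($raw, ENT_QUOTES, 'UTF-8');
    return nl2br($encoded);
}

/**
 * Reverse the conversion (e.g. to refill a textarea for editing).
 * nl2br() keeps the original newline next to each <br />, so removing
 * the tags and decoding the entities restores the submitted text.
 */
function decode_textarea($html)
{
    $withoutBr = str_replace(array('<br />', '<br>'), '', $html);
    return html_entity_decode($withoutBr, ENT_QUOTES, 'UTF-8');
}

// Constructed sample input, as a browser submits it (CRLF line ends,
// quotes of both kinds, and a tag that must not reach the page as markup).
$submitted = "Bob's \"review\" <script>alert(1)</script>\r\nSecond line";

$html = render_textarea($submitted);
echo $html, "\n";

// Round trip: the decoded value equals what the user typed.
var_dump(decode_textarea($html) === $submitted);
```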
MrLeche Posted August 4, 2011 (Author): @HartleySan Thanks for that info, I would definitely try that out. Now that I have almost completed encoding content into MySQL, I need to do that using the HTML form through "UPDATE". Thank you for that big help. @Paul Swanson Hi, now I would like to learn about htmlentities(). I have also had frequent encounters with tiny_MCE; I had that when customizing Joomla. Having said that, I wanted to learn and progress as I have been trained by Sir Larry Ullman's book. I have observed the way he teaches through his books to program everything from scratch. Having tiny_MCE over my forms would be very fancy and handy, but I won't learn how it would suppress the errors I encounter, at least not for me. No offense to tiny_MCE, I think it's really great. Uhm, well, what happened to me is I always do a project where inserting the textarea content with quotes and carriage returns works. Then comes a project where it doesn't. Sometimes I get away with it, but this time I really wanted to know the absolute uh... discipline? For example, this may be a bit off topic, but I always write 'SELECT * FROM database WHERE user_id = ' . $_POST['uid']; There, that syntax always works for me. But if I am string specific it doesn't. So I write it with this example: "SELECT * FROM database WHERE name ='" . $_POST['name'] . "'"; There, that one worked for me. Now if I have to explain to a person when I get to use the double quote and single quote on queries interchangeably, I actually don't know how to answer back. All I know is that... it works. heheheh. When I get to try out a working htmlentities() example, I'd be very happy. I always read that on the PHP.net manual but the example there isn't too friendly for me. Thanks!
Larry Posted August 5, 2011: Quotes aside, both of those queries are very, very bad, as they allow for SQL injection attacks.
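The two concatenated queries quoted in this thread rewritten as mysqli prepared statements, as an added example that is not from any of the posters. It assumes an existing mysqli connection in $mysqli and a table named users (a hypothetical name standing in for the thread's "database"); with placeholders the single-versus-double-quote question disappears, because the SQL text is a constant and the form values are bound separately.

```php
<?php
// Added example, not code from any post in this thread.
// Assumes an open mysqli connection in $mysqli, a hypothetical `users`
// table, and the mysqlnd driver (needed for get_result()).

// The thread's two concatenated queries. Whatever is in $_POST becomes
// part of the SQL text itself, so neither quoting style makes them safe;
// both are vulnerable to SQL injection and are shown only for contrast:
//   'SELECT * FROM database WHERE user_id = ' . $_POST['uid']
//   "SELECT * FROM database WHERE name ='" . $_POST['name'] . "'"

/** Fetch one user by numeric id; the id is validated and then bound. */
function find_user_by_id(mysqli $mysqli, $uid)
{
    // Reject anything that is not an integer before touching the database.
    $id = filter_var($uid, FILTER_VALIDATE_INT);
    if ($id === false) {
        return null;
    }
    $stmt = $mysqli->prepare('SELECT * FROM users WHERE user_id = ?');
    $stmt->bind_param('i', $id);   // 'i': bound as an integer
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    $stmt->close();
    return $row;
}

/** Fetch one user by name; the string is bound, never spliced into SQL. */
function find_user_by_name(mysqli $mysqli, $name)
{
    $stmt = $mysqli->prepare('SELECT * FROM users WHERE name = ?');
    $stmt->bind_param('s', $name); // 's': bound as a string, quotes included
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    $stmt->close();
    return $row;
}

// Usage with the same form fields the thread's queries read from.
$byId   = find_user_by_id($mysqli, $_POST['uid']);
$byName = find_user_by_name($mysqli, $_POST['name']);
```

Both functions return null (or false from fetch_assoc) when no row matches, so the caller should check the result before using it.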
MrLeche Posted August 15, 2011 (Author): I didn't know about that. I googled and found out that SQL Injection Attack is scary, but they only have ASP IIS examples. Do you have a book that discusses this? Thanks!
Larry Posted August 15, 2011: I discuss it in pretty much every one of my PHP or MySQL books, I believe.