Larry Ullman's Book Forums

I would like to ask about your experience when submitting plain HTML forms, particularly <textarea>. This is mainly used for descriptions and content. As such, with long words and text, it is inevitable to advise the end user to escape every quote and double quote and to either type \n or <br /> whenever they need to output a new line or carriage return.


I'm really not sure how to handle this. I do not know if I need to use a function before inserting to the database, and/or add another function after retrieving.


I've googled nl2br(), tried printing it as ' . nl2br($row['content']) . ' concatenated to an HTML tag, but unfortunately it didn't work for me.






I believe mysqli_real_escape_string will handle the quotes, so you don't need to worry about that. As for the newlines, just run a string replace like the following before putting the string in the DB:


// Two consecutive line breaks (a blank line) become a paragraph break
$content = str_replace("\r\n\r\n", '</p><p>', $content);
// Any remaining single line break becomes a <br>
$content = str_replace("\r\n", '<br>', $content);
// Wrap the whole thing in an opening and closing paragraph tag
$content = '<p>' . $content . '</p>';


Well, that's one solution.


Another approach would be to run the textarea input values through htmlentities(). There are options for handling quotes, and you might want to consider specifying the ENT_QUOTES flag to convert both single and double quotes to their respective HTML entity. htmlentities() also converts < and > to &lt; and &gt;, which will prevent someone from entering JavaScript or other code. If you view the source on this page, you'll see that is what the forum software does. Keep in mind, though, that if you want your users to be able to mark some text as bold, italic, etc., they will not be able to do so unless you use a rich text editor widget, such as TinyMCE. Also, there is a function to reverse the conversion: html_entity_decode() will revert the entities to the original characters, should you need to do so. Finally, htmlspecialchars() does an entity conversion, but on a smaller subset of characters. You might find that to be sufficient for your needs. There is a decode function for that, too. See the manual pages I've provided links to for documentation.


I would still run the entire converted string through mysqli_real_escape_string, just as an extra precaution.




Thanks for that info, I would definitely try that out. Now that I have almost completed encoding content into MySQL, I need to do that using the HTML form through "UPDATE". Thank you for that big help.


@Paul Swanson




Now I would like to learn about htmlentities(). I have also had frequent encounters with TinyMCE; I had that when customizing Joomla. Having said that, I wanted to learn and progress as I have been trained by Sir Larry Ullman's book. I have observed the way he teaches through his books to program everything from scratch. Having TinyMCE over my forms would be very fancy and handy, but I won't learn how it would suppress the errors I encounter, at least not for me. No offense to TinyMCE, I think it's really great. Uhm, well, what happened to me is I always do a project where sometimes inserting the textarea content with quotes and carriage returns works. Then comes a project where it doesn't. Sometimes I get away with it, but this time I really wanted to know the absolute, uh... discipline?



For example, this may be a bit off topic. But I always write 'SELECT * FROM database WHERE user_id = ' . $_POST['uid']; There, that syntax always works for me. But if I am string-specific it doesn't. So I write it with this example: "SELECT * FROM database WHERE name ='" . $_POST['name'] . "'"; There, that one worked for me. Now if I have to explain to a person when I get to use the double quote and the single quote on queries interchangeably, I actually don't know how to answer. All I know is that... it works. heheheh


When I get to try out a working htmlentities() example, I'd be very happy. I always read about it in the PHP.net manual, but the example there isn't too friendly for me.
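An added example (not code from this thread or from Larry Ullman's books) that puts the two answers above together in PHP: store the textarea text as typed and encode it only when it is displayed. It assumes a mysqli connection $db and a hypothetical posts(id, content) table, and it uses a prepared statement for the UPDATE instead of mysqli_real_escape_string, which also removes the single-vs-double-quote question from the SQL string.

```php
<?php
// Added example; assumes a hypothetical `posts` table with `id` and `content`.

/**
 * Store the textarea text exactly as the user typed it.
 * A prepared statement sends the value separately from the SQL, so quotes
 * inside the text cannot break the query and the SQL needs no manual quoting.
 */
function save_content(mysqli $db, int $id, string $content): bool
{
    // Normalise Windows line endings so the stored text uses "\n" only.
    $content = str_replace("\r\n", "\n", $content);
    $stmt = $db->prepare('UPDATE posts SET content = ? WHERE id = ?');
    $stmt->bind_param('si', $content, $id);
    return $stmt->execute();
}

/**
 * Turn stored text into safe HTML for display: encode first (ENT_QUOTES
 * covers both ' and "), then convert newlines to <br />.
 * Order matters: nl2br() before htmlspecialchars() would encode the <br /> tags
 * themselves, which is the "didn't work for me" symptom from the first post.
 */
function render_content(string $content): string
{
    $safe = htmlspecialchars($content, ENT_QUOTES, 'UTF-8');
    return nl2br($safe);
}

/**
 * Pre-fill the <textarea> of the UPDATE form: encode, but do NOT nl2br(),
 * because inside a textarea real newlines are wanted, not <br /> tags.
 */
function textarea_value(string $content): string
{
    return htmlspecialchars($content, ENT_QUOTES, 'UTF-8');
}

// Constructed sample input, as a user might type it into the form.
$typed = "He said \"hi\" & left.\r\nIt's <b>done</b>.";

// Display version: quotes, &, < and > become entities; the line break becomes <br />.
echo render_content($typed), "\n";

// Form version: same encoding, newline kept so the textarea shows two lines.
echo '<textarea name="content">', textarea_value($typed), '</textarea>', "\n";
```

Because nothing is converted before the INSERT/UPDATE, the same stored text can be shown as HTML, edited again in the form, or sent as plain text without any html_entity_decode() step.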


