Problem with \r\n, mysql_escape_string
Moderator: General Moderators
-
joachimseitz
- Forum Commoner
- Posts: 25
- Joined: Fri Feb 20, 2004 10:36 am
- Location: Germany
- Contact:
Problem with \r\n, mysql_escape_string
I let a variable go through mysql_escape_string();. I do this because all my post/get/cookie variables go through this. (per function in config, and i dont want to start making exceptions it would end in chaos)
I let people write an email in a textfield.
Problem is it makes linebreaks(i think u call it that way, (\n)) convert into: \r\n
I cant get the email to have new lines...
Thats basicly my problem. I tried alot of stuff like stripslashes.
The mail doesnt support HTML (and thats the way i need it).
I actually found a way which somehow makes new lines again with:
$email_inhalt=ereg_replace('\r', '<br>', $email_inhalt);
$email_inhalt=ereg_replace('\n', '', $email_inhalt);
$email_inhalt=stripslashes($email_inhalt);
but it only works with html which i dont have/want...
So I need a way to really get rid of what mysql_escape_string did to the email content. So that new lines are possible.[/i]
I let people write an email in a textfield.
Problem is it makes linebreaks(i think u call it that way, (\n)) convert into: \r\n
I cant get the email to have new lines...
Thats basicly my problem. I tried alot of stuff like stripslashes.
The mail doesnt support HTML (and thats the way i need it).
I actually found a way which somehow makes new lines again with:
$email_inhalt=ereg_replace('\r', '<br>', $email_inhalt);
$email_inhalt=ereg_replace('\n', '', $email_inhalt);
$email_inhalt=stripslashes($email_inhalt);
but it only works with html which i dont have/want...
So I need a way to really get rid of what mysql_escape_string did to the email content. So that new lines are possible.[/i]
-
joachimseitz
- Forum Commoner
- Posts: 25
- Joined: Fri Feb 20, 2004 10:36 am
- Location: Germany
- Contact:
-
joachimseitz
- Forum Commoner
- Posts: 25
- Joined: Fri Feb 20, 2004 10:36 am
- Location: Germany
- Contact:
im using addslashes now instead of mysql_escape_string
that way it works...
mysql_escape_string is supposed to be secrurer though? i remember that at least (when i decided to take mysql_escape_string i read threads and tutorials)
but i guess ill just use addslashes, wont end the world if they try and "hack" this small script
that way it works...
mysql_escape_string is supposed to be secrurer though? i remember that at least (when i decided to take mysql_escape_string i read threads and tutorials)
but i guess ill just use addslashes, wont end the world if they try and "hack" this small script
- John Cartwright
- Site Admin
- Posts: 11470
- Joined: Tue Dec 23, 2003 2:10 am
- Location: Toronto
- Contact:
I actually had a similar problem yesterday where I was passing my whole query to mysql_real_escape_string when my query had extra carriage it would do the same conversion as yours. The solution is to not pass ALL your data, because /r is considered unclean and it is making your whole string safe. Add slashes will only worry about escaping quotes while mysql_real_escape_string is looking to fix other things aswell.
-
joachimseitz
- Forum Commoner
- Posts: 25
- Joined: Fri Feb 20, 2004 10:36 am
- Location: Germany
- Contact:
-
joachimseitz
- Forum Commoner
- Posts: 25
- Joined: Fri Feb 20, 2004 10:36 am
- Location: Germany
- Contact:
-
joachimseitz
- Forum Commoner
- Posts: 25
- Joined: Fri Feb 20, 2004 10:36 am
- Location: Germany
- Contact:
Code: Select all
<FORM method="post">
<textarea name="content"></textarea><INPUT type="submit" name="send">
</FORM>
<?
if ($_POST['content']){
$content=mysql_escape_string($_POST['content']);
echo $content;
mail('j_sendler@arcor.de', 'Feedback', $content, "From: Admin <joachimseitz@hotmail.com>");
}
?>and as i said i dont want to do mysql_escape_string aftersending the email
- raghavan20
- DevNet Resident
- Posts: 1451
- Joined: Sat Jun 11, 2005 6:57 am
- Location: London, UK
- Contact:
- raghavan20
- DevNet Resident
- Posts: 1451
- Joined: Sat Jun 11, 2005 6:57 am
- Location: London, UK
- Contact:
you can clearly see that \n produced by text area is replaced as \r\n by mysql_real_string which the browsers do not understand.
but addslashes works fine; does not replace \n; its still the same.
no need to run regex.
if you still use mysql_real_string, then you have to run a regex to convert \r\n to \n again.
but addslashes works fine; does not replace \n; its still the same.
no need to run regex.
if you still use mysql_real_string, then you have to run a regex to convert \r\n to \n again.
Code: Select all
<form method="post" action="">
<textarea cols="50" rows="5" name="ta" onblur="form.submit()"></textarea>
</form>
</body>
</html>Code: Select all
<?php
echo "value:".$_POST["ta"]."<br />";
echo "escaped value:".mysql_escape_string($_POST["ta"])."<br />";
echo "addslashes escaped value:".addslashes($_POST["ta"])."<br />";
?>- feyd
- Neighborhood Spidermoddy
- Posts: 31559
- Joined: Mon Mar 29, 2004 3:24 pm
- Location: Bothell, Washington, USA
Magic Quotes are Evil: http://www.webmasterstop.com/tutorials/ ... otes.shtml.
-
joachimseitz
- Forum Commoner
- Posts: 25
- Joined: Fri Feb 20, 2004 10:36 am
- Location: Germany
- Contact:
my magic quotes are actually on (i checked) but my scripts should also works with it off
I couldn't get it too work...
It doesn't want to replace "\r\n" with "\n"... (i tried with) ereg_replace. Somehow it will always be shown wrong in the email.
ok thanx but what would i use?raghavan20 wrote: if you still use mysql_real_string, then you have to run a regex to convert \r\n to \n again.
I couldn't get it too work...
It doesn't want to replace "\r\n" with "\n"... (i tried with) ereg_replace. Somehow it will always be shown wrong in the email.