Problem with \r\n, mysql_escape_string

PHP programming forum. Ask questions or help people concerning PHP code. Don't understand a function? Need help implementing a class? Don't understand a class? Here is where to ask. Remember to do your homework!

Moderator: General Moderators

joachimseitz
Forum Commoner
Posts: 25
Joined: Fri Feb 20, 2004 10:36 am
Location: Germany
Contact:

Problem with \r\n, mysql_escape_string

Post by joachimseitz »

I let a variable go through mysql_escape_string();. I do this because all my post/get/cookie variables go through this. (per function in config, and i dont want to start making exceptions it would end in chaos)
I let people write an email in a textfield.
Problem is it makes linebreaks(i think u call it that way, (\n)) convert into: \r\n

I cant get the email to have new lines...
Thats basicly my problem. I tried alot of stuff like stripslashes.
The mail doesnt support HTML (and thats the way i need it).

I actually found a way which somehow makes new lines again with:
$email_inhalt=ereg_replace('\r', '<br>', $email_inhalt);
$email_inhalt=ereg_replace('\n', '', $email_inhalt);
$email_inhalt=stripslashes($email_inhalt);
but it only works with html which i dont have/want...

So I need a way to really get rid of what mysql_escape_string did to the email content. So that new lines are possible.[/i]
User avatar
feyd
Neighborhood Spidermoddy
Posts: 31559
Joined: Mon Mar 29, 2004 3:24 pm
Location: Bothell, Washington, USA

Post by feyd »

that sounds like correct behaviour though..
joachimseitz
Forum Commoner
Posts: 25
Joined: Fri Feb 20, 2004 10:36 am
Location: Germany
Contact:

Post by joachimseitz »

but there must be a way to get rid of it again after running the string through mysql_escape_string();
joachimseitz
Forum Commoner
Posts: 25
Joined: Fri Feb 20, 2004 10:36 am
Location: Germany
Contact:

Post by joachimseitz »

im using addslashes now instead of mysql_escape_string

that way it works...

mysql_escape_string is supposed to be secrurer though? i remember that at least (when i decided to take mysql_escape_string i read threads and tutorials)
but i guess ill just use addslashes, wont end the world if they try and "hack" this small script
User avatar
John Cartwright
Site Admin
Posts: 11470
Joined: Tue Dec 23, 2003 2:10 am
Location: Toronto
Contact:

Post by John Cartwright »

I actually had a similar problem yesterday where I was passing my whole query to mysql_real_escape_string when my query had extra carriage it would do the same conversion as yours. The solution is to not pass ALL your data, because /r is considered unclean and it is making your whole string safe. Add slashes will only worry about escaping quotes while mysql_real_escape_string is looking to fix other things aswell.
joachimseitz
Forum Commoner
Posts: 25
Joined: Fri Feb 20, 2004 10:36 am
Location: Germany
Contact:

Post by joachimseitz »

Yes I guess thats a solution too, but I dont feel like making exceptions in the function if variable==x dont do mysql_escape...
if i start doing that i can through away my nice function it wouldnt be fullfilling its purpose :(
User avatar
feyd
Neighborhood Spidermoddy
Posts: 31559
Joined: Mon Mar 29, 2004 3:24 pm
Location: Bothell, Washington, USA

Post by feyd »

how about you post your code, so we can see where an error may occur?
joachimseitz
Forum Commoner
Posts: 25
Joined: Fri Feb 20, 2004 10:36 am
Location: Germany
Contact:

Post by joachimseitz »

well a texfield with a submit button

then the variable is:
mysql_escape_string ($text);
and that variable i want to send per email with mail();


its only that, i also tested it externally with only that just to be sure, it sends the email so that works
problem is as i said i cant get rid of "\r\n"
User avatar
feyd
Neighborhood Spidermoddy
Posts: 31559
Joined: Mon Mar 29, 2004 3:24 pm
Location: Bothell, Washington, USA

Post by feyd »

last time I ask: post. your. code.
joachimseitz
Forum Commoner
Posts: 25
Joined: Fri Feb 20, 2004 10:36 am
Location: Germany
Contact:

Post by joachimseitz »

Code: Select all

<FORM method="post">
<textarea name="content"></textarea><INPUT type="submit" name="send">
</FORM>
<?
if ($_POST['content']){
$content=mysql_escape_string($_POST['content']);
echo $content;
mail('j_sendler@arcor.de', 'Feedback', $content, "From: Admin <joachimseitz@hotmail.com>");
}
?>
i left out the html you dont need and the mysql connection too and inserting, which saves the $content afterwards
and as i said i dont want to do mysql_escape_string aftersending the email
User avatar
raghavan20
DevNet Resident
Posts: 1451
Joined: Sat Jun 11, 2005 6:57 am
Location: London, UK
Contact:

Post by raghavan20 »

I dont think its a good idea to mysql_escape_string a $_POST data since I think magic_quotes should be on as default and this would add extra slashes.

for preserving line breaks in mail, \n works fine with mails as I have a few scripts with \n.
User avatar
raghavan20
DevNet Resident
Posts: 1451
Joined: Sat Jun 11, 2005 6:57 am
Location: London, UK
Contact:

Post by raghavan20 »

you can clearly see that \n produced by text area is replaced as \r\n by mysql_real_string which the browsers do not understand.

but addslashes works fine; does not replace \n; its still the same.

no need to run regex.

if you still use mysql_real_string, then you have to run a regex to convert \r\n to \n again.

Code: Select all

<form method="post" action="">
<textarea cols="50" rows="5" name="ta" onblur="form.submit()"></textarea>
</form>
</body>
</html>

Code: Select all

<?php
echo "value:".$_POST["ta"]."<br />";
echo "escaped value:".mysql_escape_string($_POST["ta"])."<br />";
echo "addslashes escaped value:".addslashes($_POST["ta"])."<br />";
?>
User avatar
feyd
Neighborhood Spidermoddy
Posts: 31559
Joined: Mon Mar 29, 2004 3:24 pm
Location: Bothell, Washington, USA

Post by feyd »

joachimseitz
Forum Commoner
Posts: 25
Joined: Fri Feb 20, 2004 10:36 am
Location: Germany
Contact:

Post by joachimseitz »

my magic quotes are actually on (i checked) but my scripts should also works with it off
raghavan20 wrote: if you still use mysql_real_string, then you have to run a regex to convert \r\n to \n again.
ok thanx but what would i use?
I couldn't get it too work...

It doesn't want to replace "\r\n" with "\n"... (i tried with) ereg_replace. Somehow it will always be shown wrong in the email.
User avatar
feyd
Neighborhood Spidermoddy
Posts: 31559
Joined: Mon Mar 29, 2004 3:24 pm
Location: Bothell, Washington, USA

Post by feyd »

you actually shouldn't have to escape anything for the message component, you know..
Post Reply