Problem with \r\n, mysql_escape_string
Posted: Mon Sep 05, 2005 11:41 am
by joachimseitz
I let a variable go through mysql_escape_string();. I do this because all my post/get/cookie variables go through this (per function in config, and I don't want to start making exceptions; it would end in chaos).
I let people write an email in a textfield.
The problem is it makes line breaks (I think you call it that way, (\n)) convert into: \r\n
I can't get the email to have new lines...
That's basically my problem. I tried a lot of stuff like stripslashes.
The mail doesn't support HTML (and that's the way I need it).
I actually found a way which somehow makes new lines again with:
$email_inhalt=ereg_replace('\r', '<br>', $email_inhalt);
$email_inhalt=ereg_replace('\n', '', $email_inhalt);
$email_inhalt=stripslashes($email_inhalt);
but it only works with HTML, which I don't have/want...
So I need a way to really get rid of what mysql_escape_string did to the email content, so that new lines are possible.
Posted: Mon Sep 05, 2005 11:49 am
by feyd
that sounds like correct behaviour though..
Posted: Mon Sep 05, 2005 11:53 am
by joachimseitz
but there must be a way to get rid of it again after running the string through mysql_escape_string();
Posted: Mon Sep 05, 2005 12:18 pm
by joachimseitz
I'm using addslashes now instead of mysql_escape_string
that way it works...
mysql_escape_string is supposed to be securer though? I remember that at least (when I decided to take mysql_escape_string I read threads and tutorials)
but I guess I'll just use addslashes, it won't end the world if they try and "hack" this small script
Posted: Mon Sep 05, 2005 12:22 pm
by John Cartwright
I actually had a similar problem yesterday where I was passing my whole query to mysql_real_escape_string; when my query had extra carriage it would do the same conversion as yours. The solution is to not pass ALL your data, because /r is considered unclean and it is making your whole string safe. Add slashes will only worry about escaping quotes while mysql_real_escape_string is looking to fix other things as well.
Posted: Mon Sep 05, 2005 3:52 pm
by joachimseitz
Yes, I guess that's a solution too, but I don't feel like making exceptions in the function: if variable==x don't do mysql_escape...
If I start doing that I can throw away my nice function, it wouldn't be fulfilling its purpose

Posted: Mon Sep 05, 2005 3:54 pm
by feyd
how about you post your code, so we can see where an error may occur?
Posted: Thu Sep 08, 2005 3:46 pm
by joachimseitz
well, a textfield with a submit button
then the variable is:
mysql_escape_string ($text);
and that variable I want to send per email with mail();
it's only that, I also tested it externally with only that just to be sure, it sends the email so that works
problem is, as I said, I can't get rid of "\r\n"
Posted: Thu Sep 08, 2005 4:09 pm
by feyd
last time I ask: post. your. code.
Posted: Fri Sep 09, 2005 7:14 am
by joachimseitz
Code:
<FORM method="post">
<textarea name="content"></textarea><INPUT type="submit" name="send">
</FORM>
<?php
// Runs only when the textarea was submitted with some content.
if (!empty($_POST['content'])) {
    // SQL escaping is applied here, before the value is passed to mail().
    $content = mysql_escape_string($_POST['content']);
    echo $content;
    mail('j_sendler@arcor.de', 'Feedback', $content, "From: Admin <joachimseitz@hotmail.com>");
}
?>
I left out the HTML you don't need and the mysql connection too and the inserting, which saves the $content afterwards
and as I said I don't want to do mysql_escape_string after sending the email
Posted: Fri Sep 09, 2005 7:33 am
by raghavan20
I don't think it's a good idea to mysql_escape_string a $_POST data since I think magic_quotes should be on as default and this would add extra slashes.
For preserving line breaks in mail, \n works fine with mails as I have a few scripts with \n.
Posted: Fri Sep 09, 2005 7:49 am
by raghavan20
you can clearly see that \n produced by text area is replaced as \r\n by mysql_real_string which the browsers do not understand.
but addslashes works fine; does not replace \n; its still the same.
no need to run regex.
if you still use mysql_real_string, then you have to run a regex to convert \r\n to \n again.
Code:
<html>
<body>
<form method="post" action="">
<textarea cols="50" rows="5" name="ta" onblur="form.submit()"></textarea>
</form>
</body>
</html>
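Code:
<?php
// Demo only: compare what each escaping function does to the textarea's line breaks.
$ta = isset($_POST["ta"]) ? $_POST["ta"] : "";
echo "value:".htmlspecialchars($ta)."<br />";
echo "escaped value:".htmlspecialchars(mysql_escape_string($ta))."<br />";
echo "addslashes escaped value:".htmlspecialchars(addslashes($ta))."<br />";
?>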
Posted: Fri Sep 09, 2005 8:42 am
by feyd
Posted: Sat Sep 10, 2005 5:49 am
by joachimseitz
my magic quotes are actually on (I checked) but my scripts should also work with it off
raghavan20 wrote:
if you still use mysql_real_string, then you have to run a regex to convert \r\n to \n again.
OK, thanks, but what would I use?
I couldn't get it to work...
It doesn't want to replace "\r\n" with "\n"... (I tried with ereg_replace). Somehow it will always be shown wrong in the email.
Posted: Sat Sep 10, 2005 7:32 am
by feyd
you actually shouldn't have to escape anything for the message component, you know..
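The point made in the last post, as an added example that is not part of the original thread: keep the raw POST value and make a separately escaped copy per destination, so the SQL escaping never reaches the mail body. `sql_escape_emulated()`, `mail_body()` and the `feedback` table are hypothetical names; the first stands in for mysql_real_escape_string() so the block runs without a database, and magic_quotes_gpc is assumed to be off.

```php
<?php
// Added example, not code from the thread. All function names are hypothetical.

// Stand-in for mysql_real_escape_string() so this runs without a connection:
// it backslash-escapes the same characters (NUL, \n, \r, \, ', " and Ctrl-Z).
function sql_escape_emulated($s) {
    return strtr($s, array(
        "\\" => "\\\\", "\0" => "\\0", "\n" => "\\n", "\r" => "\\r",
        "'"  => "\\'",  '"'  => '\\"', "\x1a" => "\\Z",
    ));
}

// Plain-text mail body: no SQL escaping at all, only line-ending
// normalisation to CRLF, which is what mail() expects between lines.
function mail_body($raw) {
    return preg_replace('/\r\n|\r|\n/', "\r\n", $raw);
}

// Constructed sample: what a browser submits for a two-line textarea.
$raw = "Hello,\r\nit's me.";

$for_sql  = sql_escape_emulated($raw);  // goes only into the SQL string
$for_mail = mail_body($raw);            // goes only into the mail() message

// Hypothetical table and column, shown to make the SQL sink explicit.
$sql = "INSERT INTO feedback (content) VALUES ('" . $for_sql . "')";
echo $sql, "\n";

// The SQL copy holds the four literal characters backslash, r, backslash, n;
// sending this copy by mail is what produced the visible \r\n in the thread.
var_dump(strpos($for_sql, '\r\n') !== false);

// The mail copy still holds the real CR LF bytes, so the line break survives.
var_dump(strpos($for_mail, "\r\n") !== false);

// With a real connection and mailer the two copies would be used like this:
// mysql_query($sql);
// mail($to, 'Feedback', $for_mail, $headers);
?>
```

The escaping function in the shared config can stay as it is if it returns the escaped copy instead of overwriting the request variable, which removes the need for per-variable exceptions.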