mysql_real_escape_string

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.

herman101
Forum Newbie
Posts: 5
Joined: Tue May 18, 2010 10:15 am

mysql_real_escape_string

Post by herman101 »

Hi All, I have a problem with outputting data.

Everything that is posted via $_POST I first secure with the following statement:

$variable = mysql_real_escape_string($variable);

Now I have a form where people can enter text. When something went wrong, people do not have to type in all the text again. It is first stored in mysql and then loaded again in the form.

For example it can look like this (enters):
input line one
input line two
input line three

When it is loaded again it is converted into: input line one\r\ninput line two\r\ninput line three. This should not happen. Or it should, to make the input safe. But when I echo this I get these \r\n. How can I visualize the output with enters again?

B.r.
Herman
AbraCadaver
DevNet Master
Posts: 2572
Joined: Mon Feb 24, 2003 10:12 am
Location: The Republic of Texas

Re: mysql_real_escape_string

Post by AbraCadaver »

Different problem, probably same solution: viewtopic.php?f=1&t=116557
mysql_function(): WARNING: This extension is deprecated as of PHP 5.5.0, and will be removed in the future. Instead, the MySQLi or PDO_MySQL extension should be used. See also MySQL: choosing an API guide and related FAQ for more information.
herman101
Forum Newbie
Posts: 5
Joined: Tue May 18, 2010 10:15 am

Re: mysql_real_escape_string

Post by herman101 »

I tried this but it is not working. An 'enter' gets a \r\n.
AbraCadaver
DevNet Master
Posts: 2572
Joined: Mon Feb 24, 2003 10:12 am
Location: The Republic of Texas

Re: mysql_real_escape_string

Post by AbraCadaver »

herman101 wrote: I tried this but it is not working. An 'enter' gets a \r\n.
The \r\n was in the original text that was entered so it is still there. If you actually want to see it in HTML, try nl2br().
herman101
Forum Newbie
Posts: 5
Joined: Tue May 18, 2010 10:15 am

Re: mysql_real_escape_string

Post by herman101 »

I think that must work. I put the text back in a text area like this:

<textarea name="verhaal" rows="12" cols="63">
<?php echo nl2br($message,false); ?>
</textarea>

It needs to be changed in some place. Can you help with that?
herman101
Forum Newbie
Posts: 5
Joined: Tue May 18, 2010 10:15 am

Re: mysql_real_escape_string

Post by herman101 »

I got something working :) Keep the mysql_real_escape_string. When I want to put out my $variable I pass it through the stripcslashes function. That works!
AbraCadaver
DevNet Master
Posts: 2572
Joined: Mon Feb 24, 2003 10:12 am
Location: The Republic of Texas

Re: mysql_real_escape_string

Post by AbraCadaver »

herman101 wrote: I got something working :) Keep the mysql_real_escape_string. When I want to put out my $variable I pass it through the stripcslashes function. That works!
That was my original post. You need to stripslashes() before you insert.
Mordred
DevNet Resident
Posts: 1579
Joined: Sun Sep 03, 2006 5:19 am
Location: Sofia, Bulgaria

Re: mysql_real_escape_string

Post by Mordred »

Actually, you need to "split" the variable path through the source, depending on where you plan to use it. For the fork in the road that goes to the database, use mysql_real_escape_string(). For the fork in the road that goes to HTML, escape HTML special chars, nl2br(), etc.
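The "fork in the road" described above, as an added PHP example that is not code from the thread: the raw text is kept as-is, handed to the database as a bound parameter through the MySQLi API, and escaped separately for each HTML use. The mysqli connection, the `posts` table and its `verhaal` column are assumptions made for the example.

```php
<?php
// Added example (not from the thread): one raw value, escaped separately for each sink.
// The mysqli connection and the table `posts(verhaal TEXT)` are hypothetical.

declare(strict_types=1);

// Database fork: a prepared statement sends the raw text as a bound parameter,
// so no mysql_real_escape_string() and no stripslashes() round trip is needed.
function storeMessage(mysqli $db, string $raw): void
{
    $stmt = $db->prepare('INSERT INTO posts (verhaal) VALUES (?)');
    $stmt->bind_param('s', $raw);
    $stmt->execute();
    $stmt->close();
}

// HTML fork 1: refilling a <textarea>. The browser renders the newlines itself,
// so only HTML-special characters are escaped; nl2br() would show a literal <br />.
function renderTextarea(string $raw): string
{
    return '<textarea name="verhaal" rows="12" cols="63">'
        . htmlspecialchars($raw, ENT_QUOTES | ENT_HTML5, 'UTF-8')
        . '</textarea>';
}

// HTML fork 2: displaying the message as a block of text. Escape first, then
// turn the line breaks into <br /> so the enters stay visible.
function renderParagraph(string $raw): string
{
    return '<p>' . nl2br(htmlspecialchars($raw, ENT_QUOTES | ENT_HTML5, 'UTF-8')) . '</p>';
}

// Constructed sample: a form post with two "enters" and an HTML tag in it.
$raw = "input line one\r\ninput line two\r\n<b>input line three</b>";

echo renderTextarea($raw), PHP_EOL;   // newlines kept, <b> comes out as &lt;b&gt;
echo renderParagraph($raw), PHP_EOL;  // <br /> after each line, tag still escaped

// Only with a real connection (placeholder credentials):
// storeMessage(new mysqli('localhost', 'user', 'pass', 'db'), $raw);
```

The stored value never contains backslash sequences, so nothing needs to be stripped when it is read back; each output path escapes the raw text once, for its own context.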