mysql_real_escape_string

Posted: Tue May 18, 2010 10:21 am
by herman101
Hi all, I have a problem with outputting data.

Everything that is posted via $_POST I first secure with the following statement:

$variable = mysql_real_escape_string($variable);

Now I have a form where people can enter text. When something went wrong people do not have to type in all the text again. It is first stored in mysql and then loaded again in the form.

For example it can look like this (enters):
input line one
input line two
input line three

When it is loaded again it is converted into: input line one\r\ninput line two\r\ninput line three. This should not happen. Or it should to make the input safe. But when I echo this I get these \r\n. How can I visualize the output with enters again?

B.r.
Herman

Re: mysql_real_escape_string

Posted: Tue May 18, 2010 10:25 am
by AbraCadaver
Different problem, probably same solution: viewtopic.php?f=1&t=116557

Re: mysql_real_escape_string

Posted: Tue May 18, 2010 11:22 am
by herman101
I tried this but it is not working. An 'enter' gets a \r\n.

Re: mysql_real_escape_string

Posted: Tue May 18, 2010 11:31 am
by AbraCadaver
herman101 wrote:I tried this but it is not working. An 'enter' gets a \r\n.
The \r\n was in the original text that was entered so it is still there. If you actually want to see it in HTML, try nl2br().

Re: mysql_real_escape_string

Posted: Tue May 18, 2010 1:06 pm
by herman101
I think that must work. I plot the text back in a text area like this:


<textarea name="verhaal" rows="12" cols="63">
<?php echo nl2br($message,false); ?>
</textarea>

I need to change it in some place. Can you help with that?

Re: mysql_real_escape_string

Posted: Wed May 19, 2010 6:45 am
by herman101
I got something working :) Keep the mysql_real_escape_string. When I want to put out my $variable I pass it through the stripcslashes function. That works!

Re: mysql_real_escape_string

Posted: Wed May 19, 2010 8:17 am
by AbraCadaver
herman101 wrote:I got something working :) Keep the mysql_real_escape_string. When I want to put out my $variable I pass it through the stripcslashes function. That works!
That was my original post. You need to stripslashes() before you insert.

Re: mysql_real_escape_string

Posted: Wed May 19, 2010 11:58 am
by Mordred
Actually, you need to "split" the variable path through the source, depending on when you plan to use it. For the fork in the road that goes to the database, use mysql_real_escape_string(). For the fork in the road that goes to HTML, escape HTML special chars, nl2br(), etc.
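
The two forks described above, as an added example that is not part of the thread. Assumptions: a PDO bound parameter on an in-memory SQLite database stands in for the database fork (in place of mysql_real_escape_string()), the table name drafts and the helper names for_textarea() and for_paragraph() are hypothetical, and addcslashes() is used only to imitate what SQL escaping does to the sample text.

```php
<?php
// Constructed sample input: three lines, one with markup, one with a quote.
$raw = "input line one\r\ninput <b>line</b> two\r\nit's line three";

// Fork 1: database. The bound parameter keeps the value out of the SQL
// text, so the stored bytes are exactly $raw (assumes pdo_sqlite is loaded).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE drafts (id INTEGER PRIMARY KEY, verhaal TEXT)');
$db->prepare('INSERT INTO drafts (verhaal) VALUES (?)')->execute([$raw]);
$stored = $db->query('SELECT verhaal FROM drafts WHERE id = 1')->fetchColumn();
if ($stored !== $raw) {
    throw new RuntimeException('stored text differs from what was typed');
}

// Fork 2: HTML. Encode at output time, per output context.
function for_textarea(string $s): string
{
    // A textarea shows newlines as typed; only HTML metacharacters are encoded.
    return htmlspecialchars($s, ENT_QUOTES, 'UTF-8');
}

function for_paragraph(string $s): string
{
    // Encode first, then add <br>; the other order would encode the <br> tags.
    return nl2br(for_textarea($s), false);
}

// The symptom from the first post: text escaped for SQL sent to the page.
// addcslashes() imitates the effect of SQL escaping on these characters.
$sqlEscaped = addcslashes($raw, "\r\n'\"\\");

echo "Escaped for SQL, then echoed (literal \\r\\n shows up):\n";
echo $sqlEscaped, "\n\n";

echo "Read back from the database, encoded for a textarea:\n";
echo '<textarea name="verhaal" rows="12" cols="63">',
     for_textarea($stored), "</textarea>\n\n";

echo "Same text, encoded for a paragraph:\n";
echo '<p>', for_paragraph($stored), "</p>\n";
```

The textarea output keeps the real line breaks and shows `<b>` as text, while the paragraph output gets one `<br>` per line break; neither contains backslashes, because SQL escaping never touches the value that goes to the page.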