newline etc (\r\n\r\) characters when editing text area

[chuckylefrek]

I am creating a form to allow a user to edit some text that is stored in the database.

If I enter some text into the text area field such as

Code:

This is paragraph one.

This is paragraph two.

I am experiencing a problem that when I submit the text, the text then appears in the text area field as follows:

Code:

This is paragraph one.\r\n\r\nThis is paragraph two.

I am able to display the text correctly on the publicly viewable page using

Code:

$additionalInfo = nl2br($additionalInfo);

I basically would like the text in the text area to remain as it was after clicking submit and not lose its formatting to be replaced with the \r\n\r\n characters

[Jake Arkinstall]

It's because you are addslashes-ing the input. If you have Magic-Quotes off (Which you should) and use correct escaping techniques on the data (i.e. mysql_real_escape_string for database input), then the output shouldn't need to be stripped.

But a temporary solution would be to echo the stripslashes of the variable into the textbox.

[chuckylefrek]

Don't think I am using addslashes

Here is my code

Code:

$additionalInfo = mysql_real_escape_string($_POST["additionalInfo"]);

magic_quotes_gpc Off Off
magic_quotes_runtime Off Off
magic_quotes_sybase Off Off

[AnthonySterling]

PHP Code:

<?php echo "$additionalInfo"; ?>

or

PHP Code:

<?php
echo str_replace(array('\r', '\n'), array(chr(13), chr(10)), $additionalInfo);
?>

It sounds like the new line and carriage returns are not being interpreted as so.

[chuckylefrek]

Thanks Anthony

The second of your suggestions done the trick!!

[AnthonySterling]

I preferred the 2nd too.

[chuckylefrek]

Guess I now need to use this code on all the editing pages on my site - weird thing is I have never had to do this before but it is a different hosting company this site is on - perhaps that makes a difference!

[Jake Arkinstall]

Yep, in which case it's going to be Magic quotes.

A simpler solution would be to disable it in .htaccess. That way there'd be no reason to edit your pages.

[chuckylefrek]

I thought magic quotes is off

Here are the settings in my php.ini file

magic_quotes_gpc Off Off
magic_quotes_runtime Off Off
magic_quotes_sybase Off Off

[crmalibu]

The value returned from mysql_real_escape_string() is meant to be used for a single purpose only, and that's a database query. You cannot use this specially prepared string for anything else, you're trying to output it into html, which is wrong.

PHP Code:

$only_use_me_in_a_query = mysql_real_escape_string($_POST['foo']);

// bad, string is not suitable for html context
echo "<p>$only_use_me_in_a_query </p>";

// better, string is semi suitable(unmodified), although may not always work as intended if string contains html
echo "<p>$_POST[foo]</p>";

// best, string is properly prepared for html context
echo "<p>" . htmlspecialchars($_POST['foo']) ."</p>"; 


[chuckylefrek]

Sorry for delay in replying - I was away for the day yesterday to London.

Anyway thanks crmalibu - that really helps to know about the mysql_real_escape_string - eep I think I may need to make some changes to quite a few sites

Cheers

Paul

[chuckylefrek]

I have now got the formatting working the way I want it to work. It looks like I will need to make amends to several other sites that I have developed too to deal with formatting like this.

Anyway before I do so, I would appreciate any comments on whether the following is the correct way to do this.

Ensure Magic quotes is off

For my edit page use the following code:

Code:

<?php

if ($_POST["submit"]) { 	

		$accommodationId = $_GET["accommodationId"];		
				
		// ------------------------
		// Get all form data values
		// ------------------------	

		$description = $_POST["description"];

                // -------------------------------------------------------
		// Check if any of the required fields have not been filled in
		// -----------------------------------------------------------	


		if(trim($description)=='') { 

			$arrErrors['description']="Please enter the description of your accommodation<br>";				

		} 


		if (count($arrErrors) == 0) {


			$query = "UPDATE accommodation SET description='" .mysql_real_escape_string($description) . "'
			WHERE id ='" .mysql_real_escape_string($accommodationId) . "'";

			mysql_query($query) or die(mysql_error());
			mysql_close();	


		}


}

Then on the same page in the form area where the user can edit the description have the following:

Code:

<textarea name=description wrap=physical rows=10 cols=47 ><?php echo str_replace(array('\r', '\n'), array(chr(13), chr(10)), $description); ?></textarea>

Finally on the page that I actually display the description as part of a listing the following

Code:

$description = $row->description;
$description = nl2br($description);

All advice much appreciated.

Thanks

Paul

[Jake Arkinstall]

Yeah that's fine.

I would recommend, after that, replacing double breaks (i.e. <br /><br />) with </p><p>.

Also, look into PDO. That would allow you to not even worry about user input on the database level.

[chuckylefrek]

Hey thanks Arkinstall - I will make the change you suggested.

And thanks for the heads up on PDO - never heard about that before