MySQL slashes and nl2br
I am trying to store HTML posted from a textarea into a database. I have a textarea inside a form which I have called "message". The PHP code that processes it is:
    if(isset($_POST['submit'])){
        if(isset($_POST['title']) && isset($_POST['message'])){
            $title = $_POST['title'];
            $message = $_POST['message'];
            if(get_magic_quotes_gpc()){
                $title = stripslashes($title);
                $message = stripslashes($message);
            }
            $title = mysql_real_escape_string($title);
            $message = mysql_real_escape_string($message);
            $q = "INSERT INTO table (title,datetime,text) VALUES ('{$title}',NOW(),'{$message}')";
            $rows_affected = $db->exec($q);
            if($rows_affected > 0){
                echo "<p>Done.</p>";
            } else {
                echo "<p>Failed. </p>";
            }
        }
    }
The problem I am having is then retrieving this and converting newlines to <br />. Here is what I am doing:
    $res = array();
    $order = array("\r\n","\n","\r");
    $replace = '<br />';
    $q = "SELECT title,datetime,text FROM table";
    $res = $db->get_all($q);
    if($res){
        foreach($res as $result){
            $result['title'] = stripslashes($result['title']);
            $result['text'] = str_replace($order, $replace, stripslashes($result['text']));
        }
    }
    echo "<pre>";
    print_r($res);
    echo "</pre>";
I just can't get rid of those pesky \r\n's in the message. I have tried changing $order to

    $order = array("\\r\\n","\\n","\\r");
    // and even
    $order = array("\\\r\\\n","\\\n","\\\r");

but nothing seems to work. Any ideas?
    if ($res = $db->get_all('SELECT title,datetime,text FROM table')){
        foreach ($res as &$result){
            $result['text'] = nl2br($result['text']);
        }
    }
    echo "<pre>";
    print_r($res);
    echo "</pre>";
I did three things:
- Remove the stripslashes. They mustn't be there. The slashes mysql_real_escape_string adds are removed when the query is executed.
- I used the function nl2br for the new lines. Why write something yourself if it's already built in?
- I added a & in front of $result in the foreach loop. If I didn't do this only the shallow copies were modified, not the variables themselves. Thus there wouldn't be any change at all.
For the retrieving of the data you don't need to screw around with str_replace/stripslashes.
    $res = array();
    $q = "SELECT title,datetime,text FROM table";
    $res = $db->get_all($q);
    if($res){
        foreach($res as &$result){
            $result['title'] = $result['title']; // Don't see the reason for stripslashes here
            $result['text'] = nl2br($result['text']);
        }
    }
    echo "<pre>";
    print_r($res);
    echo "</pre>";
Use nl2br to convert your \n to proper HTML line breaks. (Note: If you want to show the text inside of a textarea again, e.g. for editing, you need to output the "text" as-is). The only thing that you would want to do is use strip_tags to prevent HTML from being inserted into your output.
A more usual way of doing what nikic did:

    foreach ($data as $key => $row){
        $data[$key]['text'] = nl2br($row['text']);
    }

You did overwrite your temporary $result variable, while you have to write the modified variable back into the array.
And give our variables sensible names.
Also, consider using htmlspecialchars() if it's user-supplied text.
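An added example, not part of any answer above, that puts the advice from the answers together for output: escape user-supplied text with htmlspecialchars() first, apply nl2br() second, and write the result back into the array by key. The $rows data is constructed sample input standing in for the result of $db->get_all(), and render_text() is a hypothetical helper name.

```php
<?php
// Constructed sample rows, standing in for what $db->get_all() returns.
// The database hands the text back as it was submitted: real CR/LF bytes,
// and no slashes left over from mysql_real_escape_string().
$rows = array(
    array('title' => 'Paths',  'text' => "Saved to C:\\temp\\notes\r\nSecond line"),
    array('title' => 'Markup', 'text' => "<script>alert(1)</script>\nbye"),
);

// Hypothetical helper: escape first, then add line breaks.
function render_text($raw)
{
    // htmlspecialchars() turns user-supplied markup into inert text...
    $safe = htmlspecialchars($raw, ENT_QUOTES, 'UTF-8');
    // ...and nl2br() then inserts <br /> before each \r\n, \n or \r.
    return nl2br($safe);
}

// Write the converted values back by key so the array itself changes.
foreach ($rows as $key => $row) {
    $rows[$key]['title'] = htmlspecialchars($row['title'], ENT_QUOTES, 'UTF-8');
    $rows[$key]['text']  = render_text($row['text']);
}

// For comparison: stripslashes() on stored data removes the legitimate
// backslashes in the path instead of undoing any escaping.
$damaged = stripslashes($rows[0]['title'] . ': ' . "Saved to C:\\temp\\notes");

// For comparison: the reversed order escapes the <br /> tags that nl2br()
// just added, so they show up as literal text in the page.
$wrong_order = htmlspecialchars(nl2br("first\nsecond"), ENT_QUOTES, 'UTF-8');

foreach ($rows as $row) {
    echo $row['title'], ': ', $row['text'], "\n";
}
echo $damaged, "\n";
echo $wrong_order, "\n";
```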