nl2br() And mysql_real_escape_string() Conflict?


Vermillion


I use this function for my markup:

function awingsMarkup($string){
    
    /**
     *
     * The function that will convert Awings Markup Tags (AMTs) to HTML.
     * Awings Markup Tags are the "BBCodes" that generate the HTML for awings. This function does just that.
     *
     * @PACKAGE AwingsCLF
     * @AUTHOR Andrés Ibañez
     * @PARAM string - string that will be transformed into HTML.
     * @RETURN string
     *
     */                                          
    
    
    //Conversion: Markup to HTML.
    $string = preg_replace(BOLD,
                           '<strong>$1</strong>',
                           $string);
    
    $string = preg_replace(ITALICS,
                           '<span style="font-style:italic;">$1</span>',
                           $string);
    
    $string = preg_replace(UNDERLINE,
                           '<span style="text-decoration: underline;">$1</span>',
                           $string);
    
    $string = preg_replace(HEADER1,
                           '<h1>$1</h1>',
                           $string);
    
    $string = preg_replace(HEADER2,
                           '<h2>$1</h2>',
                           $string);
    
    $string = preg_replace(HEADER3,
                           '<h3>$1</h3>',
                           $string);
    
    $string = preg_replace(SIZE,
                           '<span style="font-size: $1em;">$2</span>',
                           $string);
    
    $string = preg_replace(COLOR,
                           '<span style="color: $1;">$2</span>',
                           $string);
    
    $string = preg_replace(IMG,
                           '<img src="$1" />',
                           $string);
    
    $string = preg_replace(LINK,
                           '<a href="$1" target="_blank">$2</a>',
                           $string);
    
    $string = preg_replace(QUOTE,
                           '<blockquote class="quote">$1</blockquote>',
                           $string);
    
    $string = preg_replace(QUOTE_ORIGINATOR,
                           '<blockquote><span style="font-size:12px;"><strong>Quote</strong> $1</span><br /><blockquote class="quote">$2</blockquote></blockquote>', $string);
    
    $string = preg_replace(SUP,
                           '<span style="font-size:xx-small; vertical-align:top;">$1</span>',
                           $string);
    
    $string = preg_replace(SUB,
                           '<span style="font-size:xx-small; vertical-align:bottom;">$1</span>',
                           $string);
    
    $string = preg_replace(STRIKE,
                           '<span style="text-decoration:line-through;">$1</span>',
                           $string);
    
    $string = preg_replace(OVERLINE,
                           '<span style="text-decoration:overline;">$1</span>',
                           $string);
    
    $string = preg_replace(SPOILER,
                           '<script type="text/javascript">document.write(\'<div class="codeContainer"><div class="codeBox"><span style="font-weight: bold;">Spoiler:</span> <span style="color: #808080;">$1 -</span> <input type="button" class="codeToggleButton" value="Show" /><div class="codeContent">--------------------<br />$2</div></div></div>\')</script><noscript><div class="spoilerCont_noJS"><div class="spoilerNoJSTitle"><strong>$1</strong><br />Highlight The box below to read the spoiler.<hr /><div class="spoilerNoJSBody">$2</div></div></div></noscript>',
                           $string);
    
    $string = preg_replace(CODE,
                           '<script type="text/javascript">document.write(\'<div class="codeContainer"><div class="codeBox"><span style="font-weight: bold;">Code:</span> <span style="color: #808080;">$1 -</span> <input type="button" class="codeToggleButton" value="Show" /><div class="codeContent">--------------------<br />$2</div></div></div>\')</script><noscript><div class="codeCont_noJS"><div class="codeNoJSTitle"><strong>$1</strong><br />See the code below:<hr /><div class="codeNoJSBody">$2</div></div></div></noscript>',
                           $string);
    
    $string = nl2br($string);
    return $string;
    
}

Testing if I could escape the string correctly for MySQL input, I tried this:

<?php
$content = $_POST['content'];

$content = mysql_real_escape_string($content);

echo awingsMarkup($content);
?>

And with that, if I input:

This

is a cool

string

I get this:

This\r\nis a cool\r\nstring

If I remove the mysql_real_escape_string(), it works well. But I really don't think I should remove it if that's what people will use to send the data to the database of the forum.

Any help?


mysql_real_escape_string escapes a string for inserting it into a database. The content in the database will be equivalent to the content before it was passed through that function.

nl2br converts new lines into <br> tags.

mysql_real_escape_string should be used when inserting data into a MySQL table.

nl2br should be used when displaying data to the end user (in other words when the data is extracted from a table).


Let's assume I am inserting data and then retrieving it:

<?php
$content = $_POST['content'];

$content = mysql_real_escape_string($content); // inputting
$content = awingsMarkup($content);             // extracting

echo $content;
?>

With that, I get:

This\r\nis a cool\r\nstring

So it's still not working :(.


Okay, I killed my laziness and tested everything with a database. Now, is all this really safe? It looks quite lazy and I don't think I trust this at all:

To insert the data:

<?php
$content = mysql_real_escape_string($_POST['content']);

mysql_query("INSERT INTO bans (ban_id, user_id, forum_id, ban_date, ban_expires, ban_note)
             VALUES ('1', '1', '1', '20000505231111', '20000505231111', '" . $content . "')");
?>

To retrieve the data:

<?php
$string = htmlentities($string);
$string = nl2br($string);
?>

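The pipeline the reply above spells out (escape only on the way into MySQL, nl2br() only on the way out) and the insert/retrieve code in the last post, worked through as an added example that is not code from the thread. It shows why echoing the escaped string prints a literal \r\n, and that what MySQL actually stores equals the original input. It assumes no database connection: escapeForSqlLiteral() and sqlLiteralToStored() are constructed stand-ins for mysql_real_escape_string() and for the server's decoding of the quoted literal.

```php
<?php
// Added example (not code from the thread). It walks the round trip the
// replies describe: escape only while building the SQL literal, let the
// server store the original bytes, and apply htmlspecialchars() + nl2br()
// only at display time. No MySQL server is used: escapeForSqlLiteral() and
// sqlLiteralToStored() are constructed stand-ins for mysql_real_escape_string()
// and for the server's decoding of a quoted literal, so this runs offline.
declare(strict_types=1);

// Same character set that mysql_real_escape_string() escapes, for a
// single-quoted literal in a single-byte or UTF-8 connection charset.
function escapeForSqlLiteral(string $s): string
{
    return strtr($s, [
        "\\" => "\\\\", "'" => "\\'", '"' => '\\"',
        "\n" => "\\n", "\r" => "\\r", "\0" => "\\0", "\x1a" => "\\Z",
    ]);
}

// Stand-in for the server: decode the escapes back into the bytes that are
// actually written to the column. strtr() is single-pass and longest-match
// first, so "\\\\" is consumed before "\\'" and nothing is decoded twice.
function sqlLiteralToStored(string $literal): string
{
    return strtr($literal, [
        "\\\\" => "\\", "\\'" => "'", '\\"' => '"',
        "\\n" => "\n", "\\r" => "\r", "\\0" => "\0", "\\Z" => "\x1a",
    ]);
}

// Display layer: neutralise HTML first, then convert the real newlines.
// Doing it the other way round would escape the <br /> tags nl2br() adds.
function renderForHtml(string $stored): string
{
    return nl2br(htmlspecialchars($stored, ENT_QUOTES, 'UTF-8'));
}

$input   = "This\r\nis a cool\r\nstring <b>with</b> O'Neil";  // constructed POST body
$escaped = escapeForSqlLiteral($input);
$sql     = "INSERT INTO bans (ban_note) VALUES ('$escaped')";
$stored  = sqlLiteralToStored($escaped);

echo "SQL sent      : $sql\n";            // newlines appear as literal \r\n here only
echo "Stored == POST: ", var_export($stored === $input, true), "\n";   // true
echo "nl2br(escaped): ", nl2br($escaped), "\n";   // no real newlines left, so unchanged
echo "nl2br(stored) : ", renderForHtml($stored), "\n";  // <br /> inserted, tags neutralised
```

mysql_real_escape_string() needs an open connection and the whole mysql_* extension was removed in PHP 7, so current code should bind $content as a parameter with PDO or mysqli prepared statements rather than splicing the escaped literal into the query; the display-side order, HTML-escape first and nl2br() second, is the same either way.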
