nl2br() And mysql_real_escape_string() Conflict?


Vermillion

I use this function for my markup:

function awingsMarkup($string){

    /**
     *
     * The function that will convert Awings Markup Tags (AMTs) to HTML.
     * Awings Markup Tags are the "BBCodes" that generate the HTML for awings. This function does just that.
     *
     * @PACKAGE AwingsCLF
     * @AUTHOR Andrés Ibañez
     * @PARAM string - string that will be transformed into HTML.
     * @RETURN string
     *
     */

    // The pattern constants (BOLD, ITALICS, ...) are PCRE patterns defined
    // elsewhere; each captures the tag body as $1 (and a second value as $2
    // where the replacement uses one).
    //Conversion: Markup to HTML.
    $string = preg_replace(BOLD,
                           '<strong>$1</strong>',
                           $string);
    
    $string = preg_replace(ITALICS,
                           '<span style="font-style:italic;">$1</span>',
                           $string);
    
    $string = preg_replace(UNDERLINE,
                           '<span style="text-decoration: underline;">$1</span>',
                           $string);
    
    $string = preg_replace(HEADER1,
                           '<h1>$1</h1>',
                           $string);
    
    $string = preg_replace(HEADER2,
                           '<h2>$1</h2>',
                           $string);
    
    $string = preg_replace(HEADER3,
                           '<h3>$1</h3>',
                           $string);
    
    $string = preg_replace(SIZE,
                           '<span style="font-size: $1em;">$2</span>',
                           $string);
    
    $string = preg_replace(COLOR,
                           '<span style="color: $1;">$2</span>',
                           $string);
    
    // $1 in the IMG and LINK rules is taken straight from the post text;
    // any quote or scheme characters it contains land inside src/href unchanged.
    $string = preg_replace(IMG,
                           '<img src="$1" />',
                           $string);

    $string = preg_replace(LINK,
                           '<a href="$1" target="_blank">$2</a>',
                           $string);
    
    $string = preg_replace(QUOTE,
                           '<blockquote class="quote">$1</blockquote>',
                           $string);
    
    $string = preg_replace(QUOTE_ORIGINATOR,
                           '<blockquote><span style="font-size:12px;"><strong>Quote</strong> $1</span><br /><blockquote class="quote">$2</blockquote></blockquote>', $string);
    
    $string = preg_replace(SUP,
                           '<span style="font-size:xx-small; vertical-align:top;">$1</span>',
                           $string);
    
    $string = preg_replace(SUB,
                           '<span style="font-size:xx-small; vertical-align:bottom;">$1</span>',
                           $string);
    
    $string = preg_replace(STRIKE,
                           '<span style="text-decoration:line-through;">$1</span>',
                           $string);
    
    $string = preg_replace(OVERLINE,
                           '<span style="text-decoration:overline;">$1</span>',
                           $string);
    
    $string = preg_replace(SPOILER,
                           '<script type="text/javascript">document.write(\'<div class="codeContainer"><div class="codeBox"><span style="font-weight: bold;">Spoiler:</span> <span style="color: #808080;">$1 -</span> <input type="button" class="codeToggleButton" value="Show" /><div class="codeContent">--------------------<br />$2</div></div></div>\')</script><noscript><div class="spoilerCont_noJS"><div class="spoilerNoJSTitle"><strong>$1</strong><br />Highlight The box below to read the spoiler.<hr /><div class="spoilerNoJSBody">$2</div></div></div></noscript>',
                           $string);
    
    $string = preg_replace(CODE,
                           '<script type="text/javascript">document.write(\'<div class="codeContainer"><div class="codeBox"><span style="font-weight: bold;">Code:</span> <span style="color: #808080;">$1 -</span> <input type="button" class="codeToggleButton" value="Show" /><div class="codeContent">--------------------<br />$2</div></div></div>\')</script><noscript><div class="codeCont_noJS"><div class="codeNoJSTitle"><strong>$1</strong><br />See the code below:<hr /><div class="codeNoJSBody">$2</div></div></div></noscript>',
                           $string);
    
    $string = nl2br($string);
    return $string;
    
}

Testing if I could escape the string correctly for MySQL input, I tried this:

<?php
$content = $_POST['content'];

$content = mysql_real_escape_string($content);

echo awingsMarkup($content);?>

And with that, if I input:

This
is a cool
string

I get this:

This\r\nis a cool\r\nstring

If I remove the mysql_real_escape_string(), it works well. But I really don't think I should remove it if that's what people will use to send the data to the database of the forum.

Any help?

mysql_real_escape_string escapes a string for inserting it into a database. The content in the database will be equivalent to the content before it was passed through that function.

nl2br converts new lines into <br> tags.

mysql_real_escape_string should be used when inserting data into a MySQL table.

nl2br should be used when displaying data to the end user (in other words when the data is extracted from a table).

Let's assume I am inserting data and then retrieving it:

<?php
$content = $_POST['content'];

$content = mysql_real_escape_string($content); //inputting
$content = awingsMarkup($content); //Extracting

echo $content;?>

With that, I get:

This\r\nis a cool\r\nstring

So it's still not working :(.

Okay, I killed my laziness and tested everything with a database. Now is all this really safe? It looks quite lazy and I don't think I trust this at all:

To insert the data:

<?php
$content = mysql_real_escape_string($_POST['content']);

mysql_query("INSERT INTO bans (ban_id, user_id, forum_id, ban_date, ban_expires, ban_note) VALUES ('1', '1', '1', '20000505231111', '20000505231111', '".$content."')"); ?>

To retrieve the data:

<?php
// $string holds the ban_note value read back from the table
$string = htmlentities($string);
$string = nl2br($string); ?>

Yep, it works very well. Just making sure if it is safe to just use that.

The only thing I don't like is that it does something like this:

This will be<br />
a new line

When I want it to do this:

This will be<br />a new line
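The pipeline the reply above prescribes (escape only for the INSERT, encode and nl2br only at display) and the compact `<br />` output wanted in the last post, as an added example rather than code from the thread. A prepared statement stands in for hand escaping, and an in-memory SQLite table through PDO lets it run without a MySQL server; the `posts` table, the function names and the sample text are constructed for the example.

```php
<?php
// Added example (not from the thread): store a post unmodified, then
// encode it only when it is displayed.  Uses an in-memory SQLite table
// through PDO so it runs without a MySQL server.

// Storage: a prepared statement carries the raw text as a bound value, so
// nothing is escaped by hand and the table keeps the real newlines rather
// than the "\r\n" character pairs mysql_real_escape_string() produces.
function storePost(PDO $db, string $content): int
{
    $stmt = $db->prepare('INSERT INTO posts (content) VALUES (:content)');
    $stmt->execute([':content' => $content]);
    return (int) $db->lastInsertId();
}

function loadPost(PDO $db, int $id): string
{
    $stmt = $db->prepare('SELECT content FROM posts WHERE id = :id');
    $stmt->execute([':id' => $id]);
    return (string) $stmt->fetchColumn();
}

// Display: HTML-encode first so "<", ">", quotes and "&" typed by the user
// become text, then turn newlines into <br />.  Doing nl2br() first and
// encoding afterwards would turn the <br /> tags themselves into text.
function renderPost(string $raw): string
{
    return nl2br(htmlspecialchars($raw, ENT_QUOTES | ENT_HTML5, 'UTF-8'));
}

// Same, but without the newline nl2br() leaves after each <br />, giving
// "This will be<br />a new line" on a single line.
function renderPostCompact(string $raw): string
{
    $safe = htmlspecialchars($raw, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return str_replace(["\r\n", "\r", "\n"], '<br />', $safe);
}

// Constructed sample: the thread's input plus a tag a visitor might type.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE posts (id INTEGER PRIMARY KEY AUTOINCREMENT, content TEXT)');

$post = "This\r\nis a cool\r\n<b>string</b>";
$raw  = loadPost($db, storePost($db, $post));
if ($raw !== $post) {
    throw new RuntimeException('stored text was altered');
}
echo renderPost($raw), "\n";
echo renderPostCompact($raw), "\n";
```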
