Vermillion, March 16, 2009

I use this function for my markup:

```php
<?php
/**
 * The function that will convert Awings Markup Tags (AMTs) to HTML.
 * Awings Markup Tags are the "BBCodes" that generate the HTML for awings.
 * This function does just that.
 *
 * @package AwingsCLF
 * @author  Andrés Ibañez
 * @param   string $string String that will be transformed into HTML.
 * @return  string
 */
function awingsMarkup($string)
{
    // BOLD, ITALICS, ... are the regex pattern constants for each tag,
    // defined elsewhere in the package.
    // Conversion: Markup to HTML.
    $string = preg_replace(BOLD, '<strong>$1</strong>', $string);
    $string = preg_replace(ITALICS, '<span style="font-style:italic;">$1</span>', $string);
    $string = preg_replace(UNDERLINE, '<span style="text-decoration: underline;">$1</span>', $string);
    $string = preg_replace(HEADER1, '<h1>$1</h1>', $string);
    $string = preg_replace(HEADER2, '<h2>$1</h2>', $string);
    $string = preg_replace(HEADER3, '<h3>$1</h3>', $string);
    $string = preg_replace(SIZE, '<span style="font-size: $1em;">$2</span>', $string);
    $string = preg_replace(COLOR, '<span style="color: $1;">$2</span>', $string);
    $string = preg_replace(IMG, '<img src="$1" />', $string);
    $string = preg_replace(LINK, '<a href="$1" target="_blank">$2</a>', $string);
    $string = preg_replace(QUOTE, '<blockquote class="quote">$1</blockquote>', $string);
    $string = preg_replace(QUOTE_ORIGINATOR, '<blockquote><span style="font-size:12px;"><strong>Quote</strong> $1</span><br /><blockquote class="quote">$2</blockquote></blockquote>', $string);
    $string = preg_replace(SUP, '<span style="font-size:xx-small; vertical-align:top;">$1</span>', $string);
    $string = preg_replace(SUB, '<span style="font-size:xx-small; vertical-align:bottom;">$1</span>', $string);
    $string = preg_replace(STRIKE, '<span style="text-decoration:line-through;">$1</span>', $string);
    $string = preg_replace(OVERLINE, '<span style="text-decoration:overline;">$1</span>', $string);
    $string = preg_replace(SPOILER, '<script type="text/javascript">document.write(\'<div class="codeContainer"><div class="codeBox"><span style="font-weight: bold;">Spoiler:</span> <span style="color: #808080;">$1 -</span> <input type="button" class="codeToggleButton" value="Show" /><div class="codeContent">--------------------<br />$2</div></div></div>\')</script><noscript><div class="spoilerCont_noJS"><div class="spoilerNoJSTitle"><strong>$1</strong><br />Highlight The box below to read the spoiler.<hr /><div class="spoilerNoJSBody">$2</div></div></div></noscript>', $string);
    $string = preg_replace(CODE, '<script type="text/javascript">document.write(\'<div class="codeContainer"><div class="codeBox"><span style="font-weight: bold;">Code:</span> <span style="color: #808080;">$1 -</span> <input type="button" class="codeToggleButton" value="Show" /><div class="codeContent">--------------------<br />$2</div></div></div>\')</script><noscript><div class="codeCont_noJS"><div class="codeNoJSTitle"><strong>$1</strong><br />See the code below:<hr /><div class="codeNoJSBody">$2</div></div></div></noscript>', $string);
    $string = nl2br($string);
    return $string;
}
```

Testing whether I could escape the string correctly for MySQL input, I tried this:

```php
<?php
$content = $_POST['content'];
$content = mysql_real_escape_string($content);
echo awingsMarkup($content);
?>
```

And with that, if I input:

```
This
is a cool
string
```

I get this:

```
This\r\nis a cool\r\nstring
```

If I remove the mysql_real_escape_string(), it works well. But I really don't think I should remove it if that's what people will use to send the data to the database of the forum. Any help?
corbin, March 16, 2009

mysql_real_escape_string escapes a string for inserting it into a database. The content in the database will be equivalent to the content before it was passed through that function. nl2br converts new lines into <br> tags.

mysql_real_escape_string should be used when inserting data into a MySQL table. nl2br should be used when displaying data to the end user (in other words, when the data is extracted from a table).
Vermillion (author), March 16, 2009

Let's assume I am inserting data and then retrieving it:

```php
<?php
$content = $_POST['content'];
$content = mysql_real_escape_string($content); // inputting
$content = awingsMarkup($content);             // extracting
echo $content;
?>
```

With that, I get:

```
This\r\nis a cool\r\nstring
```

So it's still not working.
Vermillion (author), March 19, 2009

Ah okay, this is starting to make me sick. I can't find a way to fix it, and it is hurtful ):. Does anyone know of a PHP script that escapes characters just fine, and that makes sure the content is safe to use?
Mchl, March 19, 2009

You did not save the string to the database, nor did you extract it from it. That's why escape characters are displayed in it.
premiso, March 19, 2009

Magic Quotes are most likely on. You should disable them in your php.ini if they are. If they are, they will double-escape your data, which is not kosher.
Vermillion (author), March 21, 2009

Okay, I killed my laziness and tested everything with a database. Now, is all this really safe? It looks quite lazy and I don't think I trust this at all.

To insert the data:

```php
<?php
$content = mysql_real_escape_string($_POST['content']);
mysql_query("INSERT INTO bans (ban_id, user_id, forum_id, ban_date, ban_expires, ban_note)
             VALUES ('1', '1', '1', '20000505231111', '20000505231111', '" . $content . "')");
?>
```

To retrieve the data:

```php
<?php
$string = htmlentities($string);
$string = nl2br($string);
?>
```
rhodesa, March 21, 2009

Yup, that looks good. Does it work as you would expect it to?
Vermillion (author), March 21, 2009

Yep, it works very well. Just making sure it is safe to just use that. The only thing I don't like is that it does something like this:

```html
This will be<br />
a new line
```

When I want it to do this:

```html
This will be<br />a new line
```
Mchl, March 21, 2009

That's how nl2br works. You can make your own function to replace newline characters with the <br /> tag (str_replace).
rhodesa, March 21, 2009

Yup... with str_replace() it's a simple fix:

```php
<?php
$text = "This is some\ntext here";
print str_replace("\n", '', nl2br($text));
?>
```
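Added example, not code from the thread or from any of its posters: the round trip corbin describes (protect the INSERT at the database boundary, encode for HTML only when displaying), with the compact newline handling from the last two posts folded in. The symptom Vermillion saw comes from mysql_real_escape_string() turning CR and LF into the two-character sequences \r and \n; the MySQL server undoes that when it parses the string literal, so the literal text only shows up when the escaped string is echoed without ever passing through the database. The example below avoids the question entirely by binding the value with a PDO prepared statement, so nothing is escaped in PHP at all. The table name bans and the columns user_id and ban_note come from the thread; the reduced schema, the in-memory SQLite backend and the function names openStore, storeNote, loadNote and renderNote are assumptions made so the script runs offline (for MySQL only the DSN changes). Note that awingsMarkup() as posted writes its regex captures straight into href, src and a document.write string, so running it on unencoded input would undo the output encoding shown here; this example handles plain text only.

```php
<?php
declare(strict_types=1);

// Added example (not from the thread). Input side uses a prepared statement,
// output side uses htmlspecialchars() followed by nl2br(). SQLite in memory
// is an assumption so the script runs without a MySQL server.

function openStore(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    // Reduced stand-in for the thread's bans table (assumed schema).
    $db->exec('CREATE TABLE bans (ban_id INTEGER PRIMARY KEY, user_id INTEGER NOT NULL, ban_note TEXT NOT NULL)');
    return $db;
}

// Input side. The raw text is bound as a parameter; no escaping function is
// applied in PHP, so what lands in the table is exactly what was submitted.
function storeNote(PDO $db, int $userId, string $note): int
{
    $stmt = $db->prepare('INSERT INTO bans (user_id, ban_note) VALUES (:uid, :note)');
    $stmt->execute([':uid' => $userId, ':note' => $note]);
    return (int) $db->lastInsertId();
}

function loadNote(PDO $db, int $banId): string
{
    $stmt = $db->prepare('SELECT ban_note FROM bans WHERE ban_id = :id');
    $stmt->execute([':id' => $banId]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? '' : (string) $row['ban_note'];
}

// Output side. Encode for HTML first, then convert newlines; in the other
// order the <br /> tags produced by nl2br() would themselves be encoded.
// $keepNewlines = false gives the compact form asked for in the thread: the
// <br /> stays and the original line-break characters are dropped.
function renderNote(string $note, bool $keepNewlines = true): string
{
    $html = htmlspecialchars($note, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    $html = nl2br($html);
    if (!$keepNewlines) {
        $html = str_replace(["\r\n", "\r", "\n"], '', $html);
    }
    return $html;
}

// Constructed sample input: Windows line endings (the \r\n from the thread),
// a single quote that matters to SQL, and a tag that matters to HTML.
$input = "This\r\nis a cool\r\nstring, isn't it? <script>alert(1)</script>";

$db = openStore();
$id = storeNote($db, 1, $input);
$stored = loadNote($db, $id);

// The round trip is lossless: no added backslashes, no literal \r\n text.
var_dump($stored === $input);

echo renderNote($stored), PHP_EOL;
echo renderNote($stored, false), PHP_EOL;
```

Run it with the PHP CLI (php example.php); the var_dump line prints true because the stored value is byte-for-byte the submitted one, and the two echo lines show the default nl2br() output and the compact form with the original line breaks removed.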