Help with rn (/r/n) displaying in textarea

[mellis95]

I have a textarea displaying data from a mysql table. However, a user discovered today that if they use a carriage return in the textarea, the data comes out with "rn" at the location in the text where the carriage return goes. I have been searching the forums for a while this afternoon and have found quite a few references to this, but have been unable to fix my problem.

 

I am using mysql_real_escape_string before inserting into database (I am not using anything else at insertion time). Is there something else that I should be using at either the insertion into the database or when I display the data? I have tried various combinations of htmlspecialchars() and htmlentities() and nl2br() with no luck.

 

Here is a sample of the output in my textarea:

 

copy diagonal lines and a square with no more than 1/4" overlap or gap at point of closure(modified).rn2.Patient will draw a person ........

Should look like:

copy diagonal lines and a square with no more than 1/4" overlap or gap at point of closure(modified).

2.Patient will draw a person ........

Thanks for the help.

Matt

 

 

[mrMarcus]

try using nl2br at time of insertion:

 

$textarea = nl2br ($_POST['textarea']);

 

this will convert any \r\n into <br />, which is what you are looking for.

 

hope that helps.

[mellis95]

Ok... That works as long as I don't also use mysql_real_escape_string. Am I sacrificing injection protection by doing this?

 

Thanks for the help.

 

Matt

[mrMarcus]

should not matter whether you use mysql_real_escape_string().  there must be another issue at hand.

 

post your insertion code and any other relevant code (form maybe).

[mellis95]

Here is the relevant insertion code: (with mysql_real_escape_string commented out so nl2br will work)

 

$potential=mysql_real_escape_string($_POST['potential']);
//$stg=mysql_real_escape_string($_POST['stg']);
$stg=nl2br ($_POST['stg']);
$dcd=mysql_real_escape_string($_POST['dcd']);
//-----Start Here----------------------------------------------
$update = date('Y-m-d');

$update1="UPDATE tbl_poc SET
aware_d='$aware_d',
aware_p='$aware_p',
problems='$problems',
goals='$goals',
case_conf='$case_conf',
progress='$progress',
t_plan='$t_plan',
frequency='$frequency',
potential='$potential',
dcd='$dcd',
updated='$update',
stg='$stg'
WHERE pocid like $eid";

//die($update1);
if (!mysql_query($update1))
  {
  die('Error2: ' . mysql_error());
  }

 

Here is the display code:

 

<tr><td colspan="3">
<textarea name="stg" rows="2" cols="120"><?php echo STRIPSLASHES(TRIM($formVars["stg"]));?></textarea></td>
</TR>

 

Thanks.

Matt

[oni-kun]

Why are you stripping slashes for output? So you are aware, It is \r\n, the scape for carriage return and newline. If you strip the slashes, it will NOT parse as a new line and will simply display as 'rn'

<tr><td colspan="3">
<textarea name="stg" rows="2" cols="120"><?php echo trim($formVars["stg"]);?></textarea></td>
</TR>

[mrMarcus]

carriage returns are not preserved when sent via form to mysql db, therefore, nl2br is required.

 

what is happening when you use mysql_real_escape_string and nl2br together?

 

try:

 

$stg = mysql_real_escape_string (nl2br ($_POST['']));

 

you were overwriting the $stg variable the way you were doing it.

[trq]

Your data should be stored in its raw state, only applying nl2br on the data when you need to display it.

[mellis95]

carriage returns are not preserved when sent via form to mysql db, therefore, nl2br is required.

 

what is happening when you use mysql_real_escape_string and nl2br together?

 

try:

 

$stg = mysql_real_escape_string (nl2br ($_POST['']));

you were overwriting the $stg variable the way you were doing it.

when I try that I get the following output in the textarea:

1.rn2.rn3.rn

 

Where it should be:

1.

2.

3.

 

Why are you stripping slashes for output? So you are aware, It is \r\n, the scape for carriage return and newline. If you strip the slashes, it will NOT parse as a new line and will simply display as 'rn'

I was stripping the slashes because I had an earlier problem where it was displaying slashes everywhere I had ' or " .

 

Thanks for the help.

 

Matt

[mellis95]

Your data should be stored in its raw state, only applying nl2br on the data when you need to display it.

 

OK, I tried this:

removed nl2br() from insert, changed display code to:

<textarea name="stg" rows="2" cols="120"><?php echo nl2br(TRIM($formVars["stg"]));?></textarea></td>

 

Now I get the following output in the textarea:

 

1.\r\n2.\r\n3.\r\n

 

Matt

[trq]

That doesn't make much sense, newlines should be invisible. How are they being created?

[mellis95]

That doesn't make much sense, newlines should be invisible. How are they being created?

 

I am not creating them on purpose. The users are trying to create a numbered list by simply pressing the "Enter" key on the keyboard, something that I didn't plan for when I wrote the app. If I knew that the numbered list would be the same every time, I would accomodate it with multiple fields, but that is not an option for this application.

 

Thanks,

Matt

[trq]

Users hitting enter will not create the text \r\n within your data.

[mellis95]

Users hitting enter will not create the text \r\n within your data.

 

If that is true, then I have no idea how it is getting there. Here is what I have going in to the DB:

 

input box:

<tr><td colspan="3">
<textarea name="stg" rows="2" cols="120"><?php echo STRIPSLASHES(TRIM($formVars["stg"]));?></textarea>
</TR>

 

form submission/insert:

$stg = mysql_real_escape_string($_POST['stg']);
$update1="UPDATE tbl_poc SET
aware_d='$aware_d',
aware_p='$aware_p',
problems='$problems',
goals='$goals',
case_conf='$case_conf',
progress='$progress',
t_plan='$t_plan',
frequency='$frequency',
potential='$potential',
dcd='$dcd',
updated='$update',
stg='$stg'
WHERE pocid like $eid";

 

the field in question from "Show Create Table":

`stg` text,

 

The query that pulls the data for display:

$getter="SELECT patient_id, id, eval_id, pocid, poc_date, aware_d, aware_p, case_conf, problems, goals, stg, progress, t_plan, frequency, potential, dcd FROM tbl_poc WHERE pocid like $eid";
if (!mysql_query($getter))
{
  die('Error1: ' . mysql_error());
  }
$p1r = mysql_query($getter);
$formVars=mysql_fetch_array($p1r)

 

Where could it be adding "\r\n"???

 

Thanks for the help.

Matt

[PHP_Idiot]

Thanks for the thread guys, it helped me solve my own issue using nl2br!

[Anti-Moronic]

I had exactly the same issue before. When using mysql_real_escape_string from posted data, then using that to populate a textarea (say if there were an error), all the new lines would be displayed as (\r\n).

 

The problem is, you shouldn't be doing mysql_real_escape string until the data is being inserted into the database. So if you have to post this back to the page, use striptags or clean it some other way. Try to use the $_POST array instead of running it through loads of functions.

 

Then, when the data is to be inserted into the database, you can properly escape it.

[khr2003]

This problem because of two php functions conflicting. If "magic_quotes_gpc" is enables (assuming that you are using php version less than 5.3.0) then you should not use mysql_real_esacpe_string when inserting data into database.

you can use this code to over come this issue:

 

            if(!get_magic_quotes_gpc())
		{
            $text= mysql_real_escape_string($text);
		}

[SMOKEY_TEK]

I'm gonna assume you would have to do the following below:

 

$stg = mysql_real_escape_string(str_replace("rn", "<br>", $_POST['stg']));

If your displaying $stg on a page that's including "BBCode" then you would change "<br>" to

[br]

Hope this helps your problem.