Jump to content

How to avoid echoing the line break symbol in htmlentities..?

bugzy

By bugzy
in PHP Coding Help

 Share

Recommended Posts

bugzy Regular Member

bugzy

Posted
Posted

For some weird reason I needed to use htmlentities on my textarea because I'm having a conflict on retrieving images..

 

If I remove the htmlentities..

 

I get this line

 

<img src="/\"/shop/images/page_images/cheap-bridesmaid-dress-thumb.png\"" alt="\"\"" />

 

instead of this

 

<img src="/shop/images/page_images/cheap-bridesmaid-dress-thumb.png" alt="" />

 

 

When I use htmlentities I have no problem at all except for that, it's echoing out linebreak symbol..

 

like this

\r\n



\r\n



\r\n

 

 

 

Any idea how can I fix this guys?

Link to comment
Share on other sites
DavidAM Member

DavidAM

Posted
Posted 

$page_content = me_mysql_prep(htmlspecialchars($_POST['page_content']));

 

Why are you calling me_mysql_prep to send data to the browser? Either that function is for preparing data to send to the database or it is woefully misnamed. You do not ... let me say it again ... you do not need or want to perform database escapes on page content. If you do, you end up displaying carriage-returns and stuff that you don't want to see.

Link to comment
Share on other sites
bugzy Regular Member

bugzy

Posted
  • Author
Posted 

$page_content = me_mysql_prep(htmlspecialchars($_POST['page_content']));

 

Why are you calling me_mysql_prep to send data to the browser? Either that function is for preparing data to send to the database or it is woefully misnamed. You do not ... let me say it again ... you do not need or want to perform database escapes on page content. If you do, you end up displaying carriage-returns and stuff that you don't want to see.

 

me_mysql_prep is a function on where mysql_real_escape_string is located... I thought every users' input that will be sent to the database needed to be secured?  :confused:

Link to comment
Share on other sites
bugzy Regular Member

bugzy

Posted
  • Author
Posted

It does, but it's not used for displaying back to the user.

 

scoostah so it needs to be separated?

 

Because I also uses $page_content to sent back data if the user failed the validation and if he go pass through the validation then it will also be the one to  be sent on the database..

Link to comment
Share on other sites
bugzy Regular Member

bugzy

Posted
  • Author
Posted

Escape it when it goes to the database. If you are displaying it back to the user, it doesn't need to be escaped.

 

You still need to be running htmlentities() or htmlspecialchars() for displaying though, to prevent XSS attacks.

 

Thanks scootstah and DavidAM. That was indeed the reason why I am getting those line breaks!

 

 

Thanks again :)

Link to comment
Share on other sites
This thread is more than a year old. Please don't revive it unless you have something important to add.

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Restore formatting

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
 Share
Go to topic listing
×
×
  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.