
The Dreaded \r\n\r\n


dpiearcy


Ok. This one MIGHT get a bit confusing as to what I'm doing but I'll try to explain the best I can. I have one variable $request.

 

When they submit the form...

$request = mysqli_real_escape_string($myConnection, $request);

 

Works as advertised and I get rid of the ' with no /.

 

When I display the var this:

 

$request = nl2br($request); 

 

Does as it's supposed to and I have carriage returns looking like they were submitted.

 

Here's where it gets tricky. I am running this through an admin to approve before it hits the board (for obvious spam reasons). When displayed in the email it displays just as it should but I'm putting that var in a form so the admin can hit approve or delete or make changes from their email without going to the web page. Displays fine in the form as it should.

 

After the admin hits approve I then will write it to the database and as I said, it displays fine. Using the exact same var as I just wrote to the database without calling for it again since I'm still on the same page just further down the script I am email blasting that information to people who have asked to be emailed when a new request arrives.

 

Here is how it displays in that email:

 

This doesn\'t work. Now return.\r\n\r\nTwo returns to double space.

I am sending that to them with the

 

value=' .$request. '

 

Since it is displaying correctly everywhere else and it's the exact same information as I just wrote to the database, what do I need to do to get rid of this?

 

Trim?

 

I've tried changing the name of the var and adding another nl2br, but I'm not even escaping the slashes, as you can see, just in the mail I'm sending for the blast, even though in the email I just sent the admin it displayed perfectly.

 

Has to be something about the way it's sending it back from the admin approve form. But then it writes correctly to the database so it has me puzzled.

 

Someone want to point me in the right direction of where to start looking? Thinking about doing an echo of just that from the admin email to see what comes out. Probably as good a place as any.

 

I'd post the whole code but trust me, that's a lot of reading on your part and I'd rather just find it if someone can point me toward it that would be fine.

 

Thanks all! Always a help!


And I AM rethinking the whole approve via email route as well since there's no way for them to be logged on as admin via email. So sort of thinking of scrapping that whole plan anyway. Sometimes convenience isn't worth the risk of hack. Thinking I may just send the request and a link to log on to the admin area where they would then have to give password etc. to approve or delete.

 

So this all may be a moot point anyway, but for future reference let's say :-)


Quick reply to address the core issue. ;)

 

The main problem is that you're escaping the data for use in SQL-output immediately upon retrieval, instead of validating the input (as you should have done).

Output escaping should only be done immediately before sending the data to a third party system, or a string that's only going to be used for the third party system's input. Also, the method used for output escaping depends upon what kind of data you want to escape, and the third party system you're sending it to. String data for MySQL requires mysql_real_escape_string () (or prepared statements), string data for HTML requires htmlspecialchars () (unless you actually want to have HTML content). Numerical data for each requires type casting into the proper numerical format.

 

So, the proper place to use mres() is when you construct the SQL query. Not before.

// Retrieve and validate the input. validate() stands for the application's
// own validation routine (length, allowed characters, required fields, etc.).
if (!$data = validate ($_POST['input'])) {
   // Add user error about failed validation, and show form anew.
}

// Construct the SQL query, and escape the user-submitted data only here,
// for this one consumer. $db is assumed to be a mysqli connection.
$sql = "INSERT INTO `table` (`field`) VALUES ('%s')";
$sql = sprintf ($sql, $db->real_escape_string ($data));

// Show the data to the screen, and escape to prevent HTML-injections.
// $template stands for whatever view layer renders the page.
$template->input = htmlspecialchars ($data);

 

Hopefully that helps to clear up the confusion? :)

Edited by Christian F.

This line is your problem

$request = nl2br($request); 

You have now added <br> tags to the string and the \n chars are also retained

 

When you store and redisplay you then get further <br> tags added to those already there

 

Instead of the above code you should

 

echo nl2br($request);

Edited by Barand
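The two replies above describe the same mechanism from two sides: escaping for MySQL at input time leaves the escape backslashes inside the data for every consumer that is not a SQL parser (which is exactly where the literal \' and \r\n in the blast e-mail come from), and nl2br() keeps the original newlines, so applying it before storage and again at display doubles the <br /> tags. The script below is an added example written for this thread, not code from the original posts. It assumes two stand-ins: mysqli_real_escape_string() needs a live connection, so mres_like() applies the same character substitutions the PHP manual lists for it, and a PDO in-memory SQLite database takes the place of the MySQL table (prepared statements bind values the same way in mysqli). The sample submission is constructed.

```php
<?php
// Added example for the thread above; not code from the original posts.
// Demonstrates (1) why escaping on receipt corrupts every non-SQL output,
// and (2) why nl2br() must be applied once, at display time only.

declare(strict_types=1);

// Stand-in for mysqli_real_escape_string(): the same substitutions the
// manual documents (NUL, \n, \r, \, ', ", Ctrl-Z). Real code would call the
// real function, but only inside the SQL-building step, or use bind_param().
function mres_like(string $s): string
{
    return strtr($s, [
        "\0"   => '\\0',
        "\n"   => '\\n',
        "\r"   => '\\r',
        "\\"   => '\\\\',
        "'"    => "\\'",
        '"'    => '\\"',
        "\x1a" => '\\Z',
    ]);
}

// Store a value with a bound parameter and read it straight back.
// PDO + SQLite stands in for the mysqli table (assumption for this example).
function store_and_fetch(PDO $db, string $value): string
{
    $db->exec('CREATE TABLE IF NOT EXISTS requests (id INTEGER PRIMARY KEY, body TEXT NOT NULL)');
    $ins = $db->prepare('INSERT INTO requests (body) VALUES (:body)');
    $ins->execute([':body' => $value]);
    $sel = $db->prepare('SELECT body FROM requests WHERE id = :id');
    $sel->execute([':id' => $db->lastInsertId()]);
    return (string) $sel->fetchColumn();
}

// Constructed sample submission, as a browser posts a textarea (CRLF line ends).
$submitted = "This doesn't work. Now return.\r\n\r\nTwo returns to double space.";

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

// --- Wrong: escape on receipt, then bind the already-escaped value. ---
// Nothing ever un-escapes it, so the backslashes are now part of the data
// and follow it into the table, the approval form and the blast e-mail.
$wrong = store_and_fetch($db, mres_like($submitted));
// $wrong is: This doesn\'t work. Now return.\r\n\r\nTwo returns to double space.

// --- Right: bind the raw value; escape separately at each output boundary. ---
$right = store_and_fetch($db, $submitted);
assert($right === $submitted);   // round-trips byte for byte, newlines intact

// HTML page: neutralise markup first, then turn newlines into <br />.
$html = nl2br(htmlspecialchars($right, ENT_QUOTES | ENT_HTML5, 'UTF-8'));

// Approval form: a hidden field keeps newlines in its value (a text input
// would strip them), and htmlspecialchars() is the right escape here too.
$field = '<input type="hidden" name="request" value="'
       . htmlspecialchars($right, ENT_QUOTES | ENT_HTML5, 'UTF-8') . '">';

// Plain-text e-mail: no escaping at all; the raw newlines are what you want.
$mailBody = $right;

// --- Barand's point: nl2br() keeps the \n, so a second pass doubles the tags. ---
$once  = nl2br("a\nb");   // "a<br />\nb"
$twice = nl2br($once);    // "a<br /><br />\nb"  (stored once, displayed once more)

printf("wrong path: %s\n\n", $wrong);
printf("html: %s\n\n", $html);
printf("hidden field: %s\n\n", $field);
printf("once: %s\ntwice: %s\n", json_encode($once), json_encode($twice));
```

Run it with `php example.php`. The first line printed is the string from the blast e-mail in the original post, reproduced from nothing but an escape applied too early; the rest shows the same submission kept raw in storage and escaped differently for the page, for the form field and for the e-mail body. The check to carry back to the real script is the one Christian F. gives: the only place mysqli_real_escape_string() (or, better, a bound parameter) belongs is the line that builds the query, and nl2br() belongs only on the echo.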

This line is your problem

$request = nl2br($request); 

You have now added <br> tags to the string and the \n chars are also retained

 

When you store and redisplay you then get further <br> tags added to those already there

 

Instead of the above code you should

 

echo nl2br($request);

 

Thanks! All makes sense to me.

 

I have, in the end, decided to scrap the admin by email feature because of security concerns. But I needed to know this information for future use.

 

As always, thanks Barand.

