Problem with linebreaks when using textarea and MySql

[Zombay]

Hello! I run into this simple problem and couldn't find any solutions from web, so I came here to ask you guys

 

I don't understand what happens to linebreaks when I post textarea and save value to Mysql...

 

Btw, I notided that linebreaks works properly if I don't use mysqli_real_escape_string, but I like to keep script as secure as possible...

 

If I input this in to textarea:

row1

row2

 

row4

 

row6

 

 

I get this in textarea and html-code:

1\r\n2\r\n3\r\n4\r\n5

 

 

This is how I try to do it:

<?

//>>> Connect to Mysql

// Secure $_POST -data
$_POST['mytext'] = mysqli_real_escape_string($db, $_POST['mytext']);


// Insert to Mysql
mysqli_query($db, "INSERT INTO mysql_table (mytext) VALUES ('$_POST[mytext]')");

// Get data from Mysql
$query = mysqli_query($db, "SELECT mytext FROM mysql_table';");
$row = mysqli_fetch_array($query);
mysqli_free_result($query);

?>

<textarea name="mytext"><? print $row['mytext']; ?></textarea>

<?

// nl2br function
$row['mytext'] = nl2br($row['mytext']);

// print text
echo $row['mytext']; 

?>

 

[Pikachu2000]

Is magic_quotes_gpc() on in your php.ini file, perchance?

[Zombay]

I use Xampp with default settings

 

This is what I found in php.ini;

 

; magic_quotes_gpc

;  Default Value: On

;  Development Value: Off

;  Production Value: Off

 

[Pikachu2000]

That doesn't really tell you what its actually doing. What does phpinfo(); show the value to be?

[Zombay]

Ahh.. sorry, man! It's off.

 

magic_quotes_gpc Off Off

magic_quotes_runtime Off Off

magic_quotes_sybase Off Off

[Zombay]

I have now read about hundred different websites and nobody knows solution! 

Almost every website uses textarea (including this one) So why it's so difficult to find this simple script?

[Pikachu2000]

I don't see as where there should be a problem with it, but when I get a few extra minutes I'll insert some sample data and test it.

[Zombay]

I don't see as where there should be a problem with it, but when I get a few extra minutes I'll insert some sample data and test it.

 

Thanks a lot!

[Pikachu2000]

It isn't giving me any problems at all. Is that your actual code?

[Zombay]

Aaaarrggh! Auts, man! You got it! I was wondering there is something weird about this.. There was foreach $_POST values with mysqli_real_escape_string() in the beginning of code, so i used mysqli_real_escape_string() twice.... I'm terrible sorry I wasted your time!

 

Btw, do you think it's secure enought if I just add htmlspecialchars() before printing?

$row['mytext'] = htmlspecialchars($row['mytext'], ENT_QUOTES);

 

 

[Pikachu2000]

If you're echoing it back into the <textarea>, I would just echo it as is. Anywhere else in the markup, yes htmlspecialchars() should be fine.

[Zombay]

Yes, but then if user post's html-code in textarea it will messup the site... But thank you very much, man! This was a big help!

[Pikachu2000]

HTML markup is just rendered as-is in a text area. Give it a try and see.

[Zombay]

hmm.. if I type example <textarea> in textarea and post it, I get two textarea's on the page...

[Pikachu2000]

Ya know, it seems to be browser-dependent. I was just testing it out, and in Safari it just spits the raw markup back into the textarea like I'm used to. In FF, the closing </textarea> tag is truncated, so it seems something I though worked across the board actually doesn't.