ricky spires Posted February 23, 2011 Share Posted February 23, 2011 hello . i have a comments box on my site that doing some strange things. if i type anything in and press enter it adds more characters. http://www.grosvenorassociates.com/contact.php for example if i type 1 2 3 4 5 6 and press submit, i get 1\r\n2\r\n3\r\n4\r\n5\r\n6 if i type a b c d e f i get a\r\nb\r\nc\r\nd\r\ne\r\nf this is the code im using: <textarea name="comments" type="text" class="textarea" value="<?PHP echo $comments; ?>"/><?PHP echo nl2br($comments) ?></textarea> i ideas whats doing this and how to fix it ? thanks rick Quote Link to comment Share on other sites More sharing options...
ansharma Posted February 23, 2011 Share Posted February 23, 2011 $string = " 1\r\n2\r\n3\r\n4\r\n5\r\n6"; str_replace("\r\n","<br />",$string) Quote Link to comment Share on other sites More sharing options...
cyberRobot Posted February 23, 2011 Share Posted February 23, 2011 Or nl2br() http://php.net/manual/en/function.nl2br.php Quote Link to comment Share on other sites More sharing options...
PFMaBiSmAd Posted February 23, 2011 Share Posted February 23, 2011 ideas whats doing this Php and/or your code is escaping the data too many times. It would help if you posted your code. Quote Link to comment Share on other sites More sharing options...
Pikachu2000 Posted February 23, 2011 Share Posted February 23, 2011 Textarea tags do not get a trailing . . . /> slash regardless of the doctype; they are explicitly closed with the </textarea> tag. They also do not get a value= attribute, that is derived from the value between <textarea> and </textarea>. You don't echo text into a <textarea> using nl2br unless you actually want the <br> tags to be a visible part of the text. Is magic_quotes_gpc() on in your php.ini? That could cause the symptoms you're seeing. Quote Link to comment Share on other sites More sharing options...
ricky spires Posted February 23, 2011 Author Share Posted February 23, 2011 hello, thankyou all for your replies. i have tried the suggestions but not having much luck. Pikachu2000 Is magic_quotes_gpc() on in your php.ini? That could cause the symptoms you're seeing. these are how my magic quotes settings look like. ; Magic quotes ; ; Magic quotes for incoming GET/POST/Cookie data. magic_quotes_gpc = On ; Magic quotes for runtime-generated data, e.g. data from SQL, from exec(), etc. magic_quotes_runtime = Off ; Use Sybase-style magic quotes (escape ' with '' instead of \'). magic_quotes_sybase = Off this is the text area code now <textarea name="comments" type="text" class="textarea"><?PHP echo htmlentities($comments) ?></textarea> some one suggested i try htmlentities but that didn't work either. at the top of my page i have the following code: $comments = addslashes($_POST['comments']); $comments = mysql_real_escape_string($comments); THIS IS THE WHOLE PAGE <?PHP session_start(); $admin_id = $_SESSION['Admin_id']; $level = $_SESSION['level']; $Aname = $_SESSION['Aname']; include("dbconnect.php"); include("functions/includes.php"); $page = "contact"; ?> <?PHP if (isset($_POST['submit'])){ if ($_POST['Fname']==''){ $star1 = '<span class="redStar">*</span>'; } if ($_POST['Cname']==''){ $star2 = '<span class="redStar">*</span>'; } if ($_POST['Tele']==''){ $star3 = '<span class="redStar">*</span>'; } if ($_POST['email']==''){ $star4 = '<span class="redStar">*</span>'; } if ($_POST['howHeard']=='How you heard about us'){ $star5 = '<span class="redStar">*</span>'; } if ($_POST['event_type']=='Please select an Event Type'){ $star6 = '<span class="redStar">*</span>'; } if ($_POST['comments']==''){ $star7 = '<span class="redStar">*</span>'; } $format = '0'; if ($_POST['Fname']=='' || $_POST['Cname']=='' || $_POST['Tele']=='' || $_POST['email']=='' || $_POST['howHeard']=='How you heard about us' || $_POST['event_type']=='Please select an Event Type' || $_POST['comments']==''){ $error = '<span class="error">All areas marked with * must be completed<br/></span>'; $format='1'; } // end if post if (email_val_lower_e($_POST['email'])) { } else { $error .= '<br/><span class="error"> '. $_POST['email'] .' is not a valid email address.<br/></span>'; $format='1'; $star4 = '<span class="redStar">*</span>'; } if (telephone($_POST['Tele'])) { } else { $error .= '<br/><span class="error"> '. $_POST['Tele'] .' is not a valid Number.<br/></span>'; $format='1'; $star3 = '<span class="redStar">*</span>'; } if($format=='0'){ $Fname = addslashes($_POST['Fname']); $Cname = addslashes($_POST['Cname']); $Tele = addslashes($_POST['Tele']); $email = addslashes($_POST['email']); $howHeard = addslashes($_POST['howHeard']); $event_type = addslashes($_POST['event_type']); $comments = addslashes($_POST['comments']); $Fname = mysql_real_escape_string($Fname); $Cname = mysql_real_escape_string($Cname); $Tele = mysql_real_escape_string($Tele); $email = mysql_real_escape_string($email); $comments = mysql_real_escape_string($comments); // DATE & TIME ADDED $date = date('Y-m-d'); $DT = date("m/d/Y H:i:s"); $exlodeDT = explode(" ", $DT); $date = $exlodeDT[0]; $time = $exlodeDT[1]; $sql = "INSERT INTO contacts (Fname, Cname, Tele, email, howHeard, event_type, date, comments) VALUES ('$Fname', '$Cname','$Tele','$email','$howHeard','$event_type' ,'$date' ,'$comments')"; $query = mysql_query($sql) or die ("80 - insert into contacts" .mysql_error()); if($query){ $M_email = "admin@grosvenorassociates.com"; $M_email1 = "spires1@mail.com"; $title = 'IMPORTANT - New Contact Enquiry'; $sent1 = mail($M_email, ''.$title.'', '<html><body>Hi<br><br> You have a contact request from the Grosvenor Associates website. <br><br> Here are the details. <br><br> Date - '.stripslashes($date).'<br><br> Name - '.stripslashes($Fname).'<br> Company Name - '.stripslashes($Cname).'<br> Telephone - '.stripslashes($Tele).'<br> Email - '.stripslashes($email).'<br> How They Heard About Us - '.stripslashes($howHeard).'<br> Events Interested in - '.stripslashes($event_type).'<br> Comments - '.stripslashes($comments).'<br><br> <br><br><br> </body></html>', "From: Grosvenor Associates Contact\n" . "MIME-Version: 1.0\n" . "Content-type: text/html; charset=iso-8859-1"); if($sent1){ $error = '<br><br><span class="error">Your details have been submitted</span><br><br>'; } // end if sent } // end if query }else{ // end if format $Fname = $_POST['Fname']; $Cname = $_POST['Cname']; $Tele = $_POST['Tele']; $email = $_POST['email']; $howHeard = $_POST['howHeard']; $event_type = $_POST['event_type']; $comments = $_POST['comments']; $Fname = mysql_real_escape_string($Fname); $Cname = mysql_real_escape_string($Cname); $Tele = mysql_real_escape_string($Tele); $email = mysql_real_escape_string($email); $comments = mysql_real_escape_string($comments); } // end else } // end if submit ?> <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content-Type" content="text/html; charset=utf-8" /> <title>Grosvenor Associates</title> <meta name="keywords" content="Grosvenor AssociatesL" /> <meta name="description" content="Grosvenor Associates" /> <link href="style.css" rel="stylesheet" type="text/css" /> <script type="text/javascript" src="http://code.jquery.com/jquery-1.4.2.min.js"></script> <script language="javascript" type="text/javascript"> <!-- $(function(){ $('#menu li.add_submenu .menu_item').mouseenter(function(){ $('.drop_menu_space').stop().slideDown(300); }); $('#menu li.add_submenu').mouseleave(function(){ $('.drop_menu_space').stop().slideUp(300); }); }); //--> </script> </head> <body> <!-- start of header --> <div id="header_wrapper"> <?PHP mainheader($page) ;?> </div> <!-- end of header wrapper --> <!-- start content --> <!-- start content --> <div id="content_wrapper"> <div id="content"> <div id="content-inner"> <!-- start of inner top Left --> <div id="inner"> <span class="big_gold"><br /> Contact Grosvenor Associates</span> <br /> <hr /> <br /> <br /> <span class='verdana_18_dark'>Please contact us in absolute confidence to discuss your current situation and <br /> any aspects of Business Succession Planning.</span><br /><br /> <div id="quoteBox"> <div class="quoteForm"> <form name="Form" method="post" action="<?PHP echo $_SERVER['PHP_SELF']; ?>" > <input name="submit" type="hidden" value="submit" /> <tr> <td width="143"><span class="input_title"><?PHP if ($star1) { echo $star1; } else { echo'<span class="Star">*</span>'; } ?>Full Name</span> <input name="Fname" type="text" class="input" value="<?PHP echo $Fname; ?>"/> </td> </tr> <br /> <tr> <td width="143"><span class="input_title"><?PHP if ($star2) { echo $star2; } else { echo'<span class="Star">*</span>'; } ?>Company Name</span> <input name="Cname" type="text" class="input" value="<?PHP echo $Cname; ?>"/> </td> </tr> <br /> <tr> <td width="143"><span class="input_title"><?PHP if ($star3) { echo $star3; } else { echo'<span class="Star">*</span>'; } ?>Your Telephone:</span> <input name="Tele" type="text" class="input" value="<?PHP echo $Tele; ?>"/> </td> </tr> <br /> <tr> <td width="143"><span class="input_title"><?PHP if ($star4) { echo $star4; } else { echo'<span class="Star">*</span>'; } ?>Your Email:</span> <input name="email" type="text" class="input" value="<?PHP echo $email; ?>"/> </td> </tr> <br /> <tr> <td width="143"><span class="input_title"><?PHP if ($star5) { echo $star5; } else { echo'<span class="Star">*</span>'; } ?>How you heard about us</span> <select name="howHeard" style="width:200px" class="dropdown"> <?PHP if ($_POST['howHeard']) { echo '<option value="'.$_POST['howHeard'].'">'.$_POST['howHeard'].'</option> <option value="How you heard about us">------</option>'; } else { echo '<option value="How you heard about us">How you heard about us</option>'; } ?> <option name="howHeard" value="internet" />Internet</option> <option name="howHeard" value="word of mouth" />Word of Mouth</option> <option name="howHeard" value="news pages" />News Pages</option> <option name="howHeard" value="you tube" />You Tube</option> <option name="howHeard" value="google ad" />Google Ad</option> </select> </td> </tr> <br /> <tr> <td width="143"><span class="input_title"><?PHP if ($star6) { echo $star6; } else { echo'<span class="Star">*</span>'; } ?>Events Interested in</span> <select name="event_type" style="width:200px" class="dropdown"> <?PHP if ($_POST['event_type']) { echo '<option value="'.$_POST['event_type'].'">'.$_POST['event_type'].'</option> <option value="Please select an Event Type">------</option>'; } else { echo '<option value="Please select an Event Type">Please select an Event Type</option>'; } ?> <?PHP $query1 = "SELECT * FROM eventCats"; $result1 = mysql_query($query1) or die ("query 1 failed"); $count1 = mysql_num_rows($result1); for ($i = 0; $i < $count1; $i++) { $row1 = mysql_fetch_array($result1); $Etype = $row1['Etype']; echo '<option value="'.$Etype.'">'.$Etype.'</option>'; } ?> </select> </td> </tr> <br /> <tr> <td width="143"><span class="input_title"><?PHP if ($star7) { echo $star7; } else { echo'<span class="Star">*</span>'; } ?>Your Comments</span> <textarea name="comments" type="text" class="textarea"><?PHP echo htmlentities($comments) ?></textarea> </td> </tr> <br /> <tr> <td width="143"> <div align="right"> <input type="image" src="images/submitButton.jpg" value="Submit" class="submit" alt="quote_form" width="97" height="33" vspace="20" /> </div> </td> </tr> </form> <?PHP if ($error) { echo $error; }?> </div> <!-- end of quote form --> <table width="100%" border="0" align="left" cellpadding="2"> <tr> <td align="left" valign="middle"><span class="verdana_18_dark">Telephone: </span></td> <td align="left" valign="middle"><span class="med_golden">0207 117 60 60</span> <span class="verdana_12_light">(standard local rates apply)</span> </td> </tr> <tr> <td align="left" valign="middle"><span class="verdana_18_dark">Email:</span></td> <td align="left" valign="middle"><span class="med_golden">info@grosvenorassociates.com</span> </td> </tr> <tr> <td align="left" valign="top"><span class="verdana_18_dark">Address: </span></td> <td align="left" valign="top"><span class="med_golden">Grosvenor Associates 123 Pall Mall, London, SW1Y 5EA</span> </td> </tr> </table> </div> <!-- end of quoteBox --> </div> <!-- end of inner top --> <div id="clear_base"></div> <!-- clear base --> </div><!-- end of inner bottom --> </div> <!-- end of content-inner --> </div> <!-- end of content --> </div> <!-- end of content_wrapper --> <!-- end content --> <?PHP main_footer($admin_id) ;?> </body> </html> Quote Link to comment Share on other sites More sharing options...
kenrbnsn Posted February 23, 2011 Share Posted February 23, 2011 Don't use both addslashes and mysql_real_escape_string, you're double escaping everything. In fact, since magic quotes are on, you're triple escaping everything. mysql_real_escape_string should only be used when you are using the values with a mysql function, not in general. Also, since magic quotes are enabled, you should apply stringslashes before using mysql_real_escape_string. Ken Quote Link to comment Share on other sites More sharing options...
cyberRobot Posted February 23, 2011 Share Posted February 23, 2011 ... you should apply stringslashes before using... That should probably be stripslashes Quote Link to comment Share on other sites More sharing options...
ricky spires Posted February 24, 2011 Author Share Posted February 24, 2011 FIXED IT that was it. thanks everyone. i just removed all the mysql_real_escape_string(), and it worked fine. thanks alot rick Quote Link to comment Share on other sites More sharing options...
trq Posted February 24, 2011 Share Posted February 24, 2011 i just removed all the mysql_real_escape_string(), and it worked fine. Cool. Now your queries are more vulnerable. I suggest your read kenrbnsn's reply again. Quote Link to comment Share on other sites More sharing options...
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.