I tried a search on this already. Found tons of threads on preventing injection attacks...but couldn't find anything related to my specific question.
I use a function I grabbed out of a book to escape data submitted through an online form to try and prevent injection attacks. This is the code:
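    // Escape form input before it is used in a MySQL query.
    function escape_data($data)
    {
        // Undo the slashes PHP adds automatically when magic_quotes_gpc is on.
        if (ini_get('magic_quotes_gpc'))
        {
            $data = stripslashes($data);
        }
        // Prefer the connection-aware escape function when it exists.
        if (function_exists('mysql_real_escape_string'))
        {
            $data = mysql_real_escape_string(trim($data));
        }
        else
        {
            $data = mysql_escape_string(trim($data));
        }
        return $data;
    }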
Now I'm trying to use this function on a textarea form field that, when it's submitted, gets inserted into a database. When I test this...it all seems to be working as it should, except when I display the submitted info back into the textarea...it doesn't display as I originally inputted it. Here is an example:
testing this
testing this
testing this
When I hit submit...it is inserted into the database like this:
testing this\r\ntesting this\r\ntesting this\r\n
And it displays like it is inserted in the above code block. I want it to display like it was originally typed into the textarea before submitting it. Any help with this would be greatly appreciated.
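
The behaviour described above, as an added example that is not part of the original post: escaped text that is stored as data keeps its backslash sequences literally, while the raw text passed through a bound parameter keeps its line breaks, and HTML encoding is applied only when echoing the value back into the form. It assumes PHP with the pdo_sqlite extension; the `notes` table and the helpers `escape_like_mysql()` (a stand-in for `mysql_real_escape_string()`, which needs a live MySQL connection) and `store_and_fetch()` are made up for the illustration.

```php
<?php
// Added example, not the poster's code. Assumes PHP with the pdo_sqlite
// extension; the table name "notes" and the helper names are made up here.

// Stand-in for mysql_real_escape_string(): backslash-escapes the characters
// that function is documented to escape (NUL, \n, \r, \, ', ", Ctrl-Z).
function escape_like_mysql(string $s): string
{
    return strtr($s, [
        "\0" => '\\0', "\n" => '\\n', "\r" => '\\r', '\\' => '\\\\',
        "'" => "\\'", '"' => '\\"', "\x1a" => '\\Z',
    ]);
}

// Store a value through a bound parameter and read it back.
function store_and_fetch(PDO $db, string $value): string
{
    $db->prepare('INSERT INTO notes (body) VALUES (?)')->execute([$value]);
    $id = $db->lastInsertId();
    $stmt = $db->prepare('SELECT body FROM notes WHERE id = ?');
    $stmt->execute([$id]);
    return $stmt->fetchColumn();
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE notes (id INTEGER PRIMARY KEY, body TEXT)');

// Constructed sample: what a browser submits for a three-line textarea.
$submitted = "testing this\r\ntesting this\r\ntesting this\r\n";

// Escaped text kept as data: the backslash sequences are stored literally.
$escaped = store_and_fetch($db, escape_like_mysql($submitted));
var_dump($escaped === 'testing this\r\ntesting this\r\ntesting this\r\n');

// Raw text through a bound parameter: line breaks survive unchanged.
$raw = store_and_fetch($db, $submitted);
var_dump($raw === $submitted);

// Encode for HTML only when echoing the value back into the form.
echo '<textarea name="body">',
    htmlspecialchars($raw, ENT_QUOTES, 'UTF-8'),
    '</textarea>', "\n";
```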