HTML Form Entry showing "return"

heinz1218

I'm building a simple HTML form that dumps into a MySQL database. When I retrieve the info, it doesn't output "returns." I tried using addslashes() to no avail. Is there a specific function I should use in PHP or is it a MySQL thing? I feel like I've solved this problem before but can't find it in any of my previous code...

Thanks!

NogDog

Remember that in HTML, newlines are treated as word-spaces (except in special circumstances such as within a <pre> tag). You may want to use the [man]nl2br/man function when outputting the text to the browser:

echo "<p>" . nl2br($row['text']) . "</p>\n";

heinz1218

Maybe I wasn't clear. I have a form like this:

<form><textarea name="description" id="description"></textarea></form>

and php code:

$description=$_POST['description'];

If users enter data into the textarea and hit return to start a new paragraph, the DB doesn't know this. "description" in mysql is set to "text." Isn't there some way to escape it to:

Make it more secure so people can't do database attacks or something.
When i echo the text, to format it like it was typed into the text box?

It's not possible for me to add in <p> manually...

halojoy

2. When i echo the text, to format it like it was typed into the text box?

[man]nl2br/man
... as mentioned in very good advice above, will convert any \n to <br>

You should avoid using addslashes and stripslashes in your scripts.
why?
Because doing stripslashes only indicates,
that you have too many added slashes before storing data.
If you avoid add slashes, if not needed, than there is no need to strip them extra slashes later.

It is actually a fact, regarding MySQL (i know from own experience and from expert articles)
that we should never need to do any stripslashes when pulling data from db.

Study the good advices at PHP Manual:

http://docs.php.net/get_magic_quotes_gpc
http://docs.php.net/manual/en/security.magicquotes.php

http://docs.php.net/manual/en/security.magicquotes.whynot.php

Why not to use Magic Quotes

* Performance Because not every piece of escaped data is inserted into a database, there is a performance loss for escaping all this data. Simply calling on the escaping functions (like addslashes()) at runtime is more efficient. Although php.ini-dist enables these directives by default, php.ini-recommended disables it. This recommendation is mainly due to performance reasons.

* Inconvenience Because not all data needs escaping, it's often annoying to see escaped data where it shouldn't be. For example, emailing from a form, and seeing a bunch of \' within the email. To fix, this may require excessive use of stripslashes().

Go for Real Escape of Strings, instead of some kinda magic escaping of database entries:
http://docs.php.net/mysql_real_escape_string

        // Reverse magic_quotes_gpc/magic_quotes_sybase effects on those vars if ON.

    if(get_magic_quotes_gpc()) {
        $product_name        = stripslashes($_POST['product_name']);
        $product_description = stripslashes($_POST['product_description']);
    } else {
        $product_name        = $_POST['product_name'];
        $product_description = $_POST['product_description'];
    }

    // Make a safe query
    $query = sprintf("INSERT INTO products (`name`, `description`, `user_id`) VALUES ('%s', '%s', %d)",
                mysql_real_escape_string($product_name, $link),
                mysql_real_escape_string($product_description, $link),
                $_POST['user_id']);

    mysql_query($query, $link);

NogDog

Do not concern yourself with storing data in the database with regards to how it will look when retrieved and then output to the browser. Rather, store the data as it is, so that it is non-output-method-specific. (You do, however, need to be sure to escape any special SQL-specific characters when inserting it into the DB, such as via the mysql_real_escape_string() function or similar functionalities for other DBMS's.)

When retrieving data from the DB for output, then concern yourself with the specific target output mechanism. In this case, if the target is to output it as HTML with newlines in the text retained as actual line breaks, then filter your text through the nl2br() function as I suggested, above. Or you can be even more creative in order to generate more semantically meaningful HTML:

echo "<p>" . preg_replace('/[\r\n]+/', "</p>\n<p>", trim($row['text'])) > "</p>\n";