PHP auto <br>
Hi there,
I want to auto add <br> tags to user input HTML when necessary... how can I do that?
Also, how should user input HTML be prepared before storing in a database, so data is protected? Escaping? The data will need to be retrieved in its proper HTML form.
Thanks,
druagord posted this at 23:44 — 10th December 2003.
He has: 335 posts
Joined: May 2003
If you mean transforming line returns to <br>, there is nl2br(yourstring) that you can use; to escape special chars use addslashes(yourstring).
TonyMontana posted this at 00:15 — 11th December 2003.
They have: 218 posts
Joined: Apr 2001
druagord, does that mean the client has to enter PHP data?
echo nl2br("foo isn't\n bar");
I'm looking for something that automatically detects new lines and inserts the appropriate number of <br> tags.
Thanks.
druagord posted this at 00:20 — 11th December 2003.
He has: 335 posts
Joined: May 2003
I guess the user will enter the data in a form; use a textarea and set wrap="hard" so that each line return is transmitted to your script.
Renegade posted this at 00:21 — 11th December 2003.
He has: 3,022 posts
Joined: Oct 2002
Yes, nl2br() is the function you are looking for.
It converts all of your \n to <br>\n or something of that nature.
TonyMontana posted this at 00:28 — 11th December 2003.
They have: 218 posts
Joined: Apr 2001
Does a message board text area like this one detect new lines in the same manner? If I can avoid telling the client to put \n for every new line, I'd like to.
Suzanne posted this at 03:38 — 11th December 2003.
She has: 5,507 posts
Joined: Feb 2000
When a form is submitted, it returns some hidden characters for new lines and carriage returns. Often the format is \n\r -- new line, carriage return.
This is what's tested for, it's not something the user enters. The user just presses return or enter and creates a visual new line.
Depending on the application, it's better to create new paragraphs on output, not put the information into the database with the markup attached, btw.
TonyMontana posted this at 05:28 — 11th December 2003.
They have: 218 posts
Joined: Apr 2001
"Depending on the application, it's better to create new paragraphs on output, not put the information into the database with the markup attached, btw."
Can you elaborate more on that? In one case, the user has the ability to write their own HTML which is stored in a database. It's dynamically written to an HTML window when retrieved for viewing. I just want to make sure nothing malicious makes its way into the database.
andy206uk posted this at 12:24 — 11th December 2003.
He has: 1,758 posts
Joined: Jul 2002
Wow... cool function. I didn't know that existed. I've been doing
eregi_replace("\n","<br>","$string");
'Must remember that one!
Andy
Suzanne posted this at 16:20 — 11th December 2003.
She has: 5,507 posts
Joined: Feb 2000
In order to protect the data as much as possible from the tampering of the and crew, I don't allow HTML into the database normally. Instead, when the data is displayed, I add the markup then.
It's especially useful for paragraphs, but can also work for anchors and other markup.
Dean Allan has something like this going for his CMS project -- http://www.textism.com/tools/textile/ -- but I think it goes into the database as markup, though standardized markup.
On the way in, I can (and sometimes do) change things to the correct HTML entities for things like degrees and quotes, however I also do this:
<?php
// Turn a blank line between blocks of text into a paragraph break.
$care = str_replace("\n\r\n", "</p>\n\n<p>", $care);
$care = str_replace("‘[^>]*’", "‘[^>]*’", $care);
// Replace the degree sign with its HTML entity.
$care = str_replace("°", "&deg;", $care);
?>
And then to display it for real:
<?php
echo "<p>$care</p>";
?>
Which puts the beginning and end on.
Better ways are welcome, please don't hesitate to cut this apart.
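Suzanne's "add the markup on output" approach worked through as an added example (my code, not hers; the function name is mine). It escapes the stored text first and only then builds the <p> and <br> tags, so user-typed tags come out as visible text while the generated ones remain real markup.

```php
<?php
// Added example, not Suzanne's code: keep the stored text free of markup and
// add the <p>/<br> tags only at display time. Function name is my own.

function render_plain_text(string $raw): string
{
    // Browsers submit textarea line breaks as "\r\n"; normalise to "\n" first
    // so that one split pattern covers Windows, old Mac and Unix endings.
    $text = str_replace(["\r\n", "\r"], "\n", $raw);

    // Escape BEFORE adding markup: a user's "<script>" or stray "<" becomes
    // harmless text, while the <p>/<br> added below stay real tags.
    $text = htmlspecialchars($text, ENT_QUOTES | ENT_HTML5, 'UTF-8');

    // Blank lines separate paragraphs; single newlines inside one become <br>.
    $html = [];
    foreach (preg_split('/\n{2,}/', trim($text)) as $paragraph) {
        $paragraph = trim($paragraph);
        if ($paragraph !== '') {
            $html[] = '<p>' . nl2br($paragraph, false) . '</p>';
        }
    }
    return implode("\n\n", $html);
}

// Constructed sample, shaped like a textarea submission from a browser.
$submitted = "First line\r\nsecond line\r\n\r\n<b onclick=\"x()\">bold?</b> & 5 < 6";
echo render_plain_text($submitted), "\n";
```

The database keeps $raw unchanged; only the rendered copy carries tags, so the same text can later be re-rendered with different markup without touching stored rows.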
TonyMontana posted this at 06:28 — 12th December 2003.
They have: 218 posts
Joined: Apr 2001
Thanks for the info, Suzanne. Can a user do anything malicious by entering HTML/javascript into a database through a form?
andy206uk posted this at 09:28 — 12th December 2003.
He has: 1,758 posts
Joined: Jul 2002
I believe they can. For instance they could open an <a> tag and not close it, then all the text on the page would link where they wanted. Not good for your site. Also, javascript can be used to manipulate the DOM so they could pop up windows, redirect users elsewhere and all sorts.
It's best to remove the HTML wherever possible.
Andy
Suzanne posted this at 16:11 — 12th December 2003.
She has: 5,507 posts
Joined: Feb 2000
Yes, they definitely can. Stripping out tags and replacing them with your own codes can help, or just removing all tags (like comment scripts do).
In general it's better to keep the data clean from all markup except semantic tags like and , which do not influence anything other than the appearance and meaning of the data.
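Suzanne's allowlist idea and Andy's unclosed-tag and javascript concerns, as an added example (my code, not from the thread; the function name is mine). It keeps only four semantic tags and drops every attribute, which is the part strip_tags() does not do: strip_tags() with an allowed-tag list leaves attributes such as onclick or a javascript: href in place on the tags it keeps.

```php
<?php
// Added example, not from the thread: keep only a few semantic tags in
// user-supplied HTML and drop every attribute. The function name is mine.
// Note that strip_tags() with an allowed-tag list is NOT equivalent: it
// keeps attributes on the allowed tags, so <em onclick="..."> survives it.

function keep_semantic_tags(string $html): string
{
    $allowed = ['em', 'strong', 'p', 'br'];   // kept, minus attributes
    $dropped = ['script', 'style'];            // removed with their content
                                               // everything else is unwrapped
    $doc = new DOMDocument();
    $prevErrors = libxml_use_internal_errors(true); // user markup is messy
    $doc->loadHTML(
        '<?xml encoding="UTF-8"?><div>' . $html . '</div>',
        LIBXML_HTML_NOIMPLIED | LIBXML_HTML_NODEFDTD
    );
    libxml_clear_errors();
    libxml_use_internal_errors($prevErrors);
    $root = $doc->documentElement;              // our wrapper <div>

    // Snapshot first: editing a live node list while iterating skips nodes.
    $elements = iterator_to_array($root->getElementsByTagName('*'));
    foreach ($elements as $el) {
        $name = strtolower($el->tagName);
        if (in_array($name, $dropped, true)) {
            $el->parentNode->removeChild($el);
        } elseif (!in_array($name, $allowed, true)) {
            // Unwrap: lift the children out, then delete the element itself.
            while ($el->firstChild !== null) {
                $el->parentNode->insertBefore($el->firstChild, $el);
            }
            $el->parentNode->removeChild($el);
        } else {
            while ($el->hasAttributes()) {      // href, style, on*... all go
                $el->removeAttribute($el->attributes->item(0)->nodeName);
            }
        }
    }

    $out = '';
    foreach ($root->childNodes as $child) {     // serialise without the <div>
        $out .= $doc->saveHTML($child);
    }
    return $out;
}

// Constructed sample of hostile user HTML.
$userHtml = '<p onclick="steal()">Hi <a href="javascript:x()">there</a>'
    . '<script>alert(1)</script><strong style="x">!</strong></p>';
echo keep_semantic_tags($userHtml), "\n";
```

Because the parser closes any tag the user left open, the unclosed <a> Andy describes cannot swallow the rest of the page either.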
TonyMontana posted this at 18:44 — 12th December 2003.
They have: 218 posts
Joined: Apr 2001
"For instance they could open an <a> tag and not close it, then all the text on the page would link where they wanted."
In this case, they are creating their own site, so I don't have a problem with it. I may consider stripping and replacing tags though, as Suzanne suggested.
Any threat to the database by leaving the tags/javascript in there? That's my main concern.
Thanks,
TM
Suzanne posted this at 19:34 — 12th December 2003.
She has: 5,507 posts
Joined: Feb 2000
The threat is really to the site, not the database -- corrupted information coming out. The data, however, is at risk as well as most databases will "fix" anything that's going to hurt them, and there are some other issues with the database cutting off data if you have the fields set badly.