PHP auto <br>

They have: 218 posts

Joined: Apr 2001

Hi there,

I want to auto add tags to user input HTML when necessary...how can I do that?

Also, how should user input HTML be prepared before storing in a database, so data is protected? Escaping? The data will need to be retrieved in its proper HTML form.

Thanks,

TM
http://www.electricmountain.com/

druagord's picture

He has: 335 posts

Joined: May 2003

If you mean transforming line returns into <br>, there is nl2br(yourstring) that you can use. To escape special characters, use addslashes(yourstring).
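Added example for the storage half of the question, not code from the thread: store the raw text with a bound parameter and put the markup on at output time. It assumes PDO with the SQLite driver (ext/pdo_sqlite) and PHP 7 or later; the table and the sample post are constructed inline so the script runs offline.

```php
<?php
// Added example, not code from the thread. Stores the raw text with a bound
// parameter and escapes only on output. Assumes PDO with the SQLite driver
// (ext/pdo_sqlite); the table and the sample post are constructed here so
// the script runs offline.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE posts (id INTEGER PRIMARY KEY, body TEXT NOT NULL)');

// Constructed input as a browser submits it from a textarea: CRLF line
// endings, an apostrophe, a backslash and a tag the user typed.
$input = "foo isn't\r\n bar \\ <script>alert(1)</script>";

// The value travels separately from the SQL text, so nothing in it needs
// quoting. addslashes() only handles a fixed set of characters and knows
// nothing about the connection's character set; a bound parameter does.
$stmt = $db->prepare('INSERT INTO posts (body) VALUES (:body)');
$stmt->execute([':body' => $input]);

// Retrieval gives back exactly the bytes that went in: no slashes added,
// nothing stripped.
$row = $db->query('SELECT body FROM posts WHERE id = 1')->fetch(PDO::FETCH_ASSOC);
var_dump($row['body'] === $input);

// Markup belongs on the way out: escape first, then add our own <br /> tags,
// so the tags we add are the only ones the browser will interpret.
echo nl2br(htmlspecialchars($row['body'], ENT_QUOTES, 'UTF-8'));
?>
```

The same pattern applies to MySQL or any other PDO driver; only the DSN changes. The point is that the database receives the text unaltered and the browser receives it escaped, with no slashes to strip on the way back out.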

They have: 218 posts

Joined: Apr 2001

druagord, does that mean the client has to enter PHP data?

echo nl2br("foo isn't\n bar");

I'm looking for something that automatically detects new lines and inserts the appropriate number of tags.

Thanks.

druagord's picture

He has: 335 posts

Joined: May 2003

I guess the user will enter the data in a form; use a textarea and set wrap="hard" so that each line return is transmitted to your script.

Renegade's picture

He has: 3,022 posts

Joined: Oct 2002

Yes, nl2br() is the function you are looking for.

It converts all of your \n to <br />\n, or something of that nature.

They have: 218 posts

Joined: Apr 2001

Does a message board text area like this one detect new lines in the same manner? If I can avoid telling the client: put \n for every new line I'd like to.

Suzanne's picture

She has: 5,507 posts

Joined: Feb 2000

When a form is submitted, it returns some hidden characters for new lines and carriage returns. Often the format is \n\r -- new line, carriage return.

This is what's tested for, it's not something the user enters. The user just presses return or enter and creates a visual new line.

Depending on the application, it's better to create new paragraphs on output, not put the information into the database with the markup attached, btw.
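Added example of what the posts above describe, not code from the thread: the raw textarea text is kept as submitted and turned into escaped HTML paragraphs on output. It assumes PHP 7.1 or later; the sample input is constructed.

```php
<?php
// Added example, not code from the thread: turn raw textarea text into
// escaped HTML paragraphs at display time. The stored text carries no
// markup; every tag below is added here, on the way out.
function render_text_as_html(string $text): string
{
    // Browsers submit textarea lines as CRLF ("\r\n"); old Macs sent a bare
    // CR. Normalise everything to "\n" before looking for blank lines.
    $text = str_replace(["\r\n", "\r"], "\n", $text);

    // One or more blank lines separate paragraphs.
    $paragraphs = preg_split('/\n{2,}/', trim($text));

    $html = [];
    foreach ($paragraphs as $p) {
        if ($p === '') {
            continue;
        }
        // Escape first, so any <, > or quotes the user typed are shown
        // literally, then add our own <br /> for single newlines.
        $escaped = htmlspecialchars($p, ENT_QUOTES, 'UTF-8');
        $html[] = '<p>' . nl2br($escaped) . '</p>';
    }
    return implode("\n\n", $html);
}

// Constructed sample: two paragraphs, a forced line break, and a tag the
// user typed, which must come out as visible text rather than markup.
$submitted = "First line\r\nsecond line\r\n\r\n<b>Not bold</b> & done\r\n";
echo render_text_as_html($submitted);
?>
```

Because the escaping happens before nl2br(), the only tags in the result are the <p> and <br /> elements the function itself adds; the user's <b> comes out as literal text.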

They have: 218 posts

Joined: Apr 2001

"Depending on the application, it's better to create new paragraphs on output, not put the information into the database with the markup attached, btw."

Can you elaborate more on that? In one case, the user has the ability to write their own HTML which is stored in a database. It's dynamically written to an HTML window when retrieved for viewing. I just want to make sure nothing malicious makes its way into the database.

He has: 1,758 posts

Joined: Jul 2002

Wow... cool function. I didn't know that existed. I've been doing eregi_replace("\n","<br>","$string");

Must remember that one!

Andy

Suzanne's picture

She has: 5,507 posts

Joined: Feb 2000

In order to protect the data as much as possible from the tampering of the and crew, I don't allow HTML into the database normally. Instead, when the data is displayed, I add the markup then.

It's especially useful for paragraphs, but can also work for anchors and other markup.

Dean Allan has something like this going for his CMS project -- http://www.textism.com/tools/textile/ -- but I think it goes into the database as markup, though standardized markup.

On the way in, I can (and sometimes do) change things to the correct HTML entities for things like degrees and quotes, however I also do this:

<?php
// A blank line (newline, carriage return, newline) closes one paragraph and opens the next
$care = str_replace("\n\r\n", "</p>\n\n<p>", $care);

// Curly quotes to their numeric entities (str_replace matches literal strings, not patterns)
$care = str_replace(array("‘", "’"), array("&#8216;", "&#8217;"), $care);

// Degree sign to its numeric entity
$care = str_replace("°", "&#176;", $care);
?>

And then to display it for real:

<?php
echo "<p>$care</p>";
?>

Which puts the beginning and end on.

Better ways are welcome, please don't hesitate to cut this apart.

They have: 218 posts

Joined: Apr 2001

Thanks for the info, Suzanne. Can a user do anything malicious by entering HTML/javascript into a database through a form?

Suzanne's picture

She has: 5,507 posts

Joined: Feb 2000

Yes, they definitely can. Stripping out tags and replacing them with your own codes can help, or just removing all tags (like comment scripts do).

In general it's better to keep the data clean from all markup except semantic tags like and , which do not influence anything other than the appearance and meaning of the data.
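Added example of the "keep only semantic tags" approach, not code from the thread: an allowlist sanitizer built on ext/dom that keeps a handful of elements, drops every other element and every unlisted attribute, and only lets links point at http(s). It assumes PHP 7.1 or later with ext/dom (which ships with PHP); the allowed-tag list and the sample input are constructed here.

```php
<?php
// Added example, not code from the thread. Keeps an allowlist of semantic
// tags and drops every other element and every unlisted attribute. Uses
// ext/dom (ships with PHP) and needs PHP 7.1+ for the type declarations.
// strip_tags() with an allowed-tags list is not enough for this job: it
// keeps every attribute, so <em onmouseover="...">text</em> passes through it.
function sanitize_html(string $dirty): string
{
    // Elements to keep, each with the attributes it may carry.
    $allowed = [
        'p' => [], 'em' => [], 'strong' => [], 'br' => [],
        'a' => ['href'],
    ];

    $doc = new DOMDocument();
    $prev = libxml_use_internal_errors(true);   // tolerate sloppy markup quietly
    // The XML declaration tells libxml the bytes are UTF-8; the body wrapper
    // lets a bare fragment parse.
    $doc->loadHTML('<?xml encoding="UTF-8" ?><body>' . $dirty . '</body>');
    libxml_clear_errors();
    libxml_use_internal_errors($prev);

    $body = $doc->getElementsByTagName('body')->item(0);
    clean_node($body, $allowed);

    $out = '';
    foreach ($body->childNodes as $child) {
        $out .= $doc->saveHTML($child);   // text nodes come back entity-escaped
    }
    return $out;
}

function clean_node(DOMNode $node, array $allowed): void
{
    // Iterate over a copy: removing children mutates the live node list.
    foreach (iterator_to_array($node->childNodes, false) as $child) {
        if ($child instanceof DOMElement) {
            $tag = strtolower($child->tagName);
            if (!isset($allowed[$tag])) {
                if (in_array($tag, ['script', 'style', 'iframe', 'object', 'embed'], true)) {
                    $node->removeChild($child);   // drop these with their content
                    continue;
                }
                // Any other unknown element: clean its children, then unwrap
                // them so only the text survives.
                clean_node($child, $allowed);
                while ($child->firstChild !== null) {
                    $node->insertBefore($child->firstChild, $child);
                }
                $node->removeChild($child);
                continue;
            }
            // Allowed element: remove every attribute not on its list.
            foreach (iterator_to_array($child->attributes, false) as $attr) {
                if (!in_array(strtolower($attr->name), $allowed[$tag], true)) {
                    $child->removeAttribute($attr->name);
                }
            }
            // Links may only point at http(s); javascript: and data: go away.
            if ($tag === 'a' && $child->hasAttribute('href')
                && !preg_match('#^https?://#i', trim($child->getAttribute('href')))) {
                $child->removeAttribute('href');
            }
            clean_node($child, $allowed);
        } elseif (!($child instanceof DOMText)) {
            // Comments and processing instructions are never needed.
            $node->removeChild($child);
        }
    }
}

// Constructed sample covering an event handler, a script, a javascript: URL,
// a legitimate link and an element outside the allowlist.
$dirty = '<p onclick="steal()">Hi <em>there</em> <script>alert(1)</script>'
       . '<a href="javascript:alert(2)">x</a> <a href="https://example.com/">ok</a></p>'
       . '<div>unwrapped <b>text</b></div>';
echo sanitize_html($dirty);
?>
```

Running it leaves the <p>, <em> and the https link intact, strips the onclick attribute and the javascript: href, removes the script element with its contents, and reduces the div and b to their text. Parsing with a real HTML parser and rebuilding from the tree is what makes this hold up against malformed tags; regex-based stripping does not. For anything beyond a handful of tags, use a maintained sanitizer such as HTML Purifier rather than growing this list by hand.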

They have: 218 posts

Joined: Apr 2001

"For instance they could open an tag and not close it, then all the text on the page would link where they wanted."

In this case, they are creating their own site, so I don't have a problem with it. I may consider stripping and replacing tags though, as Suzanne suggested.

Any threat to the database by leaving the tags/javascript in there? That's my main concern.

Thanks,

TM

Suzanne's picture

She has: 5,507 posts

Joined: Feb 2000

The threat is really to the site, not the database -- corrupted information coming out. The data, however, is at risk as well as most databases will "fix" anything that's going to hurt them, and there are some other issues with the database cutting off data if you have the fields set badly.
