Topic awaiting preservation: HTML Form formatter? (Page 1 of 1) $Pages that link to <a href="https://ozoneasylum.com/backlink?for=28825" title="Pages that link to Topic awaiting preservation: HTML Form formatter? (Page 1 of 1)" rel="nofollow" >Topic awaiting preservation: HTML Form formatter? <span class="small">(Page 1 of 1)</span>\$

rukuartic Nervous Wreck (II) Inmate From: Underneath a mountain of blankets. Insane since: Jan 2007	posted 01-12-2007 18:50 I'm gonna end up having something where I type words into a box, they get stored in a MySQL database, and then displayed on a page with a PHP loop. My question, is how would I go about having <br> tabs added automatically, and protection against people dropping in nasty scripts? Right now I'm just using a standard <textarea>. rukuartic@halflght:~/$ whatis life life: nothing appropriate.
WarMage Maniac (V) Mad Scientist From: Rochester, New York, USA Insane since: May 2000	posted 01-12-2007 20:54 You could try $string = nl2br(htmlspecialchars($_POST['text'])) Dan @ Code Town (Edited by WarMage on 01-12-2007 20:55)
rukuartic Nervous Wreck (II) Inmate From: Underneath a mountain of blankets. Insane since: Jan 2007	posted 01-12-2007 21:59 nl2br I'm taking it is \n --> <br> (Genius aren't I?) Would htmlspecialchars take care of things like "<script..." ? rukuartic@halflght:~/$ whatis life life: nothing appropriate.
twItch^ Maniac (V) Mad Scientist From: Denver, CO, USA Insane since: Aug 2000	posted 01-12-2007 22:16 There are a variety of things you can do. nl2br is a good one that turns line breaks into <br /> tags, and htmlspecialchars works well in stripping out malicious code. But being a total geek who wants total control over the semantic display of user-entered content, I prefer to use regular expressions to convert line breaks to <p></p> wrapped in paragraphs. code: function formatForDisplay($str) { $str = htmlspecialchars($str); $str = preg_replace("/(\r\n¦\n¦\r)/", "\n", $str); $str = preg_replace("/\n\n+/", "\n\n", $str); $str = preg_replace('/\n?(.+?)(?:\n\s*\n\|\z)/s', "<p>$1</p>\n", $str); // make paragraphs, including one at the end if (get_magic_quotes_gpc()) return stripslashes($str); else return $str; } Anyway, your mileage may vary. -svd
rukuartic Nervous Wreck (II) Inmate From: Underneath a mountain of blankets. Insane since: Jan 2007	posted 01-13-2007 05:29 Twitch, all my base are belong to you. Now this is the FOURTH time in about a day where I've looked at a regex, and had NO clue what it does. Is magic quotes really a necessity? Or could I get out of it by just giving my database names ridiculous names to avoid them being dropped by a malicious sql injection? *rukuartic googles for tutorials. rukuartic@halflght:~/$ whatis life life: nothing appropriate.
twItch^ Maniac (V) Mad Scientist From: Denver, CO, USA Insane since: Aug 2000	posted 01-13-2007 21:13 I use that particular function in sites all over the place, and sometimes I don't have complete control over whether or not get_magic_quotes_gpc() is turned on or not, so I keep it in just to catch it, not for avoiding sql injections. If the slashes were added on insertion into the database, I want to make sure they're removed when they're displayed. -svd

Topic awaiting preservation: HTML Form formatter? (Page 1 of 1) $Pages that link to <a href="https://ozoneasylum.com/backlink?for=28825" title="Pages that link to Topic awaiting preservation: HTML Form formatter? (Page 1 of 1)" rel="nofollow" >Topic awaiting preservation: HTML Form formatter? <span class="small">(Page 1 of 1)</span>\$

rukuartic
Nervous Wreck (II) Inmate

From: Underneath a mountain of blankets.
Insane since: Jan 2007

posted 01-12-2007 18:50

I'm gonna end up having something where I type words into a box, they get stored in a MySQL database, and then displayed on a page with a PHP loop.

My question, is how would I go about having <br> tabs added automatically, and protection against people dropping in nasty scripts? Right now I'm just using a standard <textarea>.

rukuartic@halflght:~/$ whatis life
life: nothing appropriate.

WarMage
Maniac (V) Mad Scientist

From: Rochester, New York, USA
Insane since: May 2000

posted 01-12-2007 20:54

You could try

$string = nl2br(htmlspecialchars($_POST['text']))

Dan @ Code Town

(Edited by WarMage on 01-12-2007 20:55)

rukuartic
Nervous Wreck (II) Inmate

From: Underneath a mountain of blankets.
Insane since: Jan 2007

posted 01-12-2007 21:59

nl2br I'm taking it is \n --> <br> (Genius aren't I?)

Would htmlspecialchars take care of things like "<script..." ?

rukuartic@halflght:~/$ whatis life
life: nothing appropriate.

twItch^
Maniac (V) Mad Scientist

From: Denver, CO, USA
Insane since: Aug 2000

posted 01-12-2007 22:16

There are a variety of things you can do. nl2br is a good one that turns line breaks into <br /> tags, and htmlspecialchars works well in stripping out malicious code.

But being a total geek who wants total control over the semantic display of user-entered content, I prefer to use regular expressions to convert line breaks to <p></p> wrapped in paragraphs.

code:

function formatForDisplay($str)
{
	$str = htmlspecialchars($str);
	$str = preg_replace("/(\r\n¦\n¦\r)/", "\n", $str);
	$str = preg_replace("/\n\n+/", "\n\n", $str);
	$str = preg_replace('/\n?(.+?)(?:\n\s*\n|\z)/s', "<p>$1</p>\n", $str); // make paragraphs, including one at the end
	if (get_magic_quotes_gpc()) return stripslashes($str); else return $str;
}

Anyway, your mileage may vary.

-svd

rukuartic
Nervous Wreck (II) Inmate

From: Underneath a mountain of blankets.
Insane since: Jan 2007

posted 01-13-2007 05:29

Twitch, all my base are belong to you. Now this is the FOURTH time in about a day where I've looked at a regex, and had NO clue what it does.

Is magic quotes really a necessity? Or could I get out of it by just giving my database names ridiculous names to avoid them being dropped by a malicious sql injection?

*rukuartic googles for tutorials.

rukuartic@halflght:~/$ whatis life
life: nothing appropriate.

twItch^
Maniac (V) Mad Scientist

From: Denver, CO, USA
Insane since: Aug 2000

posted 01-13-2007 21:13

I use that particular function in sites all over the place, and sometimes I don't have complete control over whether or not get_magic_quotes_gpc() is turned on or not, so I keep it in just to catch it, not for avoiding sql injections. If the slashes were added on insertion into the database, I want to make sure they're removed when they're displayed.

-svd