I have a comment system in PHP, and when a user types a line break in the textarea it shows up as `\r\n` (Note: I’m sanitizing this input and using htmlentities(), and I have custom mark-up).
Here’s my current code (including attempt at line break replacement):
$comment_content = stripslashes(str_replace('\r\n', '@//', mysql_real_escape_string($_POST['comment_content'])));
$comment_content = htmlentities($comment_content);
$comment_content = mysql_real_escape_string(str_replace("====", "<span class=".$bold.">", $comment_content));
$comment_content = mysql_real_escape_string(str_replace("===", "</span>", $comment_content));
$comment_content = mysql_real_escape_string(str_replace("~~~", "<span class=".$italic.">", $comment_content));
$comment_content = mysql_real_escape_string(str_replace("~~", "</span>", $comment_content));
$comment_content = mysql_real_escape_string(str_replace("++++", "<span class=".$big.">", $comment_content));
$comment_content = mysql_real_escape_string(str_replace("+++", "</span>", $comment_content));
$comment_content = mysql_real_escape_string(str_replace("___", "<span class=".$underline.">", $comment_content));
$comment_content = mysql_real_escape_string(str_replace("__", "</span>", $comment_content));
$comment_content = mysql_real_escape_string(str_replace("@//", "<br>", $comment_content));
$comment_content = sanitize($comment_content);
And this is how I sanitize:
function sanitize($sql, $formUse = true) {
$sql = preg_replace("/(from|script|src|select|insert|delete|where|drop table|show tables|`|,|'|\*|\\\\)/i","",$sql);
$sql = trim($sql);
if(!$formUse || !get_magic_quotes_gpc()) {
$sql = addslashes($sql);
}
return $sql;
}
Any ideas?
You don’t use htmlentities() on the way in, you use it on the output. You should be escaping the input into your database and then, to display newlines on the output, consider:
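An added example (not the asker's code and not the answerer's) of the split the answer describes: store the raw text through a prepared statement, and do all HTML escaping, custom mark-up and line-break handling only when rendering. It assumes a PDO connection `$pdo`, a `comments` table with a `content` column, and hypothetical CSS class names for the mark-up.

```php
<?php
// Assumed: $pdo is an existing PDO connection; table `comments` has a
// `content` column. Class names below are hypothetical.

// Normalise Windows ("\r\n") and old Mac ("\r") line endings to "\n" so the
// output side only has one form to handle.
function normalise_newlines(string $text): string {
    return str_replace(["\r\n", "\r"], "\n", $text);
}

// On the way in: store the raw text. The prepared statement does the SQL
// quoting, so no mysql_real_escape_string()/addslashes() layering and no
// HTML escaping here.
function store_comment(PDO $pdo, string $raw): void {
    $stmt = $pdo->prepare('INSERT INTO comments (content) VALUES (:content)');
    $stmt->execute([':content' => normalise_newlines($raw)]);
}

// On the way out: escape for HTML first, then turn the custom mark-up and
// newlines into tags. Because escaping happens before tags are added, the
// generated <span>/<br> tags survive while user-supplied "<", ">", "&" and
// quotes are neutralised.
function render_comment(string $stored): string {
    $html = htmlspecialchars($stored, ENT_QUOTES | ENT_HTML5, 'UTF-8');

    // strtr() with an array tries the longest key first and never re-scans
    // text it has already replaced, so "====" wins over "===" and the
    // inserted tags cannot be matched again by a later rule.
    $markup = [
        '====' => '<span class="bold">',
        '==='  => '</span>',
        '~~~'  => '<span class="italic">',
        '~~'   => '</span>',
        '++++' => '<span class="big">',
        '+++'  => '</span>',
        '___'  => '<span class="underline">',
        '__'   => '</span>',
    ];
    $html = strtr($html, $markup);

    // Newlines become "<br />" (nl2br keeps the "\n" too, harmless in HTML).
    return nl2br($html);
}

// Constructed sample, standing in for $_POST['comment_content'].
$sample = "====Hello===\r\n<script>alert(1)</script>\r\nline two";
echo render_comment(normalise_newlines($sample));
// Output: <span class="bold">Hello</span><br />
// &lt;script&gt;alert(1)&lt;/script&gt;<br />
// line two
```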