
Andrew McCombs
4,309 Points
I need help with my conversion of the <br>.
Hello everyone,
So what I have is something where someone can type information like a bio, and then it is echoed to the screen so it can be displayed. Well, I already have this in place on my website.
Say this is my bio
Hello,
My name is Andrew McCombs, and I love to code.
Want to know more then? Well ask!!
The information is being stored in the database like this.
$post_body = nl2br(htmlspecialchars($post_body));
The information is echoing to the page correctly, the way that it was typed, like this
Hello,
My name is Andrew McCombs, and I love to code.
Want to know more then? Well ask!!
but this is the issue, if I would want someone to update the information in a textarea where they can then submit that information to update the database. Well, when the information is echoed into the textarea it looks like this.
Hello,<br />
<br />
My name is Andrew McCombs, and I love to code.<br />
Want to know more then? Well ask!!
Well I know that I wouldn't want the br's to show up in the textarea, that's just crazy, so I am using this function to convert the br to new lines (which I think is the real problem).
function br2nl($input){
    return preg_replace('/<br(\s+)?\/?>/i', "\n", $input);
}
Now when I echo this information to the textarea it looks like this.
Hello,
My name is Andrew McCombs, and I love to code.
Want to know more then? Well ask!!
What can I do to make it look like the orig bio? Thanks!!
4 Answers

thomascawthorn
22,985 Points
You can save html into your database no worries, it's what CMS like wordpress do ;)
You're filling the box with html special characters. To remove these and just show your text, you're going to need to convert your string back.
There are quite a few ready-made functions that should help you out. I'm not sure which one you'll need specifically (it shouldn't take a lot of trial and error!)

thomascawthorn
22,985 Points
EDIT:
this person used the strip tags function

Andrew McCombs
4,309 Points
Okay, if I use the htmlspecialchars_decode()
So if I enter the information like this
$post_body = htmlspecialchars($post_body);
and then echo it out like this
echo htmlspecialchars_decode($post_body);
Then I get this
dfadafsadsfadfsafds<br />
<br />
adfadfadfsdfs<br />
fad<br />
dfa<br />
dfsa<br />
a<br />
ad<br />
<br />
asdffdasasfddfsa
I need the br to be gone and the information to be the way that it was stored with the line breaks

thomascawthorn
22,985 Points
Not sure if you saw my strip_tags edit just before your post. See how that goes

Andrew McCombs
4,309 Points
That worked.
I have been screaming at my computer for the last 2 days on this one. Thank you so much. I even tried to google it and never found that article.
Thanks for the help!!

Andrew McCombs
4,309 Points
Tom,
I was wondering what you would recommend,
$post_body = htmlentities($post_body);
$post_body = htmlspecialchars($post_body);
$post_body = nl2br(htmlspecialchars($post_body));
$post_body = nl2br(htmlentities($post_body));
I just don't want someone to sql inject code.

miguelcastro2
Courses Plus Student 6,573 Points
Why save the new lines as <br> in the database? Preserve the new lines and when you echo the results to your page use the nl2br() function.

Andrew McCombs
4,309 Points
If I put the information in the database like this.
$post_body = htmlspecialchars($post_body);
Then it echoes the correct format, until I echo the information into a textarea, then I have the br tags.
So if I use the nl2br() function on the post body I get the same outcome
Hello,
My name is Andrew McCombs, and I love to code.
Want to know more then? Well ask!!

Tobiasz Gala
Full Stack JavaScript Techdegree Student 23,529 Points
Since you are using the nl2br function to store data in your database, you're forcing the code to store html tags in it. Don't store those tags in the database when you want to edit simple text. You can use it for layout purposes, but in your case don't use nl2br() on your $post_body. As the friend above said, use nl2br to display data but don't use it to display in your text fields. Example:
<?php
$text = "This is simple text\nAnd another one";
echo '<textarea>'.htmlspecialchars($text).'</textarea>'; // code for textarea
echo '<br><br>'; // just line breaks
echo nl2br(htmlspecialchars($text)); // code for website display
?>

thomascawthorn
22,985 Points
I think you're tackling two different things here: SQL injection and the need to escape output.
htmlspecialchars etc won't really save you from SQL injection.
As long as you're using php's built in PDO and binding any incoming pieces of information to the query (instead of concatenating them directly into the query), you should be pretty well protected from sql injection.
Attack via output is different. This is where someone could enter javascript / php code to interact with your application in evil ways. The myspace worm hack is a really good example of this kind of attack. I think this is what you're trying to protect yourself against here?
As long as you escape all OUTPUT, you'll be fine. You can't really escape all input because there's just a huge number of ways an attacker could alter their code to bypass your filters. You can have a go, but it's probably better to work on the output. There are simple things you could check for and reject such as opening and closing script tags - but then what if someone enters an html element with an onclick attribute or an onload attribute? The list goes on!
You can always test your inputs by entering test scripts like
<script>
alert('I totally got run');
</script>
or
<?php
echo "</form><h1>I just closed the form because I'm sneaky</h1>";
?>
to see how your page reacts.
I just searched "php escaping user ouput" and found this which might be quite interesting.
Hope this helps!
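
The advice in this thread put together in one script, as an added example that is not code from any of the posters: the bio is stored exactly as typed through a bound PDO parameter, then escaped only at output, once for the textarea and once (with nl2br) for the page. The `bios` table, the `e()` helper and the sample text are constructed for illustration, and an in-memory SQLite database (pdo_sqlite extension) is assumed so the script runs without a server.

```php
<?php
// Added example: table name `bios` and all sample values are constructed.
// Assumes the pdo_sqlite extension so the script runs without a server.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE bios (id INTEGER PRIMARY KEY, body TEXT NOT NULL)');

// Constructed submission: real line breaks, a quote that would break a
// concatenated query, and the test script from the thread.
$post_body = "Hello,\r\n\r\nMy name is O'Brien.\r\n<script>alert('I totally got run');</script>";

// 1. Store the text exactly as typed. The bound parameter is what prevents
//    SQL injection; no htmlspecialchars() or nl2br() at this point.
$insert = $pdo->prepare('INSERT INTO bios (body) VALUES (:body)');
$insert->execute([':body' => $post_body]);
$id = (int) $pdo->lastInsertId();

// 2. Read it back, again with a bound parameter.
$select = $pdo->prepare('SELECT body FROM bios WHERE id = :id');
$select->execute([':id' => $id]);
$stored = $select->fetchColumn();

// Hypothetical helper: escape for the HTML context, at output time only.
function e(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// 3a. Edit form: escaped, but no nl2br(), so the textarea shows real newlines.
$textarea = '<textarea name="post_body">' . e($stored) . '</textarea>';

// 3b. Page display: escape first, then nl2br() adds the only real tags.
$display = '<p>' . nl2br(e($stored)) . '</p>';

// The round trip is lossless and the script tag is inert in both outputs.
// (assert() is skipped when zend.assertions is disabled.)
assert($stored === $post_body);
assert(strpos($textarea, '<br') === false);
assert(strpos($display, '<script>') === false);
assert(substr_count($display, '<br />') === 3);

echo $textarea, "\n\n", $display, "\n";
```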

thomascawthorn
22,985 Points
I must add that I am by no means a web security expert, I've just read around the subject. The above is intended to get you started but not an exhaustive (and potentially inaccurate) volume of info! Always best to do lots of research of your own when it comes to security

Andrew McCombs
4,309 Points
If you need more information just let me know, I tried to make it as detailed as I can.