[thelist] PHP_SELF / Contact Form

Bill Moseley moseley at hank.org
Wed Aug 4 15:27:45 CDT 2010


On Wed, Aug 4, 2010 at 1:11 PM, DAVOUD TOHIDY <dtohidy at hotmail.com> wrote:

> I found what is causing the problem:
>
> I have:
>
> $message =
> mysql_real_escape_string(htmlentities(strip_tags(stripslashes(trim($_POST['message'])))));
>
> mysql_real_escape_string is causing the /n/r to show up inside the text
> area where the user message
> is retained when the user submits the form. Removing
> mysql_real_escape_string along with adding:
>
> <?php  $message = str_replace(array("\r\n", "\n", "\r"),"<br />",$message);
> echo($message)?>
>
> between the <textarea></textarea>  will replace the \r and \n with <br />
>
> However:
>
> 1-I do not want to remove the mysql_real_escape_string
> 2-I do not want to have the <br /> either
>
> What I would like to have is just a new line exactly as the user had typed.
>
> removing the <br /> from the above will remove the space between paragraphs
> in the message.
>
> Any ideas? Anyone?
>

Yes, stop digging yourself into a hole. ;)

If you followed the advice weeks earlier then you would just:

1) never escape the data on input.
2) use the correct escape method when using that data.
(Meaning using bind parameters when writing to the database, and html
escaping when rendering to, eh, html)

And 3) I'd probably just use <pre> (or maybe white-space:pre) to render the
text as the user entered it if that's important.  Or render it again in the
text area, which is what you probably want in this case.


Simple approaches are best.

I'd also search for a PHP template engine to avoid mixing markup and php
code. (But, maybe with PHP markup does belong on the code??)


-- 
Bill Moseley
moseley at hank.org
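The approach Bill describes above, carried through in code as an added example (not code from the original thread): store the message exactly as typed using a bound parameter, then apply HTML escaping only when rendering it back into the textarea or a <pre>. It assumes PDO with the sqlite driver so it runs offline; the `messages` table, the `h()` helper and the sample message are constructed for the example.

```php
<?php
// Added example, not from the original thread. Assumes PDO with the sqlite driver;
// the `messages` table and the h() helper are invented for this illustration.
declare(strict_types=1);

// Constructed sample input standing in for $_POST['message'] submitted from a textarea.
// Browsers submit textarea line breaks as CRLF, and the text contains characters that are
// special to HTML and to SQL string literals.
$raw = "Hello,\r\n\r\nI'd like a quote for <b>5</b> units & delivery.\r\nThanks,\r\nO'Brien";

// What the "escape on input" chain does to the same text: the line breaks become literal
// backslash sequences, which is exactly the \r\n that showed up inside the textarea.
function escapeOnInputForComparison(string $s): string
{
    // addslashes is used as a stand-in for mysql_real_escape_string, which needs a live
    // MySQL connection; both turn control characters and quotes into backslash escapes.
    return addslashes(htmlentities(strip_tags(stripslashes(trim($s)))));
}

// 1) Never escape on input: write the raw text with a bound parameter. The driver
//    handles quoting, so no mysql_real_escape_string, stripslashes or htmlentities here.
$db = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$db->exec('CREATE TABLE messages (id INTEGER PRIMARY KEY, body TEXT NOT NULL)');

$insert = $db->prepare('INSERT INTO messages (body) VALUES (:body)');
$insert->execute([':body' => $raw]);

// 2) Use the escape method that matches the sink. For HTML that is htmlspecialchars:
//    &, <, >, " and ' are encoded so the text cannot break out of the element it sits in.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

$stored = $db->query('SELECT body FROM messages ORDER BY id DESC LIMIT 1')->fetchColumn();

// The round trip is lossless: what came out of the database is byte-for-byte what went in.
assert($stored === $raw);

// 3) Render it again in the textarea. Textarea content is displayed literally, so the
//    CR/LF bytes are shown as line breaks; no str_replace to <br /> is needed.
echo '<textarea name="message">' . h($stored) . "</textarea>\n";

// Or show it read-only with whitespace preserved, as the user entered it.
echo '<pre>' . h($stored) . "</pre>\n";

// For comparison, the escaped-on-input version, which is what produced the complaint
// in the thread: the user would see a literal \r\n in the middle of their paragraph.
echo '<textarea name="message">' . escapeOnInputForComparison($raw) . "</textarea>\n";
```

The point is that each escape belongs to one output boundary: bound parameters protect the SQL statement, htmlspecialchars protects the HTML document, and neither modifies the stored copy. Because a textarea renders its content verbatim, the original line breaks survive without any substitution, which is what the original poster asked for.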