1

I have a form where users can enter anything, for instance, suppose a user entered:

Hello World!
This is a new line.

This was written after two new lines.

The data that user submits using the form is inserted in DB:

$data = mysqli_real_escape_string($dbc, $_POST['text']);
$sql = "INSERT INTO data (Data) VALUES ('$data')";
$exec = mysqli_query($dbc, $sql);

Now it gets stored in database but when I fetch the text from the DB to show to the user, it displays:

Hello World! This is a new line. This was written after two new lines.

As you can see, the new lines are ignored. I also want to show line breaks.

I tried:

$data = mysqli_real_escape_string($dbc, str_replace('\n', '<br>', $_POST['text']));

but that doesn't work either. How can I show line breaks when displaying data from mysql?

Improve this question
1
  • How and where is the string printed? Commented Mar 26, 2015 at 20:31

2 Answers 2

Reset to default
2

It is best to put your user input into the database unaltered (except for escaping, of course) in case you wish to query against the user input, or change your display behavior later on. That said, upon building your page and displaying the data, use

echo nl2br(htmlspecialchars($row['text'], ENT_QUOTES));

nl2br() converts all the "\r\n" or "\n" to <br /> so that it displays nicely. htmlspecialchars() converts any special characters the user typed into the field originally to proper html escape sequences.

Your code would work, except your \n should be wrapped in double quotes instead of single quotes. Single-quoted strings ignore escape sequences in PHP. However, as shown, a built-in function already exists for accomplishing this.

Improve this answer
Sign up to request clarification or add additional context in comments.

6 Comments

This is a much better answer with explanation.
No pointing out the flaw/error in this explanation @Phil_1984_?
@chris85 What error? Why don't you mention it yourself if you found an error?
@Phil_1984_ i interrupted your first message as that you were the original down voter of this answer, no? The issue is the "Single-quoted strings ignore escape sequences in PHP". They do more than that, they pretty much tell PHP to leave the string alone. I'd direct the user to a few threads on the topic php.net/manual/en/… stackoverflow.com/questions/3446216/…
@chris85 Why would i commend the answer then downvote it? I suggesting you stop trying to attribute personal blame to votes on SO. They are anonymous for a reason.
|
0

I believe you want nl2br. http://php.net/manual/en/function.nl2br.php The str_replace won't work because you'd need the \n in double quotes. As is you are searching for a literal '\n'.

$data = mysqli_real_escape_string($dbc, nl2br($_POST['text']));
Improve this answer

8 Comments

It is generally considered bad practice to escape for html before even storing data. Store data as is and do output escaping properly when you output.
That's the OPs request, and answers the issue.
@Phil_1984_ Could you please elaborate on your down vote here? This answer resolves the user's issue and goes further into detail into why their initial solution didn't work. As well as providing a link to the resource they need for further documentation.
You have mentioned the correct function to solve the problem and your explanation regarding the single quotes is correct. However it's your example of combining mysqli_real_escape_string with nl2br which i have a problem with. These functions do different kinds of escaping.
I see now you have just tried to fix the example the OP gave. Unfortunately that example is trying to escape data for output before it is getting saved in the database. This is generally considered bad practice.
|

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.