mysqli_real_escape_string adds rn

@TopkatDec 29.2008

This is fine for HTML as I can use nl2br() or str_replace() to display the new lines/carriage returns. The problem starts when a user logs in to edit data in a textarea, the formatting is lost and I get rn for every new line/carriage return used. For example, if the text is inserted as:

~~[QUOTE]~~

Hi.

How are you today?

How’s life?

[/QUOTE]

When the user goes to edit the text in a <textarea>, it comes out as:

~~[QUOTE]~~

Hi.rnrnHow are you today?rnrnHow’s life?

[/QUOTE]

Should I just not use “mysqli_real_escape_string” as I’m going to use prepared statements throughout my script or is there a way to solve this problem? I’ve searched google quite a bit and I haven’t found any solution to the problem. I would have thought it would have been quite a common problem for PHP newbies.

to post a comment

PHP

6 Comments(s) _↴

@NogDogDec 30.2008 — #All I can figure is that either you are escaping the string twice somehow, or else you are directly using the escaped string in some manner other than a MySQL query. For instance, the following works fine for me:

[code=php]
 <?php
 
 $text = "This is a test.
 
 It is only a test.
 
 The end.";
 
 $db = new mysqli('localhost', 'root', '######', 'test');
 $text = mysql_real_escape_string($text);
 $db->query("INSERT INTO example_table (sample_field) VALUES ('$text')");
 $id = mysqli_insert_id($db);
 $result = $db->query("SELECT * FROM example_table WHERE ID = $id");
 $row = $result->fetch_assoc();
 $text = $row['sample_field'];
 echo "<pre>".$text."</pre>";
 [/code]

It outputs:

<i>
 </i>This is a test.
 
 It is only a test.
 
 The end.

But the following, using the escaped string directly rather than in a query, will show the escaped characters instead:

[code=php]
 <?php
 
 $text = "This is a test.
 
 It is only a test.
 
 The end.";
 
 $db = new mysqli('localhost', 'root', '######', 'test');
 $text = mysql_real_escape_string($text);
 echo "<pre>".$text."</pre>";
 [/code]

This output:

<i>
 </i>This is a test.nnIt is only a test.nnThe end.

@chazzyDec 30.2008 — #can you clarify a few things:

- When you look at the data in the db, is it correct?

- when you retrieve the data from the db to show it in your textarea, how do you pull it from the result set (sample code would help greatly).

- Is this textarea being converted into some WYSIWYG editor (ie fck editor or moxicode)?

@TopkatauthorDec 30.2008 — #Hey thanks for the replies guys. Nice investigation NogDog! :-)

I thought maybe having the form as a sticky like below was escaping the string twice, but I removed the PHP code and it didn't help. I also tried with and without Wrap in the text field.

[code=php]<td>
 <textarea name="description" cols="50" rows="8"><?php if (isset($_POST['description'])) echo $_POST['description']; ?>
 </textarea>
 </td>[/code]

Once a form is submitted, I use this statement to read the data into a variable.

[code=php]$descrip = mysqli_real_escape_string($dbc, trim($_POST['description']));[/code]

After that, I use a prepared statement to bind it to the database. If I use DOS to view the record straight after it has been inserted or updated in the database, it shows rn has been added to the record. Removing mysqli_real_escape_string solves this.

I tested to see if it happens using a normal query statement (not prepared), and it's the same story. Same rn being added to it. So I narrowed it down to mysqli_real_escape_string.

Could it be my setup? I'm running PHP 5.2.6 and mysql5. It took me a while to get this all working, so I don't feel like installing PHP 5.2.8 right now, but I will if you think it's my setup causing the problem.

This is the code I'm using for inserting...

[code=php]$stmt = mysqli_prepare($dbc, "INSERT INTO table1 VALUES (NULL, ?, ?, ?, ?, ?, ?, ?, NOW(), NULL, NULL, NULL)"); 
 mysqli_stmt_bind_param($stmt, 'sssisss', $catagory, $title, $descrip, $price, $location, $pass, $email);
 mysqli_stmt_execute($stmt);
 $id = mysqli_insert_id($dbc);[/code]

@NogDogDec 30.2008 — #Sounds like a case of double-escaping. The bind_param function does its own escaping, so if you are using a variable which has been processed by mysqli_real_escape_string and then running it through a bind_param, then you are escaping it twice. So any variable being bound should [I]not[/I] be escaped first.

@TopkatauthorDec 30.2008 — #I think you are right! I took out the prepared statement and used "mysqli_query" to insert the record and it worked without putting in rn.

Last night I took out the prepared statement and used mysqli_query for updating and it still gave rn. Maybe some how it was being filtered twice.

Is it safe to not use mysqli_real_escape_string if the data is being run though a prepared statement? Double protection is always better, that's why I tried to use mysqli_real_escape_string with the prepared statement, but if I don't need it, I'll take it out..

Thanks for your time!

@NogDogDec 30.2008 — #Yes, it is safe. The binding process does the exact same escaping as the escape function does.

Also in #PHP _↴

array + checkbox mail not working :(Problem with date selection... PHP/mySQL

Success!

Help @Topkat spread the word by sharing this article on Twitter...

Tweet This

mysqli_real_escape_string adds rn

6 Comments(s) _↴

Also in #PHP _↴

Success!

Social

Version

mysqli_real_escape_string adds rn

6 Comments(s) ↴

Also in #PHP ↴

Success!

The web is an endless sea of information. Don't miss the boat... Subscribe!

Social

Version

6 Comments(s) _↴

Also in #PHP _↴