It's pretty simple, I have a text area post on my website, and if I input:

line 1
line 2
line 3

into it, it outputs:

line 1nline 2nline 3

My insert code is:

    $status = strip_tags(stripslashes(htmlentities(mysql_real_escape_string($_POST['status']))));
    $uid = strip_tags(stripslashes(htmlentities(mysql_real_escape_string($_POST['uid']))));

    //more stuff

    $sid = rndTxt(16);
    $status = nl2br($status);
    if (!get_magic_quotes_gpc()) {
        $status = addslashes($status);
    }

    $insert = mysql_query("INSERT INTO mingle_status (uid,sid,status,`timestamp`) VALUES ('$uid','$sid','$status',now())") or
        print mysql_error();

and my output code:

    while ($st = mysql_fetch_assoc($statussql)) {
        $status = stripslashes($st['status']);
        $sid = $st['sid'];
        $td = $st['timestamp'];
    ?>
    <div id="n">
    <div id="statuses" class="<?php echo $sid; ?>">
    <p><?php echo $status; ?></p>
    <div id="statuscomadd" style="background:#E0E0E0;">
    <a href="ld.php?uid=<?php echo $uid; ?>&pid=<?php echo $sid; ?>&method=like">Like</a> <a href="ld.php?uid=<?php echo $uid; ?>&pid=<?php echo $sid; ?>&method=dislike">Dislike</a><a href="#" id="time"><?php echo time_since($td) . " ago"; ?></a>
    </div>
    </div>
    </div>
    <?php } // end while ?>

Any help would be greatly appreciated! :)

Sirko
AviateX14
  • That's some combo you have there: `strip_tags(stripslashes(htmlentities(mysql_real_escape_string(`. As a general guideline, you call `mysql_real_escape_string` when you insert stuff into the db, and `htmlentities` only when you output html. – Andreas Wong Jun 25 '12 at 09:24
  • You'll be wanting to use `mysql_real_escape_string` for escaping your input; addslashes won't cut it. – Mikey Jun 25 '12 at 09:24
  • Maybe use `nl2br()` before you `stripslashes()` and everything else that happens on the first two lines in the above pasted code. – Havelock Jun 25 '12 at 09:24
  • Is your purpose to actually replace linebreaks with `<br>` or to maintain the linebreaks? The "n" thing you're getting looks like it comes from `stripslashes`, where \n is turned into simply n. Edit: I suggest leaving the linebreak alone and using nl2br when you want to output it in html, rather than inserting it into your db. – Geekfish Jun 25 '12 at 09:26
  • You're vulnerable to SQL Injection here, because you're also calling stripslashes. So that hunk of code does nothing except mangle up your input. – ircmaxell Jun 25 '12 at 15:59

3 Answers

2

You don't need to use nl2br() on insert; you will have to use it while displaying in html.

And you will have to remove stripslashes before insert.

Raab
1

When inserting, just do a mysql_real_escape_string() over the values. You only want to change the data (e.g. by using htmlentities()) when you are going to display it.

Please also consider to stop using mysql_* functions for new code. They are no longer maintained and the community has begun the deprecation process. See the red box? Instead you should learn about prepared statements and use either PDO or MySQLi. If you can't decide, this article will help to choose. If you care to learn, here is a good PDO tutorial.

Another thing: do you really need htmlentities()? Because imo a better solution is to use htmlspecialchars(). Otherwise all html entities will be replaced.

Also I don't think you need to use strip_tags(), because you are already doing htmlspecialchars() to protect you against XSS.

Now for your problem: it is because you are using stripslashes(), which breaks the \n linebreaks. I think you can just drop those add/stripslashes.

PeeHaa
0

You use strip_tags(stripslashes(htmlentities(mysql_real_escape_string()))); which strips the slashes from \n.

Just use mysql_real_escape_string(), or htmlentities( ,ENT_QUOTES) for HTML.

Also, if it's possible, use a UTF-8 encoding and htmlspecialchars() instead of htmlentities(). htmlentities() converts every character which has an HTML representation, while htmlspecialchars() converts only the necessary characters. There's no need to convert everything. See: htmlentities vs htmlspecialchars

ONOZ
  • Why `htmlentities()` instead of `htmlspecialchars()`? – PeeHaa Jun 25 '12 at 09:27
  • Because the question did not state the used charset, and htmlentities works on more charsets than htmlspecialchars. – ONOZ Jun 25 '12 at 09:32
  • Since when? And what encoding isn't supported by `htmlspecialchars()`? – PeeHaa Jun 25 '12 at 09:34
  • ASCII and LATIN-1 for example. The question uses `htmlentities()` too, so I thought it was safer to use that one. Anyway, I'll add something about this in my answer. – ONOZ Jun 25 '12 at 09:38
  • Where is that documented (honest question)? Because AFAIK the supported encodings of both are the same. – PeeHaa Jun 25 '12 at 09:42
  • @ONOZ: That's BS. [htmlspecialchars](http://lxr.php.net/xref/PHP_5_4/ext/standard/html.c#1475) and [htmlentities](http://lxr.php.net/xref/PHP_5_4/ext/standard/html.c#1529) use the exact same implementation. Therefore, they work on the exact same number of charsets. Use the correct API, which in 99.9% of cases (including this one) is `htmlspecialchars`... – ircmaxell Jun 25 '12 at 15:57
  • Okay, thanks. I found it here btw: http://stackoverflow.com/questions/46483/htmlentities-vs-htmlspecialchars – ONOZ Jun 26 '12 at 16:40