12

I have read this post that discusses converting the HTML break tag into a new line in PHP. Other people said it works for them, but something weird happened to me.

this is the code I use:

$breaks = array("<br />", "<br>", "<br/>");
$jawaban = str_ireplace($breaks, "&#13;&#10;", $jawaban1);

and this is the code they use :

$breaks = array("<br />", "<br>", "<br/>");
$text = str_ireplace($breaks, "\r\n", $text);

Both insert "\r\n" into the text. Why is this happening?
screenshot: this is picture , easter egg found !

If there's any previous post / PHP method, let me know.

EDIT: adding my code that echoes the textbox

<-- THIS WONT WORK -->
$username = $_SESSION['username'];
$unsafenomorsoal = $_POST['nomorsoal'];
$unsafejawaban = $_POST['jawaban'];
$nomorsoal = mysqli_real_escape_string($konek,$unsafenomorsoal);
$jawabannotcut = substr($unsafejawaban,0,50000);
$unsafejawabanfirst = nl2br($jawabannotcut);
$jawaban1 = mysqli_real_escape_string($konek,$unsafejawabanfirst);
$breaks = array("<br />","<br>","<br/>");
$jawaban = str_ireplace($breaks, PHP_EOL, $jawaban1);
$_SESSION['textvaluejawaban'] = $jawaban;

and this is what echoed :

        echo "<div class=\"head-main-recent-background\"       style=\"background:white;width:99%;color:black;text-align:left;height:1000px;position:relative;top:130px;margin-top:10px;\">- Jawab   Soal -<br/>".$jawabanerror."<br/>Nama : ".$_SESSION['username']."<br/>
      <form method=\"post\" action=\"prosesjawabsoal.php\">
     <input type=\"hidden\" name=\"nomorsoal\"   value=\"".$_SESSION['nomorsoal']."\"/>
      Jawaban : <br/>
      <textarea placeholder=\"Max 40.000 Huruf\" style=\"overflow-x:none;width:99%;height:300px;\" type=\"text\" name=\"jawaban\" maxlength=\"40000\" >".$_SESSION['textvaluejawaban']."</textarea>
       <br/>Captcha <br/>
            <div style=\"overflow:hidden;\" class=\"g-recaptcha\" data-sitekey=\"6LfYQicTAAAAAFstkQsUDVgQ60x_93obnKAMKIM9\"></div><br/>
            <button type=\"submit\" name=\"submit\" style=\"margin-top:10px;height:auto;width:auto;\">Kirim Jawaban</button>
           </form>
            </div>";

Note: The snippet won't work because it's PHP.
Sorry, I used a snippet due to an error while posting the code!

EDIT:
Tried the preg_replace() method but still the same result.

EASTER EGG FOUND ! CODE 404 !

EDIT:
Changed the title to say that preg_replace does not work.

Community
  • 1
  • 1

4 Answers

7

Your problem is the mysqli_real_escape_string(). It converts the "\r\n" into a string to make it safe to input into the database. Remove it completely. Instead use htmlspecialchars when you output to screen:

echo htmlspecialchars($myUnsafeVar);

Apply these rules (as a starting point; there are always possible exceptions, but only in rare cases):

  • use mysqli_real_escape_string when inputting strings into a database. It won't do what you expect when outputting to screen - so anything that has been mysql escaped() should not appear on screen.
  • use htmlspecialchars (which you don't have!) when outputting to screen.
  • use url_encode for adding stuff into a URL
  • There are also many different "escape" functions (e.g. inserting into JSON, inserting into mysql, inserting into other databases). Use the right one for what you need - and don't use it for other purposes.

Check the functions for more details.

As it currently stands your code is not safe even with all those efforts - but it's really simple to fix!

Robbie
  • 17,605
  • 4
  • 35
  • 72
2

Try the preg_replace() function. There is no need for both \n\r; you can do it with \n or PHP_EOL only.

$jawaban = preg_replace('#<br\s*?/?>#i', "\n", $jawaban1);

or

$jawaban = preg_replace('#<br\s*?/?>#i', PHP_EOL, $jawaban1);
Haresh Vidja
  • 8,340
  • 3
  • 25
  • 42
  • No, this is a definitively correct answer. You did something else wrong. See https://3v4l.org/snq0P ... Please provide the code you used to produce the sample. – TylerY86 Sep 24 '16 at 20:16
2

You must know these before working with strings:

  1. "\n\r" means new line.
  2. '\n\r' doesn't mean new line.
  3. &#13;&#10; doesn't mean new line. It's just the HTML number for HTML symbols. When you use it, you mean just show \n\r in your browser.

This is the answer to your question:

both insert "\r\n" into the text , why is this happening?

So, after knowing that, you understand:

If your $jawaban1 string is

Hello <br> and welcome!

and your code is

$breaks = array("<br />", "<br>", "<br/>"); 
$jawaban = str_ireplace($breaks, "&#13;&#10;", $jawaban1);

It means, $jawaban will be exactly like this:

Hello &#13;&#10; and welcome!

without any \n\r, and your browser just shows it like this:

Hello \n\r and welcome!

If you want to replace all br by \n\r just use the code in your question:

$breaks = array("<br />", "<br>", "<br/>");
$text = str_ireplace($breaks, "\r\n", $text);

About preg_replace()

When you can use str_ireplace, don't use preg_replace. str_ireplace is faster.

Don't do it if you don't need it

In your code you did this:

$unsafejawabanfirst = nl2br($jawabannotcut);

and right after that you want to replace br with \n\r. It's like do and undo. I see that you are trying to show it again inside a textarea element, so don't replace \n\r with br. The solution? Don't change \n\r at all, and if you want to save it to the db, just save it with \r\r. When you need to show it outside of a textarea element, just use the nl2br function.

ICE
  • 1,667
  • 2
  • 21
  • 43
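
The escaping rules from the first answer and the advice in the answer above (store the text unchanged, call nl2br only when displaying outside a textarea), put together as an added example that is not code from any of the posters. It uses PDO with an in-memory SQLite database and a bound parameter in place of mysqli_real_escape_string so that it runs without a MySQL server; the table name, column names and sample input are constructed, and sqlEscapedView() only mimics the visible effect of SQL escaping for illustration.

```php
<?php
// Added example, not the asker's code. Constructed input: two lines plus
// markup that would close the textarea early if it were echoed raw.
$submitted = "First line\r\nSecond </textarea><b>injected</b>";

// Illustration only: what SQL string-literal escaping does to CR/LF.
// This mimics the visible effect of mysqli_real_escape_string(); it is
// not a substitute for it and its result must never be echoed.
function sqlEscapedView(string $s): string
{
    return strtr($s, ["\\" => "\\\\", "\r" => "\\r", "\n" => "\\n",
                      "'" => "\\'", '"' => '\\"']);
}

// Storage context: a bound parameter stores the text byte for byte.
// Assumption: in-memory SQLite via PDO, hypothetical table "answers".
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE answers (question_no INTEGER, body TEXT)');
$db->prepare('INSERT INTO answers (question_no, body) VALUES (?, ?)')
   ->execute([1, substr($submitted, 0, 50000)]);
$stored = $db->query('SELECT body FROM answers WHERE question_no = 1')
             ->fetchColumn();

// HTML context: escape only at output time.
function forTextarea(string $s): string
{
    // Real CR/LF stay as they are; a textarea renders them as line breaks.
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

function forParagraph(string $s): string
{
    // Outside a textarea, add <br /> after escaping, never before.
    return nl2br(htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8'));
}

echo "SQL-escaped copy, as the asker echoed it:\n",
     sqlEscapedView($submitted), "\n\n";
echo '<textarea name="jawaban">', forTextarea($stored), "</textarea>\n\n";
echo '<p>', forParagraph($stored), "</p>\n";
```

Run from the command line, the first block of output shows the literal backslash sequences the question describes, while the textarea and paragraph output keep the real line break and render the injected markup as inert text.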
-2

There is always something that saves my day, it is actually a workaround and your question is a trigger for me to get deeper to this matter - once for all.

For now, here you go - nice & sleek workaround:

There is already the nl2br() function that inserts <br> tags before newline characters:

Example (codepad):

<?php
    // Won't work
    $desc = 'Line one\nline two';
    // Should work
    $desc2 = "Line one\nline two";
    echo nl2br($desc);
    echo '<br/>';
    echo nl2br($desc2);
?>
cske
  • 2,233
  • 4
  • 26
  • 24