I'm trying to split up the POST data of a text form field. I want the data split by each line, using the explode() function
So first I check the POST result for strange characters;
$mails = mysql_real_escape_string($_POST["emails"]);
Then I run this, which doesn't work
$emails = explode("
", $mails);
What am I doing wrong? Is it not ? Is my sql escape bit messing me up?
You could also convert the new lines to breaks, then explode from the <br />s:
$mails = mysql_real_escape_string(nl2br($_POST["emails"]));
$emails = explode("<br />", $mails);
So first I check the POST result for strange characters;
$mails = mysql_real_escape_string($_POST["emails"]);
Some news here: No you did not. You just did something without understanding what you did. That is just doing strange not checking something for something strange.
And then you need to explode on the line-separator character used. Looks like it was not " ", next try is " " and "" as well:
$emails = preg_split("/\R/u", $_POST["emails"], -1, PREG_SPLIT_NO_EMPTY);
(assuming you've got UTF-8 input)
Try something like this:
function guessLineEndings( $aString ) {
assert( is_string( $aString ));
if ( FALSE !== strpos( $aString, "
" )) {
return 1;
} else if ( FALSE !== strpos( $aString, "
" )) {
return 2;
} else if ( FALSE !== strpos( $aString, "" )) {
return 3;
} else {
return -1;
}
}
Note, that you can't guess an line endings, if input is a single line.
And don't forget this, if you run dynamic SQL-queries:
Never use escaping using e.g. mysql_real_escape_string()! Always use prepared statements!
Pleas review OWASP's PHP Security Cheat Sheet to learn about this: Escaping is not safe!