I have an HTML form that sends a contact mail with PHP.
Everything goes well except for the body of the message that comes from a textarea, which will be filtered with both these functions:
1: mysql_real_escape_string()
OR
2:
    function clean_data($input) {
        $input = trim(htmlentities(strip_tags($input,",")));
        if (get_magic_quotes_gpc())
            $input = stripslashes($input);
        $input = mysql_real_escape_string($input);
        return $input;
    }
When I put in some line breaks, they get converted to a real visible \r\n.
Instead of showing this:
Hello,
This is a test mail.
It shows this:
Hello,\r\nThis is a test mail.
If I pass the string as is without validation it works well.
What's the problem here?
Thanks.
OK I found it!
After escaping I did this:
    str_replace('\r\n', PHP_EOL, $message)
and it works now perfectly.
Escapes special characters in the unescaped_string, taking into account the current character set of the connection so that it is safe to place it in a mysql_query(). If binary data is to be inserted, this function must be used.
mysql_real_escape_string() calls MySQL's library function mysql_real_escape_string, which prepends backslashes to the following characters: \x00, \n, \r, \, ', " and \x1a.
This function must always (with few exceptions) be used to make data safe before sending a query to MySQL.
The only processing you need upon insertion is mysql_real_escape_string, but it is preferred that you use prepared statements perhaps with PDO or MDB2.
That said, you can use mysql_real_escape_string for validating textareas. Here's an example function:
    function validateContent($txtInput)
    {
        if(isset($_REQUEST[$txtInput]))
        {
            $txtInput = $_REQUEST[$txtInput];
        }
        return mysql_real_escape_string(trim($txtInput));
    }
Hope this helps!
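The prepared-statement route mentioned above, as an added example (not code from any of the posts): each output context gets its own handling, so the mail body keeps its real line breaks and nothing is SQL-escaped before mailing. The `contact` table, the `mailBody()` and `headerAddress()` helpers, the sample `$post` array and the in-memory SQLite database (needs `pdo_sqlite`) are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Constructed sample input standing in for $_POST from the contact form.
$post = [
    'email'   => 'alice@example.com',
    'message' => "Hello,\r\nThis is a test mail. <b>5 > 3</b>",
];

// Mail body: plain text needs no SQL or HTML escaping. Trim it and
// normalise every line-break style to CRLF, the mail line ending.
function mailBody(string $raw): string
{
    return preg_replace('/\r\n|\r|\n/', "\r\n", trim($raw));
}

// Header values are where CR/LF is dangerous: reject them, never escape.
function headerAddress(string $raw): string
{
    $addr = trim($raw);
    if (preg_match('/[\r\n]/', $addr) || !filter_var($addr, FILTER_VALIDATE_EMAIL)) {
        throw new InvalidArgumentException('invalid e-mail address');
    }
    return $addr;
}

$body    = mailBody($post['message']);
$replyTo = headerAddress($post['email']);
// A real handler would now call mail($to, $subject, $body, "Reply-To: $replyTo").

// SQL context: a prepared statement carries the text as a parameter,
// so the stored value keeps its real line breaks.
$pdo = new PDO('sqlite::memory:');   // assumption: pdo_sqlite is available
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE contact (email TEXT, message TEXT)');
$pdo->prepare('INSERT INTO contact (email, message) VALUES (?, ?)')
    ->execute([$replyTo, $body]);
$stored = $pdo->query('SELECT message FROM contact')->fetchColumn();

// HTML context: escape on output, then turn line breaks into <br>.
$html = nl2br(htmlspecialchars($stored, ENT_QUOTES, 'UTF-8'));

var_dump($stored === $body);   // compares the stored text with the mail body
echo $html, PHP_EOL;
```

The same raw text goes to all three sinks; only the last step before each sink differs, which is why no `str_replace` repair is needed afterwards.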