
How to make a TEXTAREA form secure when displaying its content?

Discussion in 'PHP' started by unloco, Aug 31, 2010.

  1. #1
    Hello. I'm new to this forum. I couldn't find an answer using Google, so I decided to post here. I hope someone can help me.

    My problem is:

    I'm creating a web page where you can post announcements (for example: job offers, houses, dogs, other pets for sale and so on...).

    When I try to add a description of each announcement using:

    HTML:

    <form action="ad_verify.php" method="post">
    <textarea rows="10" cols="114" name="area">Put a text here</textarea>
    <input type="submit" value="Add an ad">
    </form>
    I know that if someone uses many spaces and new lines I need to use:

    PHP:

    $adcontent = nl2br($_POST['area']);

    and now I can add its content to the database:

    PHP:

    mysql_query("SET NAMES utf8");
    mysql_query("INSERT INTO ad_list(id, advert) VALUES('', '$adcontent')") or die (...);

    OK. So far so good, I know what to do. But when I try to show this ad:

    PHP:

    // user selects which ID to show (...)

    $result = "SELECT * FROM ad_list WHERE id = '$ad_number'";
    $selected_ad = mysql_query($result) or die("Database is unavailable.\n");

    $row = mysql_fetch_array($selected_ad);

    echo " <table border='0' width='900' bgcolor='#808080' id='main_table'>";
    echo "  <tr>";
    echo "   <td>";
    echo     nl2br($row['advert']);
    echo "   </td>";
    echo "  </tr>";
    echo " </table>";

    There is a high risk that someone could, aside from a real ad, put a script here that may be dangerous for the data stored in my database.

    How do I convert the text (for example, when someone tries to add echo "<font color='red'>sometext</font>) so that it is shown EXACTLY AS it is in the database?

    I read somewhere that I need to use addslashes() and htmlentities()? I tried, with no correct result.

    Another question is:

    When I try to EDIT a previously stored ad using:

    PHP:

    $result = "SELECT * FROM ad_list WHERE id = '$ad_number'";
    $selected_ad = mysql_query($result) or die("Database is unavailable.\n");
    $row = mysql_fetch_array($selected_ad);

    echo "<textarea rows='10' cols='114' name='edit_ad'>";
    echo nl2br($row['advert']);
    echo "</textarea>";

    the text has no new lines but "<br />". How should I convert <br /> to a new line?
    I tried to use:

    PHP:

    $row['advert'] = str_replace('<br />', "\n", $row['advert']);

    but still no result.

    Screenshot of the page where we add an advert:

    [screenshot]

    But when the advert is taken from the database it looks like this:

    [screenshot]

    Editing an already added advert looks like this:

    [screenshot]

    Thanks for ALL help. I hope this description of my problem is enough!
     
    unloco, Aug 31, 2010 IP
  2. exam (Peon)
    #2
    Use:

    PHP:

    echo htmlspecialchars($row['advert']);

    That's all you need to do.
     
    exam, Aug 31, 2010 IP
  3. unloco (Peon)
    #3
    exam, unfortunately one of the two problems is still not solved. But one is OK :).

    First, adding:

    [screenshot]

    Now look how your tip works:

    [screenshot]

    But editing looks fine, as it should:

    [screenshot]

    Any ideas what I'm still doing wrong?
     
    unloco, Aug 31, 2010 IP
  4. unloco (Peon)
    #4
    OK. I found a partial solution:

    This method:

    PHP:

    echo nl2br(stripslashes(htmlentities($row['advert'], ENT_QUOTES, 'UTF-8')));

    gives me these results:

    Adding text:

    [screenshot]

    I would like the displayed result to look exactly like the text as it was typed in, but unfortunately it looks like this:

    [screenshot]

    Also, when I try to edit an already added post:

    [screenshot]

    How do I force PHP to display the code AS IT WAS TYPED IN?
     
    unloco, Aug 31, 2010 IP
  5. ThePHPMaster (Well-Known Member)
    #5
    No need to go through all of these functions.

    When you add the data to the database, use mysql_real_escape_string:

    PHP:

    $adcontent = mysql_real_escape_string($_POST['area']);

    Now to display it back as it was, use stripslashes and replace the newlines (which the database escape did):

    PHP:

    echo "<textarea rows='10' cols='114' name='edit_ad'>";
    echo stripslashes(str_replace('\r\n', PHP_EOL, $row['advert']));
    echo "</textarea>";
     
    ThePHPMaster, Sep 1, 2010 IP
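Added example, not code from the thread. The post above separates the database step from the display step, which is the key point of the whole discussion. The block below does the same with a prepared statement in place of mysql_real_escape_string: the advert is stored exactly as typed, so the display code gets the original text back and has nothing to stripslashes(). It uses an in-memory SQLite database through PDO so it runs offline; the table follows the thread's ad_list (id, advert), while the function names, the ctype_digit() check on the id and the sample advert are this example's own.

```php
<?php
// Added example, not from the thread: keep SQL escaping and HTML escaping
// separate. The advert is stored with a prepared statement, exactly as typed,
// so the display code gets the original text back and needs no stripslashes().
// An in-memory SQLite database (PDO) stands in for the thread's MySQL table.

declare(strict_types=1);

function open_ad_store(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    // Same columns as the thread's ad_list table; the schema is constructed here.
    $db->exec('CREATE TABLE ad_list (id INTEGER PRIMARY KEY AUTOINCREMENT, advert TEXT NOT NULL)');
    return $db;
}

// The text travels as a bound parameter, never inside the SQL string, so
// quotes, backslashes and newlines in $advert cannot change the statement.
function insert_ad(PDO $db, string $advert): int
{
    $stmt = $db->prepare('INSERT INTO ad_list (advert) VALUES (:advert)');
    $stmt->execute([':advert' => $advert]);
    return (int) $db->lastInsertId();
}

// $id comes from the request as a string. Anything that is not a plain
// decimal number is rejected before it gets near the query.
function fetch_ad(PDO $db, string $id): ?string
{
    if (!ctype_digit($id)) {
        return null;
    }
    $stmt = $db->prepare('SELECT advert FROM ad_list WHERE id = :id');
    $stmt->bindValue(':id', (int) $id, PDO::PARAM_INT);
    $stmt->execute();
    $advert = $stmt->fetchColumn();
    return $advert === false ? null : (string) $advert;
}

function check(bool $ok, string $what): void
{
    if (!$ok) {
        throw new RuntimeException("check failed: $what");
    }
}

// Constructed sample advert with the characters the thread worries about:
// an apostrophe, a backslash, a tag and Windows line endings.
$typed = "Dog for sale. It's 2 years old.\r\nPath: C:\\kennel\r\n<script>alert('xss')</script>\r\nPrice: 100' OR '1'='1";

$db = open_ad_store();
$id = insert_ad($db, $typed);

check(fetch_ad($db, (string) $id) === $typed, 'round trip is byte-for-byte, no slashes added');
check(fetch_ad($db, "1' OR '1'='1") === null, 'an injection attempt in the id selects nothing');
check(fetch_ad($db, '999') === null, 'an unknown id selects nothing');

echo "all checks passed\n";
```

Because the stored text is untouched, the only encoding left to do is for the output context (HTML page or textarea), and that is done at display time, not before the INSERT.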
  6. unloco (Peon)
    #6
    ThePHPMaster, displaying it within <textarea> seems fine! Thank you. I will check later whether this code also displays it on "normal" pages (outside <textarea>). I don't have time today. Thanks!
     
    unloco, Sep 1, 2010 IP
  7. ThePHPMaster (Well-Known Member)
    #7
    It won't; you will have to change PHP_EOL to something like <br />.

    PHP_EOL works on a system level (\n).

    You cannot have the same statement for both the textarea and the browser, since the browser sees <br /> as a newline and the textarea sees \n as the newline.
     
    ThePHPMaster, Sep 1, 2010 IP
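Added example, not code from the thread, pulling together exam's htmlspecialchars() advice in post #2 and ThePHPMaster's point in post #7 that the browser page and the textarea need different newline handling. One copy of the raw text is stored; each output context gets its own encoder, and the order htmlspecialchars() then nl2br() is what keeps user-typed markup literal while the <br /> that nl2br() adds stays real. The function names and the sample advert are this example's own, and the last part reproduces the symptom from post #3 (nl2br() output was stored, then escaped at display time).

```php
<?php
// Added example, not from the thread: one stored text, two output contexts.
// Store the advert exactly as typed; encode it where it is shown.

declare(strict_types=1);

// HTML page: escape first, then convert newlines. Because nl2br() runs on
// already-escaped text, the only <br /> in the output are the ones it adds;
// any tag the user typed is now &lt;...&gt; and renders as literal text.
function ad_to_html(string $advert): string
{
    return nl2br(htmlspecialchars($advert, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8'));
}

// Edit form: escape only. A textarea shows "\n" as a line break by itself,
// and escaping turns a typed </textarea> into text so it cannot close the
// element and let the rest of the advert run as markup.
function ad_to_textarea(string $advert): string
{
    return '<textarea rows="10" cols="114" name="edit_ad">'
        . htmlspecialchars($advert, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8')
        . '</textarea>';
}

function check(bool $ok, string $what): void
{
    if (!$ok) {
        throw new RuntimeException("check failed: $what");
    }
}

// Constructed sample advert: markup, a quote, a textarea break-out attempt
// and Windows line endings, as a browser would submit them.
$typed = "Dogs for sale.\r\n<font color='red'>cheap</font>\r\n</textarea><script>alert(1)</script>";

$html = ad_to_html($typed);
check(strpos($html, '<font') === false, 'user markup is escaped on the page');
check(strpos($html, '<script') === false, 'script tag is escaped on the page');
check(substr_count($html, '<br />') === 2, 'the two typed newlines became <br />');

$form = ad_to_textarea($typed);
check(substr_count($form, '</textarea>') === 1, 'only our own closing tag survives');
check(strpos($form, '<br />') === false, 'no <br /> inside the textarea');
check(strpos($form, "\r\n") !== false, 'newlines are kept for the textarea');

// The trap from earlier in the thread: if nl2br() output is what gets stored,
// the saved <br /> is data, and escaping it at display time shows it as text.
$stored_with_br = nl2br("line one\nline two");
$shown = htmlspecialchars($stored_with_br, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
check(strpos($shown, '&lt;br /&gt;') !== false, 'a stored <br /> is displayed literally');
check(strpos($shown, '<br />') === false, 'and no real <br /> is left');

echo "all checks passed\n";
```

The same rule covers the edit round trip: the textarea receives the escaped raw text, the browser decodes the entities when it renders the form, and what comes back in $_POST is the original text again, ready to be stored as-is.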