The online racing simulator
PHP question
(13 posts, started )
I'm having a bit of trouble finding what I need on the net...

I'm creating a news input section for a website. To insert the news into the MySQL database the user fills out a form. If the user wants paragraphs he/she would hit ENTER twice to leave a nice gap. But the text doesn't stay in this format, hope you follow what I mean?

Any ideas? Or anyone point me in the right direction of the correct info?

Any help is much appreciated

[edit] I think I found a solution: http://forums.devshed.com/show ... ?p=736835&postcount=4
http://php.net/nl2br

That's what you want to apply to the text coming out of the database. Remember text input != (x)HTML.
yeah, you basically have to make a string replace of "\n" with "<br>"

also, if you want spaces in front of some text to actually indent it, you have to replace those with &nbsp;

E: Also, beware of SQL injections and all that funny stuff.
Quote from AndroidXP :E: Also, beware of SQL injections and all that funny stuff.

like what? If I run the nl2br after pulling from the DB it should be ok?
Quote from nikimere :like what? If I run the nl2br after pulling from the DB it should be ok?

No. You should read about best practices regarding user input and what you can do to neuter anything malicious that might get sent.

BTW: nl2br() is a nice quick n' dirty way to format paragraphs, but then you don't have proper block-level markup around each one. If you want to be fancy you should use str_replace() to insert </p><p> for two newlines, then <br /> for one newline, then stick opening and closing <p> tags at the beginning and end of the string. Eg:

$patterns = array(0=>"\r\n", 1=>"\r", 2=>"\n\n", 3=>"\n");
$replacements = array(0=>"\n", 1=>"\n", 2=>"</p><p>", 3=>"<br />");
$str = str_replace($patterns, $replacements, $input);
if (substr($str, 0, 3) != "<p>") {
    $str = "<p>" . $str;
}
if (substr($str, -4) != "</p>") {
    $str .= "</p>";
}

Where $input contains what your user submitted. That should do it.
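A fuller version of the idea in the post above, added here as an example and not code from the thread: the same paragraph and line-break conversion, but with the user's text run through htmlspecialchars() before any tags are inserted, so a "<" or "&" typed into the news form is shown as text rather than becoming markup. The function name text_to_paragraphs and the sample input are my own.

```php
<?php
// Added example (not from the thread): convert user-submitted plain text
// into paragraph markup. Unlike the str_replace() version above, the text
// is HTML-escaped first, so the only tags in the result are the ones this
// function inserts itself.
function text_to_paragraphs(string $input): string
{
    // Normalise Windows (\r\n) and old Mac (\r) line endings to \n.
    $text = str_replace(["\r\n", "\r"], "\n", $input);

    // Escape '<', '>', '&' and quotes before any markup is added.
    $text = htmlspecialchars($text, ENT_QUOTES | ENT_HTML5, 'UTF-8');

    // A blank line (two or more newlines, optionally with spaces between)
    // separates paragraphs.
    $paragraphs = preg_split('/\n\s*\n/', trim($text));

    $html = '';
    foreach ($paragraphs as $p) {
        $p = trim($p);
        if ($p === '') {
            continue;   // skip runs of blank lines
        }
        // A single newline inside a paragraph becomes a line break.
        $html .= '<p>' . str_replace("\n", "<br />\n", $p) . "</p>\n";
    }
    return $html;
}

// Constructed sample input: two paragraphs, one forced line break
// and a stray '<' that must not turn into a tag.
$sample = "First line\r\nsecond line of para one\r\n\r\nSecond para with 1 < 2\r\n";
echo text_to_paragraphs($sample);
```

Run it at display time, on the text as it comes out of the database; the stored value stays plain text, which keeps the option of rendering it differently later.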
Quote from nikimere :like what? If I run the nl2br after pulling from the DB it should be ok?

No no, when reading from the DB it's already too late. The problem is when you directly insert user-written text into your query string without taking precautions.

For example, your SQL insert is something like this:
mysql_query("INSERT INTO news (n_username, n_newstext) VALUES ('$user_name', '$user_text')");

where $user_text is the user written text obviously.

Now, what happens if our witty user writes " '); DELETE FROM news; " as his "news post"?

MySQL sees this:
INSERT INTO news (n_username, n_newstext) VALUES ('h4x0r', ''); DELETE FROM news;')

Whoopdedoo, gone are your news posts. (The last part of the statement is obviously invalid, but MySQL ignores that.)

To solve this:
1) always put the pasted values in ' ' (as I've done already in the example)
2) str_replace all ' from the text with \' <- IIRC there even is a function of its own for that, didn't touch PHP for a while so I don't remember.
Quote from AndroidXP :
2) str_replace all ' from the text with \' <- IIRC there even is a function of its own for that, didn't touch PHP for a while so I don't remember.

addslashes()

You also might want to find out if gpc_magic_quotes is enabled on your PHP installation (run phpinfo() or check php.ini).
Don't forget XSS attacks folks.
By inserting malicious JS into the mix, it will get stored in the DB, and echoed straight on to a page where JS may potentially have access to login cookies which could be used to fake authentication. You could run all display vars through htmlentities before display, but if you want to be able to provide links and such in the text then that won't work.

Check out this site for a solution. (Menu & download is in top right)

http://cyberai.com/inputfilter/
#9 - Krane
Besides security, you probably will have problems with spammers; to avoid them, or rather make their work futile, use the googleoff and rel=nofollow tags in all user-posted content and URLs.
http://www.oit.duke.edu/ows/go ... cumentation.html#googleon
http://googleblog.blogspot.com ... venting-comment-spam.html

On one forum I administer, I just cleaned close to 100 spam users. All "they" did was register and put some pron page as their homepage address, kinda sneaky, took a while before I noticed. Now I have enabled CAPTCHA to hopefully prevent that in the future.
It's great to see all these security things I need to look out for but there will only be selected people (chosen by me) that will be able to input text into the DB. So hopefully I won't have to worry about any of these issues.
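The XSS post says htmlentities() on output breaks links; the post above asks for rel=nofollow on user-posted URLs. One way to get both, added here as an example rather than code from the thread: escape everything first, then turn plain http(s) URLs in the already-escaped text into anchor tags that the function builds itself. The function name render_user_text and the sample input are my own.

```php
<?php
// Added example (not from the thread): render user text so that script can
// never run, while still turning plain http(s) URLs into clickable links
// carrying rel="nofollow".
function render_user_text(string $input): string
{
    // 1. Neutralise all markup the user typed. After this, '<', '>', '"',
    //    "'" and '&' are entities, so the string holds no live HTML.
    $safe = htmlspecialchars($input, ENT_QUOTES | ENT_HTML5, 'UTF-8');

    // 2. Find URLs in the *escaped* text. The character class excludes
    //    '<', '>', quotes and whitespace, so a match can never break out of
    //    the href attribute it is placed in; '&' only occurs as part of an
    //    entity such as &amp;, which is the correct encoding inside an
    //    attribute anyway. Only http and https are accepted, so a
    //    javascript: or data: "link" is left as plain text.
    $pattern = '~\bhttps?://[A-Za-z0-9\-._\~:/?#@!$&()*+,;=%]+~';

    return preg_replace_callback($pattern, function (array $m): string {
        // Trailing sentence punctuation is not part of the URL.
        $url   = rtrim($m[0], '.,;:!?)');
        $trail = substr($m[0], strlen($url));
        return '<a href="' . $url . '" rel="nofollow">' . $url . '</a>' . $trail;
    }, $safe);
}

// Constructed sample: a real link, a script tag and a javascript: URL.
$sample = "See http://example.com/page?a=1&b=2. <script>alert(1)</script>"
        . " and javascript:alert(1) too.";
echo render_user_text($sample), "\n";
```

The script tag comes out as visible text, the javascript: pseudo-URL stays inert because the pattern only accepts http and https, and the one real URL becomes a nofollow link. nl2br() can still be applied to the result afterwards, since it only adds <br /> tags of its own.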
Even then, I'd rather make sure nothing can happen than to trust the unhackability of the "few chosen ones" passwords.
Quote from AndroidXP :Even then, I'd rather make sure nothing can happen than to trust the unhackability of the "few chosen ones" passwords.

very true
Take a look at this function as well, mysql_real_escape_string.

What it does is pretty much what has been told here earlier. An easy way to prevent injection of SQL statements.
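To show the difference between the string-built INSERT from the posts above and a query where the user's text cannot alter the statement, here is an added example that is not code from the thread. It uses PDO with an in-memory SQLite database so it runs without a MySQL server, and assumes the pdo_sqlite extension is available; the mysql_* functions used in the thread no longer exist in PHP 7 and later, and mysqli or PDO prepared statements are their replacement. The function names are my own.

```php
<?php
// Added example (not from the thread): the vulnerable query construction
// next to a prepared statement, using PDO + SQLite (assumed available).

// Builds the query the same way the mysql_query() line above does, but only
// returns the SQL text so we can look at what the server would receive.
function build_query_unsafely(string $user, string $text): string
{
    return "INSERT INTO news (n_username, n_newstext) VALUES ('$user', '$text')";
}

// Stores the post with a prepared statement: the values are sent separately
// from the SQL, so quotes in them cannot change the statement's meaning.
function store_news(PDO $db, string $user, string $text): void
{
    $stmt = $db->prepare(
        'INSERT INTO news (n_username, n_newstext) VALUES (:user, :text)'
    );
    $stmt->execute([':user' => $user, ':text' => $text]);
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE news (n_username TEXT, n_newstext TEXT)');
store_news($db, 'editor', 'Race results are up.');

// The "news post" from the thread, as constructed sample input.
$payload = "'); DELETE FROM news; ";

// What the database would be asked to run if the text were pasted in:
echo build_query_unsafely('h4x0r', $payload), "\n";

// With the prepared statement the payload is just stored as text and the
// earlier row survives.
store_news($db, 'h4x0r', $payload);
$count = (int) $db->query('SELECT COUNT(*) FROM news')->fetchColumn();
echo "rows in news: $count\n";
$stored = $db->query("SELECT n_newstext FROM news WHERE n_username = 'h4x0r'")
             ->fetchColumn();
echo "stored text: $stored\n";
```

The escaping functions discussed above (addslashes, mysql_real_escape_string) work by rewriting the text before it is pasted into the query, and addslashes in particular knows nothing about the connection's character set; a prepared statement removes the pasting step altogether, so there is nothing to get right per query.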
