WEB Simple problem: php str_replace

Discussion in 'OT Technology' started by Ricky, Jan 4, 2009.

  1. Ricky

    Ricky █▄ █▄█ █▄ ▀█▄

    Joined:
    Jun 17, 2005
    Messages:
    38,767
    Likes Received:
    6
    When I enter in 1 line with my text it works great.

    But the second I have a blank/second line it fucks up.

    This is my script:

    Code:
    <form action="index.php" method="post"> 
    <label>Type your text here:<br /> </label>
     <textarea name="text" rows="10" cols="40"> </textarea>
    <br /> 
    <input type="submit" value="Brosify" /> 
    </form>
    <?php
    
    $wordstoreplace = array("boy", "sir", "mister", "dog", "homie");
    $search= mysql_real_escape_string(htmlentities($_POST["text"]));
    $replacement = str_replace($wordstoreplace, "bro", "$search");
    echo $replacement; 
    ?>
    
    This is what I enter in:

    And my results:

    I'm sure it's simple. I just suck :o
     
  2. Karnejj

    Karnejj “A true conservative is one who can't see any diff OT Supporter

    Joined:
    Jan 9, 2008
    Messages:
    35,585
    Likes Received:
    0
    Location:
    UPGRADED USA Shutdown Today:8 derps
    Where's the problem, exactly? Seeing as both "mister" and "sir" were replaced as desired, your results don't look "fucked up"......
     
  3. TurkeyChicken

    TurkeyChicken New Member

    Joined:
    Jun 26, 2003
    Messages:
    42,913
    Likes Received:
    0
    Location:
    Albuquerque, NM
    I think it's being caused by your mysql_real_escape_string() and htmlentities() functions or something. Try running it on just the raw $_POST data and see what happens.
     
  4. whup

    whup I wish you had children and.. so that I could step

    Joined:
    Feb 12, 2007
    Messages:
    1,603
    Likes Received:
    0
    Don't mysql_real_escape_string stuff unless it's about to get put into a SQL query.
     
  5. Ricky

    Ricky █▄ █▄█ █▄ ▀█▄

    Joined:
    Jun 17, 2005
    Messages:
    38,767
    Likes Received:
    6
    I only did that before I forget.

    I was planning on integrating a database into it.
     
  6. Ricky

    Ricky █▄ █▄█ █▄ ▀█▄

    Joined:
    Jun 17, 2005
    Messages:
    38,767
    Likes Received:
    6
    how\'s it going today bro\r\nits going great bro


    noting the \r\ and \'
     
  7. whup

    whup I wish you had children and.. so that I could step

    Joined:
    Feb 12, 2007
    Messages:
    1,603
    Likes Received:
    0
    It's that which is escaping characters and screwing up the string. Only call it RIGHT before you create the query; if you do it to strings before manipulating them then you'll get trouble like this.

    e.g.

    Code:
    $value = htmlentities($_GET['blah']);
    // ... do stuff to $value (str_replace etc.) on the unescaped string ...
    $db->query('INSERT INTO blah... ' . mysql_real_escape_string($value));
    // ... can do more stuff to $value now if we want to as well; the escaped
    //     copy only ever existed inside the query string ...
    
     
  8. 95vr4

    95vr4 OT Supporter

    Joined:
    Oct 6, 2004
    Messages:
    2,513
    Likes Received:
    0
    Location:
    Weddington, NC
    Just use comments for shit like that.

    Code:
    <form action="index.php" method="post"> 
    <label>Type your text here:<br /> </label>
     <textarea name="text" rows="10" cols="40"> </textarea>
    <br /> 
    <input type="submit" value="Brosify" /> 
    </form>
    <?php
    
    $wordstoreplace = array("boy", "sir", "mister", "dog", "homie");
    $search= htmlentities($_POST["text"]);
    $replacement = str_replace($wordstoreplace, "bro", "$search");
    echo $replacement; 
    //***************************************************
    //              DON'T FORGET TO ESCAPE ALL STRINGS BEFORE INSERTING
    //                  IN QUERY SO WE DONT GET FUCKING HAXORED
    //
    //***************************************************
    ?>
    
    More effective anyway :hsd:
     
  9. whup

    whup I wish you had children and.. so that I could step

    Joined:
    Feb 12, 2007
    Messages:
    1,603
    Likes Received:
    0
    If you want to make comments like that, you should use a TODO, as most IDEs will pick that up and put it in the Task List or with the errors/warnings/notices.

    e.g.

    // TODO Escape to prevent SQL injection
     
  10. Yahdude

    Yahdude New Member

    Joined:
    Jun 21, 2006
    Messages:
    1,211
    Likes Received:
    0
    Location:
    PC, UT
    Are you for hire?
     
  11. Karnejj

    Karnejj “A true conservative is one who can't see any diff OT Supporter

    Joined:
    Jan 9, 2008
    Messages:
    35,585
    Likes Received:
    0
    Location:
    UPGRADED USA Shutdown Today:8 derps
    \r\n is just the code for a line break [and technically a carriage return]



    You asked for those backslashes with the mysql_real_escape_string function. I usually do some minimal sanitization of incoming data as one of the first actions, but, as advised already in this thread, I would generally save mysql_real_escape_string for the moment I'm doing the database query.

    If you want to clean up the data a bit before you do anything with it, then you might want to look into a few simple regexes ... strip out non-numerics or non-alphabetics, where appropriate.
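As an added example (not code from the thread), tying together whup's and Karnejj's advice: this PHP reproduces the stray backslashes the OP saw when mysql_real_escape_string ran before str_replace, then does the same job in the recommended order, transforming the raw text, encoding only at output, and binding the value at query time. It assumes PHP 7+ with the pdo_sqlite extension; fakeSqlEscape is a hypothetical stand-in for the removed mysql_real_escape_string, and the input text is constructed.

```php
<?php
// Added example (not from the thread): reproduce the OP's corruption, then do it in the
// order the replies recommend: transform raw text, encode at output, bind at query time.

// Constructed input, as if submitted from the <textarea> in the OP's form.
$raw = "how's it going today mister\r\nits going great homie";
$wordstoreplace = ["boy", "sir", "mister", "dog", "homie"];

// Stand-in for mysql_real_escape_string (removed in PHP 7): backslash the same
// characters it escaped, with \r and \n written C-style. Demonstration only.
function fakeSqlEscape(string $s): string {
    return addcslashes($s, "\0\n\r\\'\"\x1a");
}

// Order used in the original post: SQL-escape first, then replace, then echo.
// The backslashes added for the SQL layer survive into the displayed text.
function brosifyWrongOrder(string $text, array $words): string {
    $escaped = fakeSqlEscape(htmlentities($text, ENT_COMPAT, 'UTF-8'));
    return str_replace($words, "bro", $escaped);
}

// Recommended order: manipulate the raw string. str_replace already handles
// multi-line input, so no explode() loop over lines is needed.
function brosify(string $text, array $words): string {
    return str_replace($words, "bro", $text);
}

// Encode for the HTML sink only when rendering; nl2br keeps the line break visible.
function renderHtml(string $text): string {
    return nl2br(htmlspecialchars($text, ENT_QUOTES, 'UTF-8'));
}

// Store with a bound parameter (assumes the pdo_sqlite extension is loaded): the
// driver handles quoting, so the stored value is byte-for-byte the input.
function storeAndReadBack(PDO $db, string $text): string {
    $db->exec("CREATE TABLE IF NOT EXISTS posts (body TEXT)");
    $stmt = $db->prepare("INSERT INTO posts (body) VALUES (:body)");
    $stmt->execute([':body' => $text]);
    return (string) $db->query("SELECT body FROM posts ORDER BY rowid DESC LIMIT 1")->fetchColumn();
}

echo "Wrong order:\n", brosifyWrongOrder($raw, $wordstoreplace), "\n\n";
$clean = brosify($raw, $wordstoreplace);
echo "Rendered:\n", renderHtml($clean), "\n\n";
$db = new PDO('sqlite::memory:');
echo "Stored intact: ", var_export(storeAndReadBack($db, $clean) === $clean, true), "\n";
```

The first echo shows the escaped backslashes leaking into the page text; the last line confirms the bound parameter stored the apostrophe and line break unchanged, so nothing ever needs escaping by hand.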
     
  12. Ricky

    Ricky █▄ █▄█ █▄ ▀█▄

    Joined:
    Jun 17, 2005
    Messages:
    38,767
    Likes Received:
    6
    thanks guys
     
  13. rodman8600

    rodman8600 OT Supporter

    Joined:
    Sep 6, 2003
    Messages:
    13,542
    Likes Received:
    6
    Location:
    South Bay, CA
    Explode on a carriage return. Then traverse through the array to get str_replace.

    $0.02.
     
