How to stop CKEditor producing \r\n characters automatically when data is sanitized in PHP?

Exception or error:

I am having a problem regarding data coming from a CKEditor textarea field. I am using CKEditor 4.4.1. Whenever I try to submit the content of CKEditor it generates the characters \r\n again and again. But it happens only when I am sanitizing my incoming data. Here is my function which sanitizes the incoming content –

// filter user input
public function filter_data($input)
{
    // if magic quotes are on
    if(get_magic_quotes_gpc()) 
    {
        $input = stripslashes($input);
    }
    $sanitized_data = mysqli_real_escape_string($this->con, trim($input));
    return $sanitized_data;
}

And this is how I am calling the above function –

$post_content = $users_obj->filter_data($_POST['txtpostcontent']);

And then I am getting following output in CKEditor –

Lorem ipsum dolor sit amet, consectetuer adipiscing elit, sed diam nonummy nibh euismod tincidunt ut laoreet dolore magna aliquam erat volutpat. Ut wisi enim ad minim veniam, quis nostrud exerci tation ullamcorper suscipit lobortis nisl ut aliquip ex ea commodo consequat.

\r\n\r\n

\r\n\r\n

Lorem ipsum dolor sit amet, consectetuer adipiscing elit, sed diam nonummy nibh euismod tincidunt ut laoreet dolore magna aliquam erat volutpat. Ut wisi enim ad minim veniam, quis nostrud exerci tation ullamcorper suscipit lobortis nisl ut aliquip ex ea commodo consequat.

\r\n\r\n

But when I don’t call the above function then everything is fine and there are no characters like \r\n in my content.

So I want to know how I can stop these characters from being produced automatically while keeping my sanitizing function on. Is there any way I can sanitize my content and also not get these characters? Thanks.

How to solve:

One more thing that is helpful:

$text = str_ireplace(array("\r","\n",'\r','\n'),'', $text);

Answer:

Use stripcslashes(). I had the same problem in CKEditor 4. I tried many solutions from Stack Overflow and the documentation but nothing worked. So I tried the PHP function stripcslashes(). Use it where you output the data and where you edit the data.

Answer:

I have fixed the problem and it turns out to be a very simple setting. In config.js I simply set:

config.FormatOutput = false ;

And it works: no more stupid \r\n inserted into my HTML.

Answer:

If you are using mysqli_real_escape_string() in PHP, remove it.

Edit: To prevent injection, use a prepare() statement.

Edit 2: If you still want to use mysqli_real_escape_string(), you can use:

$text = mysqli_real_escape_string($conn, $_POST["description"]);
$description = str_ireplace(array("\r","\n",'\r','\n'),'', $text);

Answer:

You can try this:

$text = str_ireplace(['\\\\r', '\\\\n'], "", $text);

Answer:

The \r\n is a result of mysqli_real_escape_string escaping new line characters, as specified in the PHP documentation.

If you’re only concerned about debugging then you don’t need to worry about these. If it’s causing you problems because you’re using the result for something other than a mysqli function, then you’ll need to use a different sanitization that is designed for your use case.

As others have said, it’s better to use prepared statements if that’s an option.

Answer:

Please stop sanitizing data using functions like filter_data. This is not the correct way to do it. In fact the phrase “sanitization” is very ambiguous. It means that you want to remove some information from your data. Most of the time you do not want your application to do that. The data entered by the user should stay as it is. You should design your application in such a way, so that it is able to handle whatever data the user presents.

Magic quotes were removed from PHP a long time ago and get_magic_quotes_gpc() is not there anymore.

mysqli_real_escape_string() should only ever be used if you need to format a string literal for use in SQL statements, something which is almost never needed if you are using parameter binding with prepared statements.

The reason why you have this problem is because you are using this function, which harms your data. Please stop using it and use proper security measures.
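The following is an added example, not code from the question or from any of the answers above. It illustrates the two points made by the last answers: why an escaped copy of the editor content shows literal \r\n when it is displayed again, and how storing the unchanged content through a prepared statement avoids the problem. The first part models the documented escaping of mysqli_real_escape_string() locally (so it runs without a database; the real function needs a live connection because escaping is charset-aware). The `posts` table, its `content` column, and the `DB_*` environment variables are assumptions made for the example.

```php
<?php
// Added example; not part of the original question or answers.
declare(strict_types=1);

/**
 * Local model of what mysqli_real_escape_string() does: it prefixes NUL, \n, \r,
 * backslash, single quote, double quote and Control-Z with a backslash so the
 * result can be placed between quotes in an SQL statement. Demonstration only;
 * the real function also takes the connection charset into account.
 */
function model_sql_escape(string $s): string
{
    return strtr($s, [
        "\0"   => '\\0',
        "\n"   => '\\n',
        "\r"   => '\\r',
        "\\"   => '\\\\',
        "'"    => "\\'",
        '"'    => '\\"',
        "\x1a" => '\\Z',
    ]);
}

/**
 * Reproduces the symptom from the question: the editor output is escaped, and
 * the escaped value (instead of the original) is what gets stored and shown.
 * Every CR LF between the paragraphs becomes the four visible characters \r\n.
 */
function roundtrip_with_escape(string $editor_html): string
{
    return model_sql_escape(trim($editor_html));
}

/**
 * What the last answers recommend: keep the user's data unchanged and let the
 * driver quote it through a bound parameter. No escaping function is called, so
 * nothing is altered on the way in. Assumed schema: posts(id INT AUTO_INCREMENT
 * PRIMARY KEY, content TEXT).
 */
function save_post(mysqli $con, string $editor_html): int
{
    $stmt = $con->prepare('INSERT INTO posts (content) VALUES (?)');
    if ($stmt === false) {
        throw new RuntimeException('prepare failed: ' . $con->error);
    }
    $stmt->bind_param('s', $editor_html);
    if (!$stmt->execute()) {
        throw new RuntimeException('execute failed: ' . $stmt->error);
    }
    return (int) $con->insert_id;
}

/** Reads a post back; the value returned is byte-for-byte what was bound above. */
function load_post(mysqli $con, int $id): ?string
{
    $stmt = $con->prepare('SELECT content FROM posts WHERE id = ?');
    if ($stmt === false) {
        throw new RuntimeException('prepare failed: ' . $con->error);
    }
    $stmt->bind_param('i', $id);
    if (!$stmt->execute()) {
        throw new RuntimeException('execute failed: ' . $stmt->error);
    }
    $stmt->bind_result($content);
    return $stmt->fetch() ? $content : null;
}

// Constructed sample: the kind of markup CKEditor 4 posts for two paragraphs,
// with CR LF line breaks between the tags.
$sample = "<p>First paragraph</p>\r\n\r\n<p>Second paragraph</p>\r\n";

$broken = roundtrip_with_escape($sample);
echo "Escaped copy, as the asker saw it in the editor:\n", $broken, "\n";
echo 'Literal \\r / \\n sequences introduced by escaping: ',
    substr_count($broken, '\\r') + substr_count($broken, '\\n'), "\n";

// The database part only runs when connection details are supplied through the
// environment (constructed variable names, not from the original page).
if (getenv('DB_HOST') !== false) {
    $con = new mysqli(getenv('DB_HOST'), getenv('DB_USER'), getenv('DB_PASS'), getenv('DB_NAME'));
    $con->set_charset('utf8mb4');
    $id = save_post($con, $sample);
    $back = load_post($con, $id);
    echo 'Stored and loaded unchanged via prepared statement: ',
        var_export($back === $sample, true), "\n";
}
```

Run it with no environment set to see only the escaping model; set DB_HOST, DB_USER, DB_PASS and DB_NAME against a database that has the assumed `posts` table to see the prepared-statement round trip return the content exactly as submitted. The design point is that quoting for SQL is the driver's job at bind time, so there is no escaped copy of the data that could leak back into the page.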
