 

str_ireplace or preg_replace replaced break tag into \r\n

Tags:

html

php

I have read this post that discusses converting an HTML break tag into a new line in PHP. Other people said it works for them, but something weird happened to me.

This is the code I use:

$breaks = array("<br />", "<br>", "<br/>");
$jawaban = str_ireplace($breaks, "&#13;&#10;", $jawaban1);

And this is the code they use:

$breaks = array("<br />", "<br>", "<br/>");
$text = str_ireplace($breaks, "\r\n", $text);

Both insert "\r\n" into the text. Why is this happening?
screenshot: this is picture, easter egg found!

If there's any previous post / PHP method, let me know.

EDIT: adding my code that echoes the textbox

<-- THIS WONT WORK -->
$username = $_SESSION['username'];
$unsafenomorsoal = $_POST['nomorsoal'];
$unsafejawaban = $_POST['jawaban'];
$nomorsoal = mysqli_real_escape_string($konek,$unsafenomorsoal);
$jawabannotcut = substr($unsafejawaban,0,50000);
$unsafejawabanfirst = nl2br($jawabannotcut);
$jawaban1 = mysqli_real_escape_string($konek,$unsafejawabanfirst);
$breaks = array("<br />","<br>","<br/>");
$jawaban = str_ireplace($breaks, PHP_EOL, $jawaban1);
$_SESSION['textvaluejawaban'] = $jawaban;

And this is what is echoed:

        echo "<div class=\"head-main-recent-background\"       style=\"background:white;width:99%;color:black;text-align:left;height:1000px;position:relative;top:130px;margin-top:10px;\">- Jawab   Soal -<br/>".$jawabanerror."<br/>Nama : ".$_SESSION['username']."<br/>
      <form method=\"post\" action=\"prosesjawabsoal.php\">
     <input type=\"hidden\" name=\"nomorsoal\"   value=\"".$_SESSION['nomorsoal']."\"/>
      Jawaban : <br/>
      <textarea placeholder=\"Max 40.000 Huruf\" style=\"overflow-x:none;width:99%;height:300px;\" type=\"text\" name=\"jawaban\" maxlength=\"40000\" >".$_SESSION['textvaluejawaban']."</textarea>
       <br/>Captcha <br/>
            <div style=\"overflow:hidden;\" class=\"g-recaptcha\" data-sitekey=\"6LfYQicTAAAAAFstkQsUDVgQ60x_93obnKAMKIM9\"></div><br/>
            <button type=\"submit\" name=\"submit\" style=\"margin-top:10px;height:auto;width:auto;\">Kirim Jawaban</button>
           </form>
            </div>";

Note: The snippet won't work because it's PHP.
Sorry, I used a snippet due to an error while posting the code!

EDIT:
Tried the preg_replace() method but still the same result.

EASTER EGG FOUND ! CODE 404 !

EDIT:
Changed the title to say that preg_replace does not work.

asked Sep 15 '16 15:09

i'm ashamed with what i asked


2 Answers

Your problem is the mysqli_real_escape_string(). This converts the "\r\n" into a string to make it safe to input into the database. Remove it completely. Instead use htmlspecialchars when you output to screen:

echo htmlspecialchars($myUnsafeVar);

Apply these rules (as a starting point; there are always possible exceptions, but in rare cases):

  • use mysqli_real_escape_string when inputting strings into a database. It won't do what you expect when outputting to screen - so anything that has been mysql escaped() should not appear on screen.
  • use htmlspecialchars (which you don't have!) when outputting to screen.
  • use url_encode for adding stuff into a URL
  • There are also many different "escape" functions (e.g. inserting into JSON, inserting into mysql, inserting into other databases). Use the right one for what you need - and don't use it for other purposes.

Check the functions for more details.

As it currently stands your code is not safe even with all those efforts - but it's really simple to fix!

answered Oct 05 '22 23:10

Robbie
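
Added example, not part of the original answer: it reproduces why the question's pipeline leaves a literal \r\n in the textarea and shows the split the answer above describes (HTML-escape at output, SQL-escape only for the query). `sql_escape_standin()` is a hypothetical stand-in that mimics the characters mysqli_real_escape_string() escapes so the script runs without a database connection; the sample input is constructed.

```php
<?php
// Hypothetical stand-in: mimics the characters mysqli_real_escape_string()
// escapes (NUL, \n, \r, \, ', ", Ctrl-Z) so no DB connection is needed.
function sql_escape_standin(string $s): string
{
    return strtr($s, [
        "\\" => "\\\\", "\0" => "\\0", "\n" => "\\n", "\r" => "\\r",
        "'"  => "\\'",  '"'  => '\\"', "\x1a" => "\\Z",
    ]);
}

// The question's pipeline: nl2br, SQL-escape, then <br> back to newlines.
function question_pipeline(string $posted): string
{
    $escaped = sql_escape_standin(nl2br(substr($posted, 0, 50000)));
    return str_ireplace(["<br />", "<br>", "<br/>"], PHP_EOL, $escaped);
}

// Output-side escaping for the textarea, as the answer recommends.
function textarea_html(string $raw): string
{
    return '<textarea name="jawaban">'
        . htmlspecialchars($raw, ENT_QUOTES, 'UTF-8')
        . '</textarea>';
}

// Print in JSON notation so control characters are visible:
// "\r" is a real carriage return, "\\r" is a literal backslash followed by r.
function show(string $label, string $value): void
{
    echo $label, ': ', json_encode($value, JSON_UNESCAPED_SLASHES), PHP_EOL;
}

// Constructed sample input: two lines plus markup that would close the textarea.
$posted = "line one\r\nline two </textarea><b>x</b>";

// 1. SQL-escaped text reused for display: CR LF has become the four literal
//    characters backslash, r, backslash, n, which the browser shows as typed.
show('question pipeline', question_pipeline($posted));

// 2. Keep the raw text for redisplay and escape for HTML at output time:
//    line breaks survive and the embedded markup is rendered inert.
show('textarea output', textarea_html($posted));

// 3. SQL escaping belongs only on the copy that goes into the query string.
show('value for SQL', sql_escape_standin($posted));
```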


Try the preg_replace() function. There is no need for both \n\r; you can do it with \n or PHP_EOL only.

$jawaban = preg_replace('#<br\s*?/?>#i', "\n", $jawaban1);

or

$jawaban = preg_replace('#<br\s*?/?>#i', PHP_EOL, $jawaban1);

answered Oct 05 '22 23:10

Haresh Vidja