Reputation: 20163
In order to keep safe, I was told to use mysql_real_escape_string before sending to MySQL if it'd be displayed.
Well, I do:
....
// escape each user-supplied value once, for use inside a quoted SQL literal
$b     = mysql_real_escape_string($b);
$r_int = mysql_real_escape_string($r_int);
$r_ext = mysql_real_escape_string($r_ext);
$id_tmp = $_SESSION['id'];
$insert = "INSERT INTO table (nombre, coment, iduser, fecha)
           VALUES ('$b', '$r_int', '$id_tmp', NOW())";
....
But if those values contain any <a href="where">go</a>,
it turns into <a href="\where\">go</a>
and... I can't go! Haha.
How can I solve this and keep safe?
Thank you!
Upvotes: 0
Views: 71
Reputation: 360702
Sounds like you might have magic_quotes_gpc or one of its ilk turned on. Older PHP versions auto-escaped everything, so by doing mysql_real_escape_string() (as you should be), you actually added another layer of escaping.

The proper solution is to turn off the magic quotes. They're deprecated and SHOULD be off, and you keep on using mysql_real_escape_string().
NOTE: Turning off magic_quotes has to be done from php.ini, or via a php_value in httpd.conf/.htaccess. You can't do it from an in-script ini_set(), because by the time that ini_set executes, PHP's already done the magic quoting.
Upvotes: 2
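The double-escaping this answer describes, as an added example that is not code from the question or either answer. It simulates what $_POST holds under magic_quotes_gpc=On, shows the value MySQL ends up storing when the script escapes on top of that, and then the fix: strip the magic-quote layer (guarded so it is a no-op where magic quotes are off or the function no longer exists) and escape exactly once. mysql_real_escape_string() needs an open connection and the mysql extension is gone in PHP 7, so the SQL escaping step is stood in for by addslashes(), which treats the characters in this sample (" and \) identically; the helper names and the sample input are this example's own.

```php
<?php
// Added example, not code from the original question or answers.
// Shows the doubled escaping that magic_quotes_gpc=On causes when the script
// escapes again, and the guard that strips the magic-quote layer first so the
// value is escaped exactly once before it goes into the SQL literal.
// addslashes() stands in for mysql_real_escape_string() (needs a connection,
// removed in PHP 7); for " and \ both produce the same output.

// Undo magic_quotes_gpc if the runtime has it on. $magic_on = null means
// "ask PHP": get_magic_quotes_gpc() exists through PHP 7.4 (always false
// since 5.4) and is gone in PHP 8, hence the function_exists() guard.
function undo_magic_quotes($value, $magic_on = null) {
    if ($magic_on === null) {
        $magic_on = function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc();
    }
    if (!$magic_on) {
        return $value;
    }
    if (is_array($value)) {
        return array_map(function ($v) { return undo_magic_quotes($v, true); }, $value);
    }
    return stripslashes($value);
}

// What MySQL stores after parsing a single-quoted literal containing $escaped:
// for \" \' and \\ the server drops one backslash, which stripslashes() mirrors.
function stored_value($escaped) {
    return stripslashes($escaped);
}

// Constructed sample input: the HTML fragment from the question.
$raw = '<a href="where">go</a>';

// Under magic_quotes_gpc=On, $_POST['b'] already arrives with slashes added.
$from_request = addslashes($raw);          // <a href=\"where\">go</a>

// 1. The questioner's code: escape the already-escaped value (hypothetical
//    re-run of mysql_real_escape_string on top of magic quotes).
$double = addslashes($from_request);       // <a href=\\\"where\\\">go</a>
echo "double-escaped literal: $double\n";
echo "stored by MySQL:        " . stored_value($double) . "\n"; // <a href=\"where\">go</a> (broken)

// 2. Fix: strip the magic-quote layer, then escape exactly once.
//    In real code the second line is mysql_real_escape_string($clean).
$clean  = undo_magic_quotes($from_request, true);
$single = addslashes($clean);
echo "single-escaped literal: $single\n";
echo "stored by MySQL:        " . stored_value($single) . "\n"; // <a href="where">go</a>

// SQL escaping protects only the query. When the stored value is later echoed
// into a page as data rather than as markup you deliberately allow, escape it
// for HTML as well; the two escaping layers serve different parsers.
echo htmlspecialchars(stored_value($single), ENT_QUOTES, 'UTF-8') . "\n";
```

With magic quotes off in php.ini, as the answer recommends, undo_magic_quotes() returns its input unchanged and the single escaping path is the only one that runs; the guard exists so the same code behaves correctly on a host where the setting is still on.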
Reputation: 1395
The stripslashes function of PHP:
echo stripslashes($string);
takes out the slashes and displays it as it was originally.
Upvotes: 1