Posted by Rik on 08/13/07 13:29
On Mon, 13 Aug 2007 15:12:15 +0200, Pugi! <puginews@gmail.com> wrote:
> Before I save input from a form to a database I use (after input
> filtering) mysql_real_escape_string.
> This means that blabla 'blabla' ... -> blabbla \'blabla\' ...
No, it means the characters that need escaping are escaped when inserting
in the database, so the data in the database is _the_same_ as your
original string. Unless something like magic_quotes_gpc() is enabled, in
which case you should use stripslashes() on the string before using
mysql_real_escape_string() on it.
> To display this data from database in browser, I use stripslashes and
> htmlentities.
> So far so good.
Nope, just drop the stripslashes.
--
Rik Wasmus
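The round trip Rik describes, as an added example that is not code from the thread: escaping is applied to the INSERT only, the stored value equals the original, and output needs htmlentities() alone, while stripslashes() on output corrupts a string that legitimately contains a backslash. It assumes an in-memory SQLite PDO connection and uses PDO::quote() as a stand-in for mysql_real_escape_string(), which needs a live MySQL link.

```php
<?php
// Added example, not the thread's own code. PDO::quote() stands in for
// mysql_real_escape_string() (assumption); SQLite in memory so it runs offline.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE posts (body TEXT)');

// Constructed sample input: single quotes, a literal backslash and HTML.
$original = "blabla 'blabla' C:\\temp <b>bold</b>";

// Simulate the old magic_quotes_gpc behaviour Rik mentions: PHP has already
// added slashes to the request data before the script sees it.
$gpc = addslashes($original);

// Undo magic quotes first; otherwise the value is escaped twice and the
// database ends up holding extra backslashes.
$clean = stripslashes($gpc);

// Escape only for the SQL statement itself.
$pdo->exec('INSERT INTO posts (body) VALUES (' . $pdo->quote($clean) . ')');

// The database holds the original string: the escaping never reached it.
$stored = $pdo->query('SELECT body FROM posts')->fetchColumn();
echo 'stored equals original: ', var_export($stored === $original, true), "\n";

// Correct output path: htmlentities() only, no stripslashes().
echo htmlentities($stored, ENT_QUOTES, 'UTF-8'), "\n";

// Wrong output path: stripslashes() on data that was never double-escaped
// silently turns "C:\temp" into "C:temp".
echo 'after stripslashes equals original: ',
     var_export(stripslashes($stored) === $original, true), "\n";
```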