Posted by charlespb69 on 08/15/07 00:40
On Aug 13, 6:29 am, Rik <luiheidsgoe...@hotmail.com> wrote:
> On Mon, 13 Aug 2007 15:12:15 +0200, Pugi! <pugin...@gmail.com> wrote:
> > Before I save input from a form to a database I use (after input
> > filtering) mysql_real_escape_string.
> > This means that blabla 'blabla' ... -> blabbla \'blabla\' ...
>
> No, it means the characters that need escaping are escaped when inserting
> in the database, so the data in the database is _the_same_ as your
> original string. Unless something like magic_quotes_gpc() is enabled, in
> which case you should use stripslashes() on the string before using
> mysql_real_escape_string() on it.
>
> > To display this data from database in browser, I use stripslashes and
> > htmlentities.
> > So far so good.
>
> Nope, just drop the stripslashes.
> --
> Rik Wasmus
When using mysql_real_escape_string you don't need to use stripslashes.
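The round trip this thread describes, as an added example that is not part of any poster's message. Assumptions: PDO's quote() on an in-memory SQLite database stands in for mysql_real_escape_string() (which needs a live MySQL connection), addslashes() simulates what magic_quotes_gpc does to input, and the helper names store() and load() and the sample string are constructed for illustration.

```php
<?php
// Added example. Assumptions: pdo_sqlite is available; PDO::quote() on an
// in-memory SQLite database stands in for mysql_real_escape_string().
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE posts (id INTEGER PRIMARY KEY, body TEXT)');

// Constructed sample input: quotes, a legitimate backslash, and markup.
$input = "blabla 'blabla' C:\\temp <b>bold</b>";

// Hypothetical helper: store one string, escaping it for the SQL statement only.
function store(PDO $pdo, string $value): int
{
    $pdo->exec('INSERT INTO posts (body) VALUES (' . $pdo->quote($value) . ')');
    return (int) $pdo->lastInsertId();
}

// Hypothetical helper: read a stored string back.
function load(PDO $pdo, int $id): string
{
    return (string) $pdo->query('SELECT body FROM posts WHERE id = ' . $id)->fetchColumn();
}

// Case 1: plain input. Compare what the database returns with the original.
$stored = load($pdo, store($pdo, $input));
var_dump($stored === $input);

// Case 2: input as magic_quotes_gpc would deliver it (simulated with
// addslashes()). stripslashes() belongs here, before escaping for SQL.
$slashed = addslashes($input);
$fixed = load($pdo, store($pdo, stripslashes($slashed)));
$unfixed = load($pdo, store($pdo, $slashed));
var_dump($fixed === $input, $unfixed === $input);

// Output: htmlentities() alone keeps the backslash and neutralises the markup.
echo htmlentities($stored, ENT_QUOTES, 'UTF-8'), "\n";
// stripslashes() on output eats the legitimate backslash in the data.
echo htmlentities(stripslashes($stored), ENT_QUOTES, 'UTF-8'), "\n";
```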