
I'm doing this to all strings before inserting them:

mysql_real_escape_string($_POST['position']);

How do I remove the: \ after retrieving them?

So I don't end up with: \"Piza\"

Also is this enough security or should I do something else?

Thanks

  • ...though really, you should just use PreparedStatement instead of mysql_real_escape_string(). Commented Jul 30, 2011 at 1:29
  • there shouldn't be any slashes on it after retrieving it back from the database, unless you've double escaped it. @Matt: why? if he properly escapes everything, what difference does it make? (i'm honestly curious) Commented Jul 30, 2011 at 1:42
  • 1
    @Mark see the sql-injection FAQs. Start with these: stackoverflow.com/questions/60174 stackoverflow.com/questions/110575 stackoverflow.com/questions/714704 Commented Jul 30, 2011 at 2:00

4 Answers

2

I would suggest you call $_POST['position'] directly (don't call mysql_real_escape_string on it) to get the non-escaped version.

Incidentally your comment about security suggests a bit of trouble understanding things.

One way of handling strings is to handle the escaped versions, which leads to one kind of difficulty, while another is to handle the unescaped versions and escape strings just before embedding, which leads to another kind of difficulty. I much prefer the latter.


1

use stripslashes() to get rid of the escape character.

Escaping is great. In case the value is going to be an integer, I would suggest you do it like:

$value = (int) $_POST['some_int_field'];

This would make sure you always end up with an integer value.


1

It could be because magic quotes are enabled, so to make it versatile, use this:

$position = $_POST['position'];
if (get_magic_quotes_gpc()) { // magic_quotes_gpc already ran addslashes() on request data
    $position = stripslashes($position); // undo that so the value is escaped exactly once
}
// escape for the SQL string literal in every case, not only when magic quotes are off
$position = mysql_real_escape_string($position);


0

mysql_real_escape_string() does add \s in your SQL strings but they should not be making it into the database as they are only there for the purpose of string parsing.

If you are seeing \s in your database then something else is escaping your strings before you call mysql_real_escape_string(). Check to make sure that magic_quotes_gpc isn't turned on.

2 Comments

I'm using PHPMyAdmin, how do I find if it's turned on?
I'm not sure that that setting is visible in phpMyAdmin but creating a page with this single line... <?php phpinfo();?> and running it on your server will show all of your PHP settings. Search for "magic_quotes_gpc" without the quotes and you will see either "On" or "Off". This page will be a slight security hazard so delete it after you use it or give it a cryptic name.
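The double-escaping mechanism the answers above describe, traced end to end as an added example (this is not code from the original question or answers, and it is Python rather than PHP so it runs offline). `mysql_escape`, `addslashes` and `mysql_unquote` are hand-written models of mysql_real_escape_string(), PHP's addslashes() (which is what magic_quotes_gpc applied to request data) and the server's parsing of a backslash-escaped string literal; they are assumptions made for the demonstration and not the real, charset-aware implementations. `stored_via_parameters` uses an in-memory SQLite table to show the parameterized alternative the comments recommend; the `positions` table name and the `"Piza"` sample input are constructed for the example.

```python
import sqlite3

# Added example, not from the original page. The three helpers below are MODELS
# of mysql_real_escape_string(), PHP addslashes() and the server's literal
# parser, written only to show where the backslashes come from and where they go.

_ESCAPE = {"\\": "\\\\", "'": "\\'", '"': '\\"', "\0": "\\0",
           "\n": "\\n", "\r": "\\r", "\x1a": "\\Z"}
_UNESCAPE = {"0": "\0", "n": "\n", "r": "\r", "Z": "\x1a"}


def mysql_escape(s: str) -> str:
    """Model of mysql_real_escape_string(): backslash-escape the characters
    that would otherwise end or corrupt a quoted SQL string literal."""
    return "".join(_ESCAPE.get(c, c) for c in s)


def addslashes(s: str) -> str:
    """Model of PHP addslashes(), which magic_quotes_gpc ran on $_POST values."""
    out = []
    for c in s:
        if c == "\0":
            out.append("\\0")
        elif c in "'\"\\":
            out.append("\\" + c)
        else:
            out.append(c)
    return "".join(out)


def mysql_unquote(literal: str) -> str:
    """Model of how the server turns the escaped literal back into the stored
    value: each backslash pair collapses to a single character."""
    out, i = [], 0
    while i < len(literal):
        c = literal[i]
        if c == "\\" and i + 1 < len(literal):
            nxt = literal[i + 1]
            out.append(_UNESCAPE.get(nxt, nxt))
            i += 2
        else:
            out.append(c)
            i += 1
    return "".join(out)


def stored_value(user_input: str, magic_quotes: bool) -> str:
    """What lands in the column when the app escapes once on top of whatever
    PHP already did to the request value (the question's symptom appears when
    magic_quotes is True: one escape pass survives into the table)."""
    request_value = addslashes(user_input) if magic_quotes else user_input
    sql_literal = mysql_escape(request_value)   # what the app interpolates
    return mysql_unquote(sql_literal)            # what the server stores


def stored_via_parameters(user_input: str) -> str:
    """Parameterized insert: the raw value is bound, never spliced into SQL
    text, so there is no escaping layer that could be applied twice."""
    con = sqlite3.connect(":memory:")           # constructed stand-in for MySQL
    con.execute("CREATE TABLE positions (position TEXT)")
    con.execute("INSERT INTO positions (position) VALUES (?)", (user_input,))
    return con.execute("SELECT position FROM positions").fetchone()[0]


if __name__ == "__main__":
    sample = '"Piza"'  # constructed sample input
    print(stored_value(sample, magic_quotes=False))  # "Piza"
    print(stored_value(sample, magic_quotes=True))   # \"Piza\"  (the symptom)
    print(stored_via_parameters(sample))             # "Piza"
```

With magic quotes off, escape-then-parse is a clean round trip and nothing needs stripping on the way out; with magic quotes on, the value is escaped twice and parsed once, which is exactly how a literal backslash ends up stored. Stripping slashes after retrieval hides that mistake instead of fixing it, and a bound parameter removes the failure mode entirely.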
