I'm using the following function before inserting HTML markup data into a db table:

function html($data, $db)
{
    // escape the value with the mysqli connection's escape_string()
    $data = $db->escape_string($data);
    return $data;
}

But there is a problem: I see a "/" slash before every " symbol. For example:

<p style=\"margin-top: 15px; margin-right: 0px; margin-bottom: 10px; margin-left: 0px; padding-top: 0px; padding-right: 0px; padding-bottom: 10px; padding-left: 0px; \">

How to deal with that problem?

4 Answers

8

No, it depends on what your escape_string() function does. And, moreover, whether you have the magic_quotes_gpc directive turned on or off (it should be off by default).

In order to insert safely into a database, you need to use mysql_real_escape_string(). NO addslashes(), NO home-brewed functions, but that one. Or, even better, use parametrized queries, which lift the work of escaping quotes off you. Try with PDO.

EDIT:

saw now the mysqli tag, so mysql_real_escape_string() is not an option, but the magic_quotes directive could still be the culprit for this.

In case you have magic_quotes on, you can either turn them off in your php.ini, through ini_set('magic_quotes_gpc',0);, .htaccess php_flag magic_quotes_gpc Off, or have a simple function like this:

function escape($value)
{
  // undo the backslashes magic_quotes_gpc adds to request data
  if(get_magic_quotes_gpc())
  {
    $value = stripslashes($value);
  }
  //return mysql_real_escape_string($value);  changed after update
  return $value;
}

Be sure to have an open connection before using mysql_real_escape_string() or it will return FALSE.

Also, HTML DOESN'T NEED TO BE ESCAPED before going into a database. I mean, you need to escape YOUR QUERIES, and you achieve that by the methods I mentioned. HTML and its maliciousness DOES NOTHING to the database.

HTML needs to be escaped ON OUTPUT, and only then, and you use htmlentities() at minimum, but further action is required in order to escape any possible XSS injection vulnerabilities. It's a complex subject; it requires a lot of work in order to escape invisible control characters, malicious tags, and so on. You need to make further research into this, and start reading about XSS injection threats.

Anyway, not allowing code to be executed in the browser is a start for this. Don't allow users to write HTML directly on your page (the same advice applies not only to user-submitted inputs, but to everything that comes from outside, like a $_GET parameter, or a cookie, or even hidden form values) or you'll easily have a <script></script> dangerous problem, that can lead to cookie stealing, bad redirecting, traffic hijacking, and so many things I can't list here. Usually htmlentities() provides a good level of protection against that, even though its output might not be pretty.
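The approach this answer recommends (bound parameters for the INSERT, undoing magic_quotes only when they are actually on, and encoding HTML on output) and the htmlspecialchars-based storage idea from the last answer below, shown together as one added example. This code is not from the question or any of the answers; it assumes PHP with pdo_sqlite available and uses an in-memory SQLite database in place of MySQL (only the DSN and credentials differ for a MySQL connection). The function names stripMagicQuotes, storeHtml, loadHtml and renderAsText are my own.

```php
<?php
// Added example, not part of the original thread. Assumes pdo_sqlite; an in-memory
// SQLite database stands in for MySQL (only the DSN/credentials change for MySQL).

// Undo the extra backslashes added by magic_quotes_gpc when that directive is on.
// get_magic_quotes_gpc() was removed in PHP 8, hence the function_exists() guard.
function stripMagicQuotes(string $value): string
{
    if (function_exists('get_magic_quotes_gpc') && @get_magic_quotes_gpc()) {
        return stripslashes($value);
    }
    return $value;
}

// Insert untrusted HTML with a bound parameter. The value never becomes part of
// the SQL text, so no escaping of quotes is needed and none is added.
function storeHtml(PDO $db, string $html): int
{
    $stmt = $db->prepare('INSERT INTO pages (body) VALUES (:body)');
    $stmt->execute([':body' => $html]);
    return (int) $db->lastInsertId();
}

// Read the stored markup back exactly as it was submitted.
function loadHtml(PDO $db, int $id): ?string
{
    $stmt = $db->prepare('SELECT body FROM pages WHERE id = :id');
    $stmt->execute([':id' => $id]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row['body'];
}

// Escape on output: <, >, ", ' and & become entities, so the stored markup is
// rendered as visible text rather than interpreted by the browser.
function renderAsText(string $html): string
{
    return htmlspecialchars($html, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE pages (id INTEGER PRIMARY KEY AUTOINCREMENT, body TEXT NOT NULL)');

// Constructed sample input: inline-styled markup with quotes plus a script tag.
$submitted = '<p style="margin-top: 15px;">It\'s "quoted"</p><script>alert(1)</script>';

$id     = storeHtml($db, stripMagicQuotes($submitted));
$stored = loadHtml($db, $id);

// Round-trips byte for byte: the database layer added no backslashes.
var_dump($stored === $submitted);

// Safe to place inside an HTML page: the <script> tag is displayed, not executed.
echo renderAsText($stored), "\n";
```

Run it with `php example.php`. The point of the split is that quoting for SQL is handled by the driver through the bound parameter, while quoting for HTML happens only at the moment the value is written into a page; mixing the two (escaping for HTML before storage, or adding slashes for SQL and then printing) is what produces stray backslashes or leaves the page open to script injection.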

4 Comments

Getting error Call to undefined function magic_quotes_gpc()
and what function to use before output
@user978733 the function is get_magic_quotes_gpc() php.net/manual/en/function.get-magic-quotes-gpc.php
htmlentities() can do the trick. See my answer, I added a bit more information
4

mysql_real_escape_string is the answer

http://php.net/manual/en/function.mysql-real-escape-string.php

5 Comments

listen, I'm using mysqli; escape and real_escape are the same things in mysqli syntax, read the documentation before answering
well, you never mentioned it.
@user978733, you are correct, if a bit rude. Janis, mysql_* and mysqli_* functions do not mix! Furthermore mysql_escape_string is deprecated in mysql_*, but in mysqli mysqli_escape_string is the same as mysqli_real_escape_string, which is the same as db->escape_string; very annoying, these inconsistencies.
@user978733 don't be rude. People are answering here because they want to help you. You should be thankful for that. And the $db-> doesn't necessarily mean that you are using mysqli.
I would recommend always using db->real_escape_string, that is always the correct function, no matter the lib you are using.
0

You are getting the "/" because the server has magic_quotes_gpc enabled. You have to check whether magic_quotes_gpc is enabled or not.

// remove the backslashes only when magic_quotes_gpc is on;
// otherwise $text is left as it is
if (get_magic_quotes_gpc()) {
    $text = stripslashes($text);
}

use get_magic_quotes_gpc() to check.

-1

I'm using http://php.net/manual/en/function.htmlspecialchars.php and http://www.php.net/manual/en/function.htmlspecialchars-decode.php to store html in the database.

3 Comments

-1 That is great when using PDO, but will get you SQL-injection pwned when not using PDO.
@Johan The problem at hand here was inserting HTML in the database and not input HTML.
you can never trust any data from outside the db, always escape it, even if you wrote it yourself. The best way is of course to use PDO, then you can just insert it as is.