Results 1 to 2 of 2
Jan 15, 2013, 13:21 #1
- Join Date
- Aug 2009
- Pacific Northwest
- 0 Post(s)
- 0 Thread(s)
retreive MySQL data after mysqli_real_escape_string
OK, somewhere this has been answered but my searching was not fruitful in finding it and I am new at the SQL injection stuff.
I have a form where a user inputs some information. After the user clicks Submit, the form info is then checked for injection attacks as follows (there are 15 data inputs and this is the same way but only showing one):
Now, I want to retrieve that data onto a webpage but do NOT want the slashes in it to show. I am not sure how to write the select statement to possibly use stripslashes or is there another/better way to do this?
BTW, my provider is using PHP 5.2 but said I could upgrade to their 5.4 area if I want so would like to make this work at both levels.
Jan 15, 2013, 14:23 #2
- Join Date
- Sep 2005
- Sydney, NSW, Australia
- 25 Post(s)
- 1 Thread(s)
Never use those two functions together.
htmlspecialchars should only be used when outputting fields into the HTML of a web page - a database is not a web page and so that function will break the content if used there.
mysqli_real_escape_string is an antiquated way of processing data so it can be jumbled with database commands - the better way is to keep the SQL and data completely separate using PREPARE and BIND statements instead of QUERY.
Neither of those commands will insert slashes into the actual data itself that is stored in the database so the origin of the slashes is elsewhere - prehaps the server has magic quotes enabled.