  1. #1
    fredep57 (SitePoint Zealot, joined Aug 2009, Pacific Northwest, 137 posts)

    Retrieve MySQL data after mysqli_real_escape_string

    OK, somewhere this has been answered but my searching was not fruitful in finding it and I am new at the SQL injection stuff.

    I have a form where a user inputs some information. After the user clicks Submit, the form info is then checked for injection attacks as follows (there are 15 data inputs, all handled the same way, but I am only showing one):

    PHP Code:
    // $link is the mysqli connection handle (assumed; it is required as the first argument)
    $variable1 = mysqli_real_escape_string($link, htmlspecialchars($_POST['variable1']));
    All goes OK as the check passes and the data is inserted into the MySQL database. The hope is that if the user entered "another's information" (with the apostrophe) the database entry would be "another\'s information", and it does show that way.

    Now, I want to retrieve that data onto a webpage but do NOT want the slashes in it to show. I am not sure how to write the select statement to possibly use stripslashes or is there another/better way to do this?

    BTW, my provider is using PHP 5.2 but said I could upgrade to their 5.4 area if I want so would like to make this work at both levels.

    Thanks
    E

  2. #2
    felgall (Programming Since 1978, joined Sep 2005, Sydney, NSW, Australia, 16,597 posts)
    Never use those two functions together.


    htmlspecialchars should only be used when outputting fields into the HTML of a web page - a database is not a web page and so that function will break the content if used there.

    mysqli_real_escape_string is an antiquated way of processing data so it can be jumbled with database commands - the better way is to keep the SQL and data completely separate using PREPARE and BIND statements instead of QUERY.

    Neither of those commands will insert slashes into the actual data itself that is stored in the database, so the origin of the slashes is elsewhere - perhaps the server has magic quotes enabled.
    Stephen J Chapman

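    The flow felgall describes, as an added example that is not code from either poster: strip magic quotes at the input boundary, keep SQL and data apart with prepared statements on both the INSERT and the SELECT, and call htmlspecialchars only when writing to the page. It assumes a table notes(id, body) and placeholder database credentials; both are assumptions, not from the thread.

```php
<?php
// Added example (not from either poster). Assumes a table
// notes(id INT AUTO_INCREMENT PRIMARY KEY, body VARCHAR(255)) and
// placeholder credentials; both are assumptions, not from the thread.
$mysqli = new mysqli('localhost', 'DB_USER', 'DB_PASSWORD', 'DB_NAME');
if ($mysqli->connect_errno) {
    die('Connect failed: ' . $mysqli->connect_error);
}
$mysqli->set_charset('utf8');

// Undo magic quotes at the input boundary on PHP 5.2/5.3; the function
// still exists on 5.4 but always returns false there, so this runs on both.
function raw_post($key) {
    $value = isset($_POST[$key]) ? $_POST[$key] : '';
    if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
        $value = stripslashes($value);
    }
    return $value;
}

// INSERT: the SQL text holds only a placeholder, never user data, so
// "another's information" is stored exactly as typed, with no backslash.
function insert_note(mysqli $db, $body) {
    $stmt = $db->prepare('INSERT INTO notes (body) VALUES (?)');
    $stmt->bind_param('s', $body);
    $stmt->execute();
    $id = $stmt->insert_id;
    $stmt->close();
    return $id;
}

// SELECT: bind_result() does not need mysqlnd, so it works on PHP 5.2 too.
// Escaping happens only here, for the HTML context, not on the way in.
function print_note(mysqli $db, $id) {
    $stmt = $db->prepare('SELECT body FROM notes WHERE id = ?');
    $stmt->bind_param('i', $id);
    $stmt->execute();
    $stmt->bind_result($body);
    while ($stmt->fetch()) {
        echo '<p>' . htmlspecialchars($body, ENT_QUOTES, 'UTF-8') . "</p>\n";
    }
    $stmt->close();
}

$id = insert_note($mysqli, raw_post('variable1'));
print_note($mysqli, $id);   // renders another&#039;s information, with no slashes to strip
```

    Because nothing adds backslashes on the way in, there is nothing to stripslashes on the way out; the apostrophe is encoded only for the HTML page.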

