Some single-word entries in my database contain un-escaped apostrophes. When I display these words back to the screen, a backslash is inserted on the screen, so what should read Tom’s looks like Tom/'s.
How do I echo “$variable”; so what gets displayed matches what is in the database?
I understand the dangers of SQL injection, but it doesn’t, in this one particular case, apply. Any suggestions would be greatly appreciated.
Gonna be honest, you haven’t given us much to go on.
Unescaped apostrophes in your database are totally OK. But if they’re coming out in your HTML as backslash-escaped, then that tells us that somewhere between reading the value from the DB and echoing it out, you’re calling addslashes or mysql escape or something similar. That’s all we can say for sure.
I’m going to wager a guess that you have some sort of catch-all escape function. It probably strips tags, adds slashes, and calls htmlspecialchars. You probably use it both when inserting into your DB and when echoing HTML. Assuming this guess is correct, then this is your problem. The way we escape for SQL is different than the way we escape for HTML and different than the way we escape for JSON, for shell, and others. There’s no such thing as a one-size-fits-all escape function. If you’re outputting to HTML, then you need to escape for only HTML.
It’s an odd mix of PDO and mysqli and old mysql commands. You were right. I had addslashes on all the mysql queries. Changed them to stripslashes, and it displays fine.
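Added example, not part of the thread and not the poster's code: the per-context escaping described in the reply above, next to a catch-all helper of the kind it guesses at. The sample value, the `words` table, the helper names and the in-memory SQLite database (requires the pdo_sqlite extension) are assumptions made for illustration.

```php
<?php
// Constructed sample value containing an apostrophe and markup.
$name = "Tom's <b>Diner</b>";

// Hypothetical catch-all helper: mixes SQL-style and HTML-style escaping.
// Used at output time, the backslash from addslashes() ends up on the page.
function catch_all_escape(string $s): string
{
    return htmlspecialchars(addslashes(strip_tags($s)), ENT_QUOTES, 'UTF-8');
}

// HTML context only: encode the characters HTML treats as special.
function html(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE words (id INTEGER PRIMARY KEY, word TEXT)');

// SQL context: a bound parameter keeps data out of the query text,
// so the value is stored byte-for-byte with no addslashes() call.
$stmt = $pdo->prepare('INSERT INTO words (word) VALUES (:word)');
$stmt->execute([':word' => $name]);

$stored = $pdo->query('SELECT word FROM words WHERE id = 1')->fetchColumn();

// The database holds exactly what was submitted.
var_dump($stored === $name);

// Catch-all helper on output: tags are dropped and a stray backslash appears.
echo catch_all_escape($stored), "\n";

// Escape once, at output, for the context being written to.
echo html($stored), "\n";                                      // HTML body or attribute
echo json_encode(['word' => $stored],
    JSON_HEX_TAG | JSON_HEX_APOS | JSON_HEX_AMP | JSON_HEX_QUOT), "\n"; // JSON
echo escapeshellarg($stored), "\n";                            // shell argument
```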