Hello, I have a question.
So when I escape my data, quotations and apostrophes get backslashes.
Now if I replace the backslash with an empty character, would it be safe or would it break the rules of escaping the data?
Something like this.
<?php
// Include the database connection ($mysqli)
include('config.php');

// Escape the user-supplied id before placing it inside the SQL string
$id = $mysqli->real_escape_string($_GET['id']);
$query = $mysqli->query("SELECT * FROM random_table WHERE id = '$id'");

while ($row = $query->fetch_array(MYSQLI_BOTH)) {
    // Escape the description read from the row, then undo the escaping
    // of quotation marks and apostrophes again before printing it
    $description = $mysqli->real_escape_string($row['description']);
    $description_array = array('\\"' => '"', "\\'" => "'");
    $description_replaced = strtr($description, $description_array);
    // echo out the replaced data
    echo $description_replaced;
}
?>
If the data in the row had a description of
Hello, I'm the admin of this website. I would love for you guys to try this out. My main quote is "Do what you can, not what you can't".
If you were to just output the description without escaping it, it would be
Hello, I'm the admin of this website. I would love for you guys to try this out. My main quote is "Do what you can, not what you can't".
But if you escaped the data, it would be
Hello, I\'m the admin of this website. I would love for you guys to try this out. My main quote is \"Do what you can, not what you can\'t\".
So what I’ve done is gone and replaced the backslash with just the original content, so it would look like it was never escaped.
Does this break the escaping rules, or is it safe to do so? I was just wondering: since the data has already been escaped, users can’t query random data from the database. But by replacing the escaped output using the replacement array, would it still be possible for them to SQL inject or query random data?
And yes, I’m still looking into preparing my queries.
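An added example, not the asker's code, separating the two jobs the question runs together: the SQL string literal is one context, the HTML page is another, and a value stored in the table is read back unescaped, so there is nothing to reverse on output. It assumes config.php creates $mysqli as in the question and that the mysqlnd driver (the PHP default) is present for get_result(); the sample string is constructed.

```php
<?php
// Added example, not the asker's code. Assumes config.php creates $mysqli
// exactly as in the question; table and column names are the question's.
include('config.php');

// The reversal in the question only undoes \" and \' . real_escape_string()
// also puts a backslash before backslashes, NUL bytes and line breaks, so
// text containing any of those does not come back unchanged.
function undo_quote_escapes(string $escaped): string {
    return strtr($escaped, array('\\"' => '"', "\\'" => "'"));
}
$sample  = 'Backup path C:\temp, see "notes"';   // constructed sample, single-quoted so \t is a literal backslash + t
$escaped = $mysqli->real_escape_string($sample); // the backslash and both " now carry a backslash prefix
var_dump(undo_quote_escapes($escaped) === $sample); // not equal: the doubled backslash in the path is left in place

// 1. Query: a prepared statement sends the id separately from the SQL text,
//    so the value is never part of a string literal and needs no escaping.
$id   = $_GET['id'] ?? '';
$stmt = $mysqli->prepare('SELECT description FROM random_table WHERE id = ?');
$stmt->bind_param('s', $id);
$stmt->execute();
$result = $stmt->get_result();

// 2. Output: the row holds the stored text, not the escaped form, so there is
//    nothing to undo. The destination is an HTML page, so encode for HTML.
while ($row = $result->fetch_assoc()) {
    echo htmlspecialchars($row['description'], ENT_QUOTES, 'UTF-8'), "\n";
}
?>
```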