OK, somewhere this has been answered but my searching was not fruitful in finding it and I am new at the SQL injection stuff.
I have a form where a user inputs some information. After the user clicks Submit, the form info is then checked for injection attacks as follows (there are 15 data inputs and this is the same way but only showing one):
All goes OK as the check passes and the data is inserted into MySQL database. The hope is that if the user entered "another's information" (with the apostrophe) that the database entry would be "another\'s information" and it does show that way.
Now, I want to retrieve that data onto a webpage but do NOT want the slashes in it to show. I am not sure how to write the select statement to possibly use stripslashes or is there another/better way to do this?
BTW, my provider is using PHP 5.2 but said I could upgrade to their 5.4 area if I want so would like to make this work at both levels.
Never use those two functions together.
htmlspecialchars should only be used when outputting fields into the HTML of a web page - a database is not a web page and so that function will break the content if used there.
mysqli_real_escape_string is an antiquated way of processing data so it can be jumbled with database commands - the better way is to keep the SQL and data completely separate using PREPARE and BIND statements instead of QUERY.
Neither of those commands will insert slashes into the actual data itself that is stored in the database so the origin of the slashes is elsewhere - perhaps the server has magic quotes enabled.
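To make the advice in this reply concrete, here is an added example (it is not code from the original poster or from the replier) showing the three points together: undo magic quotes at input on a PHP 5.2/5.3 host, keep SQL and data apart with a mysqli prepared statement for both the INSERT and the SELECT, and call htmlspecialchars only at the moment the value is written into HTML. The table name `entries`, its columns `id` and `info`, and the connection credentials are assumptions chosen for the example.

```php
<?php
// Added example, not from the original thread. Assumes a MySQL table
// `entries` (id INT AUTO_INCREMENT PRIMARY KEY, info VARCHAR(255)) and
// placeholder connection details; replace them with your own.

// 1. Undo magic quotes if the host still has them on. On PHP 5.2/5.3
//    get_magic_quotes_gpc() can return true, which is what adds the
//    backslashes before the data ever reaches the database; on 5.4+ the
//    feature is gone and the function returns false.
function raw_input($value)
{
    if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
        return stripslashes($value);
    }
    return $value;
}

// 2. Insert with PREPARE and BIND: the SQL text never contains the data,
//    so no escaping is needed and no slashes are stored.
function insert_entry(mysqli $db, $info)
{
    $stmt = $db->prepare('INSERT INTO entries (info) VALUES (?)');
    if ($stmt === false) {
        throw new RuntimeException('prepare failed: ' . $db->error);
    }
    $stmt->bind_param('s', $info);
    $stmt->execute();
    $id = $stmt->insert_id;
    $stmt->close();
    return $id;
}

// 3. Read the row back the same way; bind_result works on PHP 5.2 as well.
function fetch_entry(mysqli $db, $id)
{
    $stmt = $db->prepare('SELECT info FROM entries WHERE id = ?');
    if ($stmt === false) {
        throw new RuntimeException('prepare failed: ' . $db->error);
    }
    $stmt->bind_param('i', $id);
    $stmt->execute();
    $stmt->bind_result($info);
    $stmt->fetch();
    $stmt->close();
    return $info;
}

// 4. Escape only when the value is placed into HTML, never before storage.
function render_entry($info)
{
    return '<p>' . htmlspecialchars($info, ENT_QUOTES, 'UTF-8') . '</p>';
}

// Usage: placeholder credentials, to be replaced with the real ones.
$db = new mysqli('localhost', 'dbuser', 'dbpass', 'dbname');
if ($db->connect_error) {
    die('Connect failed: ' . $db->connect_error);
}
$db->set_charset('utf8');

// Constructed fallback input for running the script outside a form post.
$info = raw_input(isset($_POST['info']) ? $_POST['info'] : "another's information");
$id   = insert_entry($db, $info);
echo render_entry(fetch_entry($db, $id));
```

With this layout the apostrophe is stored exactly as typed, so there is nothing to strip on the way out; the only transformation is the HTML escaping in render_entry, which the browser undoes when it displays the page.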