2

I'm creating a web page that will allow users to paste in their code and be given a unique URL to access it later. The problem is that I am using

mysql_real_escape_string($_POST['code'])

to prevent SQL injection, but at the same time it adds slashes to the code, which means that when the code is displayed at a later date, it is spoiled (slashes everywhere).

Is there a way to 'un-escape' it when displaying the code again?

Sorry if this seems unclear or obvious, this is my first project using php.

7
  • php.net/manual/en/function.stripslashes.php Commented Jul 25, 2012 at 16:27
  • 1
    Please stop using mysql_* functions as they are now deprecated. Use MySQLi or PDO instead. Commented Jul 25, 2012 at 16:29
  • Are you sure the slashes are from mysql_real_escape_string() or are they in $_POST? Commented Jul 25, 2012 at 16:30
  • The only thing stripslashes() is an answer to is "how do I fix my goofed up data?". PHP should be configured properly in the first place to not cause this. Commented Jul 25, 2012 at 16:31
  • @Jason: They're in both. Whee! Commented Jul 25, 2012 at 16:31

1 Answer

0

Is it echo stripslashes($code); you are looking for? I think for added security you also have to convert the special characters to HTML entities and strip all script tags if necessary to avoid XSS attacks.

See:

http://php.net/manual/en/function.htmlentities.php

XSS filtering function in PHP
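
An added example, not part of the original question or answer: the paste is stored through a PDO prepared statement and escaped only at output time with htmlspecialchars(), so no slashes enter the stored data and nothing needs un-escaping. It assumes PDO with the SQLite driver (in-memory so it runs offline; the page itself uses MySQL), and the table name `pastes`, the function names and the sample paste are constructed.

```php
<?php
// Added example: table/function names and the sample paste are constructed.
declare(strict_types=1);

function open_db(): PDO
{
    // Assumption: in-memory SQLite keeps the example offline; use a mysql: DSN for MySQL.
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE pastes (id TEXT PRIMARY KEY, code TEXT NOT NULL)');
    return $db;
}

function save_paste(PDO $db, string $code): string
{
    $id = bin2hex(random_bytes(8)); // random token used in the paste URL
    // Bound parameter: the value is passed as data, not concatenated into the
    // SQL string, so the stored text is exactly what was pasted.
    $stmt = $db->prepare('INSERT INTO pastes (id, code) VALUES (:id, :code)');
    $stmt->execute([':id' => $id, ':code' => $code]);
    return $id;
}

function load_paste(PDO $db, string $id): ?string
{
    $stmt = $db->prepare('SELECT code FROM pastes WHERE id = :id');
    $stmt->execute([':id' => $id]);
    $code = $stmt->fetchColumn();
    return $code === false ? null : $code;
}

function render_paste(string $code): string
{
    // Escape for the HTML context at output time only; never store escaped text.
    $safe = htmlspecialchars($code, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<pre><code>' . $safe . '</code></pre>';
}

// Constructed paste: quotes, a backslash, SQL metacharacters and a script tag.
$paste = "echo 'C:\\temp'; -- \"); DROP TABLE pastes;\n<script>alert(1)</script>";

$db = open_db();
$id = save_paste($db, $paste);
$stored = load_paste($db, $id);

var_dump($stored === $paste);      // compares the stored text with the original
echo render_paste($stored), "\n";  // emits the paste as HTML-escaped text
```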
