
When a ' is typed into a text field for example, PHP puts a \ before it.

I'm using the following for filtering:

$comment_body = $_POST['comment_body'];                           // raw form input
$comment_body = nl2br(htmlspecialchars($comment_body));           // HTML-escape, then newlines to <br />
$comment_body = mysqli_real_escape_string($db_conx,$comment_body); // SQL-escape: this is the step that puts \ before '

How do I stop this slash from appearing?

  • The mysqli_real_escape_string function call escapes the single quote with the backward slash to prevent SQL injection. Commented Aug 3, 2013 at 20:45
  • that is what your mysqli_real_escape_string is doing. It is supposed to be that way Commented Aug 3, 2013 at 20:45
  • I know that, but I've used it on other sites and the \ isn't posted into the database. Is there a way I can stop it from being posted or a way to stop it from being displayed with the \ without removing the mysqli_real_escape_string? Commented Aug 3, 2013 at 20:47

3 Answers


You should use sanitization with regards to context:

When saving to the database use only mysqli_real_escape_string(). When outputting the variable to HTML then just go with htmlspecialchars().

Automatic adding of slashes might be due to the settings of magic_quotes_gpc, which is already removed in newer versions of PHP, but you can check your settings in phpinfo();


1 Comment

I agree you don't want to store the results of htmlspecialchars and nl2br.
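The context-specific escaping this answer describes, written out as an added example (not code from the question or this answer): the raw text is kept as typed, the SQL sink escapes it once at query time, and the HTML sink escapes it at output time. `$db_conx`, the `comments` table and its `body` column are assumed placeholders.

```php
<?php
// Added example, not code from the question or the answers above.
// Assumes: $db_conx is an open mysqli connection (placeholder) and a
// table `comments` with a TEXT column `body` exists (placeholder).

/**
 * Undo the one layer of slashes that magic_quotes_gpc added on old PHP
 * builds, so the value is escaped exactly once, by us, at query time.
 * get_magic_quotes_gpc() is gone in PHP 8, hence the function_exists guard.
 */
function raw_input($value)
{
    if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
        return stripslashes($value);
    }
    return $value;
}

/**
 * SQL context: escape right before the query and nowhere else.
 * The \ that mysqli_real_escape_string adds is consumed by the SQL
 * parser; the row ends up holding the ' exactly as the user typed it.
 */
function store_comment(mysqli $db_conx, $comment_body)
{
    $escaped = mysqli_real_escape_string($db_conx, $comment_body);
    $sql     = "INSERT INTO comments (body) VALUES ('" . $escaped . "')";
    return mysqli_query($db_conx, $sql) === true;
}

/**
 * HTML context: escape at output time only. Entities first, then
 * nl2br, so the <br /> tags it inserts are not themselves escaped.
 */
function render_comment($stored_body)
{
    return nl2br(htmlspecialchars($stored_body, ENT_QUOTES, 'UTF-8'));
}

// Usage: keep the raw text in $comment_body and let each sink escape it.
$comment_body = isset($_POST['comment_body']) ? raw_input($_POST['comment_body']) : '';
if ($comment_body !== '') {
    store_comment($db_conx, $comment_body);
}
echo render_comment($comment_body);
```

If rows already in the table carry a backslash, the value was escaped twice before it reached the query; escaping once, at the SQL sink only, is what stops that.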

This is what mysqli_real_escape_string does. This should only be used when putting the data into a database. If you are going to output the $comment_body just leave off the last line of the snippet. If you are getting double escaping happening it is probably the result of the magic quotes configuration directive.

7 Comments

I know that, but I've used it on other sites and the \ isn't posted into the database. Is there a way I can stop it from being posted or a way to stop it from being displayed with the \ without removing the mysqli_real_escape_string? I am actually inserting this into the database by the way
That's what's happened then, the server was updated to the latest version of PHP. Is there a way I can hide the \ when querying out of the database?
@James ... that wouldn't be it then, magic quotes were removed in 5.4
Actually, my bad, it runs 5.4 @Orangepill
@james is it possible someone on the site fixed for the absence of magic quotes by doing something like $_POST = array_map("addslashes", $_POST);?

It may probably be because you have magic quotes on: magic_quotes_gpc. If that is the case you can disable it using this

Comments
