Storing and displaying code using mysql_real_escape_string();

Question

I'm creating a web page that will allow users to paste in their code and be given a unique URL to access it later. The problem is that I am using

mysql_real_escape_string($_POST['code'])

to prevent sql injection but at the same it adds slashes to the code which means when the code is displayed at a later date, it is spoiled (slashes everywhere.)

Is there a way to 'un-escape' it when displaying the code again?

Sorry if this seems unclear or obvious, this is my first project using php.

Please stop using `mysql_*` functions as they are [now deprecated](http://news.php.net/php.internals/53799). Use [MySQLi](http://php.net/manual/en/book.mysqli.php) or [PDO](http://php.net/manual/en/book.pdo.php) instead. — Jason McCreary, Jul 25 '12 at 16:29
Are you sure the slashes are from `mysql_real_escape_string()` or are they in `$_POST`? — Jason McCreary, Jul 25 '12 at 16:30
The only thing `stripslashes()` is an answer to is "how do I fix my goofed up data?". PHP should be configured properly in the first place to *not cause this*. — Ignacio Vazquez-Abrams, Jul 25 '12 at 16:31

score 1 · Accepted Answer · edited May 23 '17 at 12:21

1

It is echo stripslashes($code); you looking for? I think for added security you also have to like convert the special characters to html entities and strip all script tags if necessary to avoid xss attack.

See:

http://php.net/manual/en/function.htmlentities.php

XSS filtering function in PHP

edited May 23 '17 at 12:21

Community

1
1

answered Jul 25 '12 at 16:35

Johndave Decano

2,101
2
16
16

Storing and displaying code using mysql_real_escape_string();

1 Answers1