
Possible Duplicate:
PHP mysql_real_escape_string() -> stripslashes() leaving multiple slashes

I have a system that accepts user input to a survey and saves the answers to a MySQL database.
Before placing it in this database, it runs it through mysql_real_escape_string() to verify it is not injection unhappy.

Unfortunately when I output this content to my client in a textbox (just as it was entered), quotes, single quotes, / \ ... all are escaped - I know I know I asked for it, but I can't give the product out like this - how do I reverse these without risking losing the input people put in, like "2\3, 1\2"... stuff like that.

Is there a better way to sanitize?

    Is it possible you have magic quotes enabled? See here: http://stackoverflow.com/a/1201003/281469 – bcoughlan Oct 22 '12 at 02:05
  • magic quotes was on even though I turned it off before - my webhost has changed my server like 3 times now every time they reset my settings - someone is getting a new webhost next year :-) – James Stafford Oct 22 '12 at 02:20

2 Answers


There's a much better way to ensure your input is sanitized. Don't escape at all, but use prepared queries with PDO instead.

    How is this helpful? The damage is already done and the OP is asking how to _fix_ it. – Michael Berkowski Oct 22 '12 at 02:06
  • He asked "Is there a better way to sanitize." – SomeKittens Oct 22 '12 at 02:07
  • It's crazy how many votes you get these days by just mentioning **PDO**. – Shoe Oct 22 '12 at 02:14
    @jeffrey PHP is often a first choice for new programmers. Unfortunately, it is (arguably) the language which gives the programmer the most frequent opportunities to introduce security holes. PDO answers should most definitely be upvoted! – bcoughlan Oct 22 '12 at 02:42

If your MySQL string has something like myfield="Stafford\'s webhost sucks", MySQL knows that the backslash is intended as an escape character rather than a backslash, except when it is double-escaped.

If you see backslashes in your database which should have been escape characters, it means that your string is being escaped more than once. This could either be in your code, or in your case, having the deprecated magic quotes feature turned on. Magic quotes can be turned off via php.ini: https://stackoverflow.com/a/1201003/281469

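Added illustration, not code from the question or either answer: it models the two escaping layers described above (magic quotes on the request data, then mysql_real_escape_string() in the survey code) to show why the stored value gains backslashes, and what happens once the magic-quotes layer is stripped so the value is escaped exactly once or, better, bound through a PDO prepared statement. addslashes() stands in for mysql_real_escape_string() (identical behaviour for quotes and backslashes), the MySQL decoding is a simplified model, and the table and column names are assumptions.

```php
<?php
// Added example, not from the original post or answers.

// Simplified model of how MySQL decodes a quoted string literal: each "\x"
// pair becomes "x", so this is the value that actually lands in the table.
// (Real MySQL also maps \n, \0 and a few others; irrelevant for quotes/backslashes.)
function mysqlLiteralToStored(string $literal): string
{
    return preg_replace('/\\\\(.)/s', '$1', $literal);
}

// What ends up in the column for a given raw form value. addslashes() stands in
// for both layers: magic_quotes_gpc applied it to request data, and for quotes
// and backslashes mysql_real_escape_string() produces the same escaping.
// In real PHP 5.3 code the $magicQuotesOn flag is get_magic_quotes_gpc();
// the feature itself was removed in PHP 5.4.
function storedValue(string $rawInput, bool $magicQuotesOn, bool $applyFix = false): string
{
    $seenByPhp = $magicQuotesOn ? addslashes($rawInput) : $rawInput; // $_POST contents
    if ($applyFix && $magicQuotesOn) {
        $seenByPhp = stripslashes($seenByPhp); // undo the magic-quotes layer once
    }
    $literal = addslashes($seenByPhp);         // the single escaping the code should do
    return mysqlLiteralToStored($literal);
}

// The recommended approach: bind the value and let the driver handle quoting,
// so no manual escaping happens at all. Table/column names are assumptions.
function saveAnswer(PDO $db, string $answer): void
{
    $stmt = $db->prepare('INSERT INTO survey_answers (answer) VALUES (:answer)');
    $stmt->execute([':answer' => $answer]);
}

// Constructed inputs, single-quoted where needed so the backslashes are literal
// ("\3" inside double quotes would be chr(3)).
foreach (["Stafford's webhost sucks", '2\\3, 1\\2'] as $input) {
    echo "input:              $input\n";
    echo "escaped once:       " . storedValue($input, false) . "\n";
    echo "magic quotes on:    " . storedValue($input, true) . "\n";
    echo "with stripslashes:  " . storedValue($input, true, true) . "\n\n";
}
```

The "magic quotes on" line reproduces the answer's myfield="Stafford\'s webhost sucks" case, and for the OP's "2\3" input it shows the backslash doubling in the stored value; the stripslashes line shows the original text surviving in both cases.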