-1

After binding params and inserting data into the database, the quotation marks are escaped to \" so the output looks ugly, like: hello this is an output test \"test \"
How do I make the quotation marks show normally?

Here is how I insert data into the DB.

```php
if ($_POST) {
    include "db.php";

    $title = $_POST['title'];
    $content = $_POST['content'];

    // Length checks on the raw request values
    if (strlen($title) >= 77) { die('large_title'); }
    if (strlen($content) <= 19) { die('low_content'); }
    if (empty($title)) { $title = 'EMPTY00'; }

    // Prepared statement: values are bound, not concatenated into the SQL
    $stmt = $mysqli->prepare("INSERT INTO na_posts(title,content) VALUES (?, ?)");
    $stmt->bind_param("ss", $title, $content);
    $stmt->execute();
    $stmt->close();

    // Echo back an HTML-encoded preview of the first 125 characters
    $content = htmlspecialchars(mb_substr($content, 0, 125, 'utf-8'));
    echo $content.'...';
} else {
    die('error');
}
```

Here is my output code:

```php
$content = nl2br(htmlspecialchars($row->content));
echo $content;
```
Alamri

2 Answers

1

Use stripslashes

```php
$content = nl2br(stripslashes(htmlspecialchars($row->content)));
echo $content;
```
DevZer0
1

There is some code that is adding unnecessary slashes when you're inserting data into the database.

It's either magic_quotes or some sort of addslashes()/mysql_real_escape_string() somewhere in the code. Get rid of either of them.

Your Common Sense
  • None of them exist, I only used PDO bind_param to escape the string. I double checked again and the inserting is the only code you can see in the question. – Alamri Jun 28 '13 at 09:35
  • Well, go check again. You know, there is no magic in this world and no slashes can pop out of nowhere. – Your Common Sense Jun 28 '13 at 09:37
  • @Alamri how come "none of them exist" if you have said in the other comments `"yes get_magic_quotes seems to be working"`?! – Your Common Sense Jun 28 '13 at 09:41
  • None of `addslashes()/mysql_real_escape_string()` exist, and yes, get_magic_quotes is working... Please check my question, I updated it with the full code. – Alamri Jun 28 '13 at 09:47
  • I think I should tell my hoster he should feel bad for his PHP configurations. – Alamri Jun 28 '13 at 09:48
  • @Alamri **it is magic quotes that you need to get rid of**. You can do it yourself, without asking any hoster – Your Common Sense Jun 28 '13 at 09:54
  • @YourCommonSense for a while I thought magic exists in the webroot :) I already added the command to disable it in php.ini and htaccess but it seems not to be working, that's why my hoster should feel a lot of shame :) – Alamri Jun 28 '13 at 16:22
  • @YourCommonSense trust me, that's what I did, but I went into a loop of complications, one of them http://stackoverflow.com/questions/517008/how-to-turn-off-magic-quotes-on-shared-hosting and the best solution is getting my own server. Anyway, thanks for the help, and thanks for coming back and trying to help me again, that's not what most users do here. – Alamri Jun 28 '13 at 17:12
  • @Alamri **please** no silly excuses. There is a link with a **code snippet** which you are **obviously able to run** to get rid of magic quotes without altering any server settings. So, it's apparently feasible for **any** server. – Your Common Sense Jun 28 '13 at 17:14
  • @YourCommonSense I'm not being silly, I was at the link you gave me before, I did write those commands in php.ini, I modified htaccess and got a 500 error, then I tried the solution in the question I gave you (POST, GET, COOKIE), and that's it. No luck. The last chance is contacting them to see what's going on, or I'm leaving. I'm using stripslashes for now until I find a solution. – Alamri Jun 28 '13 at 17:31
  • @Alamri look, here is [direct link to the code](http://www.php.net/manual/en/security.magicquotes.disabling.php#example-344). This is **regular PHP code** that has to be put not in php.ini, not in .htaccess but in your PHP script. – Your Common Sense Jun 28 '13 at 18:37
  • @YourCommonSense I might have come across as stupid in this question but I know where to put the PHP code :) That's why I said I will use `stripslashes`, because I'm using it now and it's working ... but it would be good if I had the ability to configure PHP the way I want. – Alamri Jun 28 '13 at 18:48
  • @Alamri there is a difference in *where* to use stripslashes. – Your Common Sense Jun 28 '13 at 18:53
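
The point made in the answer and comments above (undo magic quotes on the request data, not on output) as an added example; it is not code from the thread or from the linked manual page. `undo_magic_quotes()` and `magic_quotes_active()` are hypothetical helper names, and the sample input is constructed.

```php
<?php
// Added example. Helper names are hypothetical; sample input is constructed.

// Recursively strip the slashes that magic_quotes_gpc added to request values.
function undo_magic_quotes($value)
{
    return is_array($value)
        ? array_map('undo_magic_quotes', $value)
        : stripslashes($value);
}

// True only on old PHP builds where magic_quotes_gpc is really on.
// get_magic_quotes_gpc() was removed in PHP 8.0, hence the function_exists() guard.
function magic_quotes_active()
{
    return function_exists('get_magic_quotes_gpc') && @get_magic_quotes_gpc();
}

// Run once at the top of the script, before any request value is read.
if (magic_quotes_active()) {
    $_POST    = undo_magic_quotes($_POST);
    $_GET     = undo_magic_quotes($_GET);
    $_COOKIE  = undo_magic_quotes($_COOKIE);
    $_REQUEST = undo_magic_quotes($_REQUEST);
}

// --- Constructed demonstration: simulate what magic quotes does to input ---
$typed   = 'output test "test" saved in C:\temp';   // what the user typed
$mangled = array('content' => addslashes($typed));  // what the script receives

$clean = undo_magic_quotes($mangled);
// $clean['content'] === $typed, so this is the value to pass to bind_param():
// the prepared statement handles SQL safety and the row stores the text as typed.
var_dump($clean['content'] === $typed);             // bool(true)

// Output stays as in the question: HTML-encode only, no stripslashes().
echo nl2br(htmlspecialchars($clean['content'], ENT_QUOTES, 'UTF-8')), "\n";

// Why output-time stripslashes() is the wrong place: a row that was stored
// correctly loses its legitimate backslash.
echo stripslashes($typed), "\n";                    // ... saved in C:temp
```

Array keys are left untouched here; the linked manual snippet also handles keys.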