
Hello, I have the following string in my variable:

`Hello@I am "good" too`

I am using mysql_real_escape_string() when I am saving to the database.

So in the database the value is saved as follows:

`Hello@I am \"good\" too`

Now when I fetch this value back from the database into the input field (for update purposes) like below:

```php
<input type="text" name="field_name" value="<?php echo $edit_data['my_field'];?>">
```

it only shows `Hello@I am \`

What string escape function should I use?

I tried stripslashes() but then it only shows `Hello@I am`

Manoj
  • Your script is at risk of [SQL Injection Attack](http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php). Have a look at what happened to [Little Bobby Tables](http://bobby-tables.com/). Even [if you are escaping inputs, it's not safe!](http://stackoverflow.com/questions/5741187/sql-injection-that-gets-around-mysql-real-escape-string) Use [prepared statements and parameterized statements](http://php.net/manual/en/mysqli.quickstart.prepared-statements.php). – RiggsFolly Jul 06 '16 at 09:32
  • Please don't use [the `mysql_` database extension](http://stackoverflow.com/questions/12859942/why-shouldnt-i-use-mysql-functions-in-php); it is deprecated (gone for ever in PHP7). Especially if you are just learning PHP, spend your energies learning the `PDO` database extension. [Start here](http://php.net/manual/en/book.pdo.php), it's really pretty easy. – RiggsFolly Jul 06 '16 at 09:32
  • That's because your HTML element already has double quotes: value="" – RFLdev Jul 06 '16 at 09:33
  • Thanks @RiggsFolly, I will surely look at PDO, but right now my issue is with the string (to show in the input field again). – Manoj Jul 06 '16 at 09:34
  • Yes, I know @RFLdev, but if I use a single quote then there will be an issue when there is a single quote in the string. – Manoj Jul 06 '16 at 09:35
  • "So in database value saved as follows" — The slashes are escape characters for the SQL statement. If they appear in the data you are getting out of the database then something is wrong. – Quentin Jul 06 '16 at 09:37
  • Did you try to just write your input without any quote/double quote? `>` – Jax Teller Jul 06 '16 at 09:38
  • Guys, I got my answer. Thanks @Quentin for redirecting me to a helpful link; we can use `htmlspecialchars()`. – Manoj Jul 06 '16 at 09:39
  • @A.Rossi — Then the first space would terminate the attribute value. – Quentin Jul 06 '16 at 09:40
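As an added example that is not part of the question or its comments: a helper that escapes for the HTML attribute context (the `htmlspecialchars()` approach the thread arrived at), shown beside the broken unescaped output, plus a sketch of writing and reading the value with a PDO prepared statement so no manual SQL escaping is needed. The table, column, id and connection values are placeholders.

```php
<?php
// Added example, not code from the question. Escape for the right context:
// SQL escaping belongs to the query, HTML escaping belongs to the attribute
// the value is printed into.

// Value exactly as the user typed it. This is what the database row should
// hold: mysql_real_escape_string() only protects the SQL statement text, so
// backslashes in the stored value mean it was escaped twice (for example
// magic_quotes plus a manual escape) and stripslashes() is treating a symptom.
$raw = 'Hello@I am "good" too';

// Escape for an HTML attribute. ENT_QUOTES also encodes single quotes, so the
// same helper is safe whether the attribute is delimited with " or '.
function attr(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// The wrong way: the raw double quote closes the attribute early, so the
// browser shows only the text before it (and the rest becomes stray markup).
$broken = '<input type="text" name="field_name" value="' . $raw . '">';

// The right way: the quotes become &quot; in the HTML source and the browser
// decodes them back to " when it renders the field.
$fixed = '<input type="text" name="field_name" value="' . attr($raw) . '">';

echo $broken, PHP_EOL;
echo $fixed, PHP_EOL;

// Storing and reading back with a PDO prepared statement (placeholders for
// the DSN, credentials, table and column). The driver handles quoting, so
// the stored value is the original string with no added backslashes.
// $pdo = new PDO('mysql:host=localhost;dbname=DB_NAME;charset=utf8mb4', 'DB_USER', 'DB_PASS');
// $stmt = $pdo->prepare('UPDATE my_table SET my_field = :v WHERE id = :id');
// $stmt->execute([':v' => $raw, ':id' => 1]);
// $stmt = $pdo->prepare('SELECT my_field FROM my_table WHERE id = :id');
// $stmt->execute([':id' => 1]);
// $edit_data = $stmt->fetch(PDO::FETCH_ASSOC);
// echo '<input type="text" name="field_name" value="' . attr($edit_data['my_field']) . '">';
```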
