I'm doing this to all strings before inserting them:

mysql_real_escape_string($_POST['position']);

How do I remove the: \ after retrieving them?

So I don't end up with: \"Piza\"

Also is this enough security or should I do something else?

Thanks

lisovaccaro
  • ...though ***really,*** you should just use `PreparedStatement` instead of `mysql_real_escape_string()`. – Matt Ball Jul 30 '11 at 01:29
  • there shouldn't be any slashes on it after retrieving it back from the database, unless you've double escaped it. @Matt: why? if he properly escapes everything, what difference does it make? (i'm honestly curious) – mpen Jul 30 '11 at 01:42
  • @Mark see the [`sql-injection` FAQs](http://stackoverflow.com/questions/tagged/sql-injection?sort=faq). Start with these: http://stackoverflow.com/questions/60174 http://stackoverflow.com/questions/110575 http://stackoverflow.com/questions/714704 – Matt Ball Jul 30 '11 at 02:00

4 Answers

I would suggest you call $_POST['position'] directly (don't call mysql_real_escape_string on it) to get the non-escaped version.

Incidentally your comment about security suggests a bit of trouble understanding things.

One way of handling strings is to handle the escaped versions, which leads to one kind of difficulty, while another is to handle the unescaped versions and escape strings just before embedding, which leads to another kind of difficulty. I much prefer the latter.

Joshua
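
The prepared-statement route that the comment under the question points at, applied to the question's `position` field, as an added example (this is not code from the question or the answers). It stores the raw string and reads it back, so there is no escaping layer in application code and nothing to strip afterwards, which is also the "escape only at embedding" approach this answer prefers, taken to its end: the driver does the embedding. The table and column names are assumed, and an in-memory SQLite database stands in for MySQL so the script runs without a server; with MySQL only the DSN and the CREATE TABLE would differ, the prepare/execute calls are the same.

```php
<?php
// Added example, not code from the question or answers.
// Assumed schema: table `positions` with a text column `position`.
// An in-memory SQLite database stands in for MySQL so this runs without a
// server; with MySQL the DSN would be something like
// 'mysql:host=localhost;dbname=app;charset=utf8mb4' (plus user/password) and
// the prepare/execute calls stay the same.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE positions (id INTEGER PRIMARY KEY AUTOINCREMENT, position TEXT NOT NULL)');

function savePosition(PDO $db, string $position): int
{
    // The value is bound as a parameter and never spliced into the SQL text,
    // so quotes and backslashes in it cannot alter the statement. No
    // mysql_real_escape_string(), no addslashes(), nothing to strip later.
    $stmt = $db->prepare('INSERT INTO positions (position) VALUES (:position)');
    $stmt->execute([':position' => $position]);
    return (int) $db->lastInsertId();
}

function loadPosition(PDO $db, int $id): ?string
{
    $stmt = $db->prepare('SELECT position FROM positions WHERE id = :id');
    $stmt->execute([':id' => $id]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row['position'];
}

// Constructed inputs standing in for $_POST['position']: the quoted value
// from the question, a Windows path with backslashes, and an injection attempt.
$inputs = [
    '"Piza"',
    'C:\\temp\\report',
    "'); DROP TABLE positions; --",
];

foreach ($inputs as $raw) {
    $id = savePosition($db, $raw);
    $back = loadPosition($db, $id);
    // The round trip is exact: what went in comes back, with no added backslashes.
    printf("%-40s round-trips: %s\n", var_export($raw, true), $back === $raw ? 'yes' : 'NO');
}

// The injection attempt was stored as data; the table still exists.
echo $db->query('SELECT COUNT(*) FROM positions')->fetchColumn(), " rows stored\n";
```

On a real MySQL connection also set `PDO::ATTR_EMULATE_PREPARES` to `false` so the placeholders are bound server-side rather than interpolated by the client library, and pass the charset in the DSN as above so the driver and the server agree on what a quote character is.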

It could be because magic quotes are enabled, so to make it versatile, use this:

if (get_magic_quotes_gpc()) { // Check if magic quotes are enabled
    $position = stripslashes($_POST['position']); // undo the backslashes PHP already added
} else {
    $position = $_POST['position'];                // nothing was added, use it as-is
}
$position = mysql_real_escape_string($position);   // escape exactly once, for the query

Crakken

Use stripslashes() to get rid of the escape character.

Escaping is great. In case the value is going to be an integer, I would suggest you do it like:

$value = (int) $_POST['some_int_field'];

This would make sure you always end up with an integer value.

Sabeen Malik
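
An added example (not the answer's own code) putting the `(int)` cast next to a strict check, because the cast never fails: `"12abc"` becomes `12` and `"abc"` becomes `0`, which keeps SQL fragments out of the query but silently stores a wrong number. The `$samples` list is constructed and the helper names are mine; it needs PHP 7.1 or later for the nullable return types.

```php
<?php
// Added example, not code from the answer. Inputs below are constructed
// stand-ins for $_POST['some_int_field'].

// The answer's version: always yields an int, never a string fragment that
// could reach the SQL, but it "repairs" bad input instead of rejecting it.
function intByCast(string $raw): int
{
    return (int) $raw;
}

// Strict version: accepts only a complete decimal integer (optional sign)
// that fits in PHP's int; returns null otherwise so the caller can refuse
// the request rather than store 0 or a truncated number.
function intStrict(string $raw): ?int
{
    $v = filter_var($raw, FILTER_VALIDATE_INT);
    return $v === false ? null : $v;
}

// Same, with a range; e.g. a row id that must be positive.
function positiveInt(string $raw): ?int
{
    $v = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $v === false ? null : $v;
}

// Constructed inputs: clean numbers, trailing garbage, an injection attempt,
// an empty field, a leading zero (rejected by FILTER_VALIDATE_INT unless you
// pass FILTER_FLAG_ALLOW_OCTAL), and a value too large for a 64-bit int.
$samples = ['42', '-7', '12abc', '1 OR 1=1', '', '007', '9999999999999999999999'];

foreach ($samples as $raw) {
    printf("%-27s cast=%-22s strict=%-5s positive=%s\n",
        var_export($raw, true),
        var_export(intByCast($raw), true),
        var_export(intStrict($raw), true),
        var_export(positiveInt($raw), true));
}
```

Use the cast when any integer is acceptable and a bad value can only waste a row; use the filter when the number identifies something (an id, a quantity, a price) and a silently wrong value is worse than an error.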

mysql_real_escape_string() does add \s in your SQL strings but they should not be making it into the database as they are only there for the purpose of string parsing.

If you are seeing \s in your database then something else is escaping your strings before you call mysql_real_escape_string(). Check to make sure that magic_quotes_gpc isn't turned on.

Night Owl
  • I'm using PHPMyAdmin, how do I find if it's turned on? – lisovaccaro Jul 31 '11 at 04:08
  • I'm not sure that that setting is visible in phpMyAdmin but creating a page with this single line... `` and running it on your server will show all of your PHP settings. Search for "magic_quotes_gpc" without the quotes and you will see either "On" or "Off". This page will be a slight security hazard so delete it after you use it or give it a cryptic name. – Night Owl Aug 02 '11 at 05:27
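
An added example (not code from any of the answers) that covers both the magic-quotes check in Crakken's answer and the question in the comments above: it reads the `magic_quotes_gpc` setting from inside the script, so no phpinfo() page has to be left on the server, undoes magic quotes once at the top of the request, and then escapes exactly once, at the point the value goes into the SQL. It is written to run on PHP 5.3 (the last series with magic quotes) as well as current PHP. The request data at the bottom is constructed, the column name is assumed, and `escapeForSql()` is a stand-in I wrote so the demo runs without a MySQL connection.

```php
<?php
// Added example, not code from the answers. Runs on PHP 5.3 as well as
// current PHP. The request data at the bottom is constructed; the column name
// and the escapeForSql() stand-in are assumptions for the demo.

// Same answer as get_magic_quotes_gpc() on PHP 5 (that function was removed
// in PHP 8). magic_quotes_gpc is a per-directory setting, so ini_get()
// reports the value in effect for this script; on PHP 5.4+ the directive no
// longer exists and this reads as "off".
function magicQuotesOn()
{
    return filter_var(ini_get('magic_quotes_gpc'), FILTER_VALIDATE_BOOLEAN);
}

// Remove the backslash layer magic quotes added, recursively, so the
// superglobals hold exactly what the client sent.
function stripMagicQuotes($value)
{
    if (is_array($value)) {
        return array_map('stripMagicQuotes', $value);
    }
    return stripslashes($value);
}

// Call this once at the top of the request and never call stripslashes()
// anywhere else; from here on the application only sees raw input.
function undoMagicQuotes()
{
    if (magicQuotesOn()) {
        $_GET     = stripMagicQuotes($_GET);
        $_POST    = stripMagicQuotes($_POST);
        $_COOKIE  = stripMagicQuotes($_COOKIE);
        $_REQUEST = stripMagicQuotes($_REQUEST);
    }
}

// Escaping belongs where the value is embedded in SQL, and happens exactly
// once. Real code passes the MySQL link and gets mysql_real_escape_string();
// the addslashes() branch is only a stand-in so this demo runs without a
// connection (it is not charset-aware, do not use it for real queries).
function escapeForSql($raw, $link = null)
{
    return $link ? mysql_real_escape_string($raw, $link) : addslashes($raw);
}

// --- demo ---------------------------------------------------------------
// Constructed request: what PHP hands you with magic_quotes_gpc=On when the
// client posted "Piza" including the quotes. Normally undoMagicQuotes()
// does the stripping; it is called directly here so the demo is deterministic.
$_POST = array('position' => '\\"Piza\\"');
$_POST = stripMagicQuotes($_POST);

$position = $_POST['position'];   // raw value; keep this for display, logging, comparisons
$sql = "INSERT INTO positions (position) VALUES ('" . escapeForSql($position) . "')";

echo "magic_quotes_gpc on : ", magicQuotesOn() ? 'yes' : 'no', "\n";
echo "raw value           : ", $position, "\n";
echo "sql text            : ", $sql, "\n";   // backslashes live only in the SQL text;
                                             // the server strips them while parsing
```

The point of the layout is that backslashes exist in exactly one place, the SQL string handed to the server, and only for the instant it is parsed; the stored row and every variable in the application hold the unescaped value, so there is never a stripslashes() on the way out.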