My script has it so a user will enter text, it will go into a MariaDB database and then come back out on the screen, to simplify it. However, when a user enters ' or ", it will go to the database as \' or \". I assume this is to prevent a MySQL injection attack, but is there any way to prevent it from coming back on the screen escaped? My simplified code is

<?php
// $con is the connection
// The message is escaped twice before it reaches the prepared statement:
// mysqli_real_escape_string() adds the backslashes that end up stored in the table,
// and htmlentities() converts characters such as " into HTML entities.
$msg = htmlentities(mysqli_real_escape_string($con, $_POST['message']));
$insert = $con->prepare("INSERT INTO `db` (message) values(?)");
$insert->bind_param("s", $msg); // the already-escaped string is bound as the parameter
$insert->execute();

and then it will print it out on the screen from reading the database normally, nothing weird or unexpected.

  • Using `mysqli_real_escape_string` is useless, as a prepared statement does the same thing. – u_mulder Oct 17 '21 at 18:29
  • You're using a prepared statement. This is a Good Thing™, so you don't need to escape the data first. You shouldn't ever be using `htmlentities()` on data you're sending to the database. It's for output to the browser. – Tangentially Perpendicular Oct 17 '21 at 18:30
  • @TangentiallyPerpendicular you should make that an answer – ysth Oct 17 '21 at 19:00
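The split the comments describe, as an added example that is not the asker's code: hand the raw value to the prepared statement and HTML-escape only at the point of output. It assumes `$con` is an open mysqli connection and the `db` table with a `message` column from the question; the function names are my own.

```php
<?php
// Added example, not the code from the question. Assumes $con (mysqli) and the
// `db`.`message` table from the question exist; storeMessage/renderMessages are my names.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // make prepare/execute failures throw

// Write path: a prepared statement sends the value separately from the SQL text,
// so the driver never parses it as SQL and no escaping is needed before bind_param().
// The table then holds exactly what the user typed, e.g.  it's a "test"
function storeMessage(mysqli $con, string $raw): void
{
    $insert = $con->prepare("INSERT INTO `db` (message) VALUES (?)");
    $insert->bind_param("s", $raw); // bound as data, not concatenated into the query
    $insert->execute();
}

// Read path: HTML escaping happens here, once, for the browser.
// ENT_QUOTES covers both ' and ", so the value is also safe inside an attribute.
function renderMessages(mysqli $con): string
{
    $out = '';
    $result = $con->query("SELECT message FROM `db`");
    while ($row = $result->fetch_assoc()) {
        $out .= '<p>' . htmlspecialchars($row['message'], ENT_QUOTES, 'UTF-8') . "</p>\n";
    }
    return $out;
}

// For comparison, what the original code stored: escaping twice before the insert.
// For the input  it's a "test"  this yields  it\'s a \&quot;test&quot;  (backslashes from
// mysqli_real_escape_string, entities from htmlentities; on PHP 8.1+ the apostrophe also
// becomes &#039;), and that mangled string is what comes back out of the database.
function doubleEscaped(mysqli $con, string $raw): string
{
    return htmlentities(mysqli_real_escape_string($con, $raw));
}

storeMessage($con, $_POST['message'] ?? '');
echo renderMessages($con);
```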