
I use mysql_real_escape_string() before inserting information in the database, but when I want to show the data from the database, ' is replaced with \'. So how can I get rid of that backslash? Is there a function that reverses mysql_real_escape_string()?

Florin Frătică
    `mysql_real_escape_string()` doesn't add backslashes to the final data. There must be something else going on, like double escaping or magic quotes – Pekka Feb 28 '12 at 12:52
  • Right. Try disabling magic quotes in php.ini or with [this snippet](http://www.php.net/manual/en/security.magicquotes.disabling.php). If that doesn't work and you need a quick fix, you can use `stripslashes`. – Daniel Lubarov Feb 28 '12 at 12:52
  • 1
    I guess you've got `magic_quotes_gpc` enabled - turn it off. By the way, you should use [PDO](http://php.net/manual/en/book.pdo.php) as a database-access layer instead of `mysql_*()` functions. – Crozin Feb 28 '12 at 12:54

2 Answers


You should turn off magic_quotes, although mysql_real_escape_string does not add any backslash in the database; it is used just to escape the string.

However, you can use stripslashes() to remove them, but the more elegant solution is to turn off magic_quotes.

Shakti Singh
  • `mysql_real_escape_string` does add slashes, they're just removed by MySQL. The problem is that `mysql_real_escape_string` is escaping slashes (which presumably came from magic quotes) with more slashes. – Daniel Lubarov Feb 28 '12 at 12:56
  • @Daniel: Yes, that is just for escaping string and not stored in database – Shakti Singh Feb 28 '12 at 12:58
  1. There is NO [built-in] function to reverse mysql_real_escape_string.
  2. If you have only quotes but not linebreaks escaped - it is not mysql_real_escape_string to blame.
  3. Instead of stripping, you apparently have to make your code not add them.
  4. There are 2 possible reasons for the slashes to appear:
    • magic_quotes_gpc is turned on. Just turn it off.
    • some extra-wise data-sanitize function in charge. Get rid of it.
  5. Just to make sure: not whatever "information" but only strings (query parts enclosed in quotes) have to be escaped. For any other query part, escaping is useless, and you have to find another way to protect it from SQL injection.
Your Common Sense
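The double-escaping chain that both answers describe, worked through as an added example (this is not code from the question or from either answer). It models magic_quotes_gpc with addslashes(), which is what that setting applied to $_GET/$_POST/$_COOKIE, and models mysql_real_escape_string() with a hypothetical mysqlStyleEscape() that escapes the same characters, because the mysql_* extension no longer exists in PHP 7+; mysqlDecodeLiteral() and blameForStrayBackslashes() are likewise helpers written for this example. The user input is constructed. The PDO part at the end uses an in-memory SQLite database so the script runs on PHP 8 with pdo_sqlite and no server; with MySQL only the DSN changes.

```php
<?php
// Added example, not code from the question or the answers. It models the
// double-escaping chain the thread describes and then shows the fix.
// Assumptions: magic_quotes_gpc is modelled with addslashes(); the old
// mysql_real_escape_string() is modelled by mysqlStyleEscape(); what the
// MySQL parser stores from a quoted literal is modelled by
// mysqlDecodeLiteral(). Requires PHP 8 (str_contains) and pdo_sqlite.
declare(strict_types=1);

// Escapes the same characters mysql_real_escape_string() does:
// NUL, \n, \r, backslash, single quote, double quote, Ctrl-Z.
function mysqlStyleEscape(string $s): string
{
    return strtr($s, [
        "\0"   => '\0',
        "\n"   => '\n',
        "\r"   => '\r',
        '\\'   => '\\\\',
        "'"    => "\\'",
        '"'    => '\\"',
        "\x1a" => '\Z',
    ]);
}

// What MySQL stores when it parses '...' with backslash escapes enabled
// (the default): known escapes map to their character, \% and \_ stay as
// they are, and any other \x becomes x.
function mysqlDecodeLiteral(string $literal): string
{
    $map = ['0' => "\0", 'n' => "\n", 'r' => "\r", 'b' => "\x08", 't' => "\t",
            'Z' => "\x1a", '%' => '\%', '_' => '\_'];
    return preg_replace_callback('/\\\\(.)/s',
        fn(array $m): string => $map[$m[1]] ?? $m[1], $literal);
}

// Point 2 of the second answer as a check: addslashes()/magic quotes leave
// line breaks alone, mysql_real_escape_string() turns them into \n. Stored
// text with \' but real line breaks therefore came through addslashes().
function blameForStrayBackslashes(string $stored): string
{
    if (!str_contains($stored, "\\'") && !str_contains($stored, '\\"')) {
        return 'no stray backslashes';
    }
    return str_contains($stored, '\n') || str_contains($stored, '\r')
        ? 'mysql_real_escape_string() applied twice'
        : 'addslashes()/magic_quotes_gpc before mysql_real_escape_string()';
}

// Constructed user input: a single quote, a line break and double quotes.
$input = "O'Reilly\nsays \"hi\"";

// magic_quotes_gpc on: $_POST already holds an addslashes()'d copy, so the
// value is escaped twice and MySQL stores O\'Reilly (the question's symptom).
$fromPost    = addslashes($input);
$storedBad   = mysqlDecodeLiteral(mysqlStyleEscape($fromPost));
// magic_quotes_gpc off: escaped exactly once, MySQL stores the original.
$storedGood  = mysqlDecodeLiteral(mysqlStyleEscape($input));
// The other double-escape: mysql_real_escape_string() run twice.
$storedTwice = mysqlDecodeLiteral(mysqlStyleEscape(mysqlStyleEscape($input)));

var_export([
    'stored with magic quotes on'  => $storedBad,
    'stored with magic quotes off' => $storedGood,
    'round-trips unchanged'        => $storedGood === $input,
    'blame (magic quotes)'         => blameForStrayBackslashes($storedBad),
    'blame (escaped twice)'        => blameForStrayBackslashes($storedTwice),
    // stripslashes() is the inverse of addslashes(), so it repairs rows that
    // came through magic quotes; run on rows that were stored correctly it
    // removes every legitimate backslash instead.
    'stripslashes() repairs'       => stripslashes($storedBad) === $input,
]);
echo "\n";

// The fix the comments point to: a prepared statement. The value never goes
// through escaping in application code, so there is nothing to reverse when
// reading it back. Parameters cover values only; identifiers and keywords
// still have to be whitelisted in code.
$pdo = new PDO('sqlite::memory:', null, null,
    [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$pdo->exec('CREATE TABLE t (id INTEGER PRIMARY KEY, name TEXT)');
$stmt = $pdo->prepare('INSERT INTO t (name) VALUES (:name)');
$stmt->execute([':name' => $input]);
$roundTrip = $pdo->query('SELECT name FROM t')->fetchColumn();
var_dump($roundTrip === $input);
```

Running it shows the stored value with magic quotes on still carrying \' and \" around a real line break, which blameForStrayBackslashes() attributes to addslashes(), while the twice-escaped variant carries a literal \n and is attributed to a second mysql_real_escape_string() call. The PDO round trip returns the input unchanged.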