 

Decoding mysql_real_escape_string() for outputting HTML

I'm trying to protect myself from sql injection and am using:

mysql_real_escape_string($string);

When posting HTML it looks something like this:

<span class="\&quot;className\&quot;">
<p class="\&quot;pClass\&quot;" id="\&quot;pId\&quot;"></p>
</span>

I'm not sure how many other variations real_escape_string adds, so I don't want to just replace a few and miss others... How do I "decode" this back into correctly formatted HTML, with something like:

html_entity_decode(stripslashes($string));
Peter Craig asked Apr 04 '10 02:04


1 Answer

You've got everything messed up.

mysql_real_escape_string doesn't need any decoding!

If you get your data back with slashes, it means that it has been escaped twice. And instead of stripping out the extra slashes you just shouldn't add them in the first place.

Not to mention that whatever escaping is obsoleted and you ought to use prepared statements instead of whatever escape string.

So, never escape, never decode.
The problem solved.

Your Common Sense answered Oct 23 '22 03:10
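As an added example (not code from the question or the answer), the PHP script below shows the double-escaping effect the question describes next to the prepared-statement approach the answer recommends. It uses PDO with an in-memory SQLite database so it runs without a MySQL server, and addslashes() stands in for mysql_real_escape_string(), which was removed in PHP 7; the stored table and column names are made up for the demonstration.

```php
<?php
// Added example, not part of the original question or answer.
// addslashes() is used here only to show what escaping does to the
// stored bytes; mysql_real_escape_string() no longer exists in PHP 7+.

// Constructed sample: the markup from the question, as the author wrote it.
$html = '<span class="className"><p class="pClass" id="pId"></p></span>';

// 1. Double escaping. Escaping once is what a hand-built SQL literal needs;
//    escaping that result again "escapes the escapes", so the backslashes
//    from the first pass are stored as data. That is where
//    class="\&quot;className\&quot;" in the question comes from.
function escapeTwice(string $value): array
{
    $once  = addslashes($value);  // <span class=\"className\"> ...
    $twice = addslashes($once);   // <span class=\\\"className\\\"> ...
    // A query built from $twice stores $once, backslashes included.
    return ['once' => $once, 'twice' => $twice];
}

// 2. Prepared statements send the value separately from the SQL text, so
//    nothing is escaped on the way in and nothing needs decoding on the
//    way out. Returns true when the stored value is byte-for-byte the input.
function roundTripWithPreparedStatement(string $value): bool
{
    $pdo = new PDO('sqlite::memory:');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->exec('CREATE TABLE posts (id INTEGER PRIMARY KEY, body TEXT NOT NULL)');

    $insert = $pdo->prepare('INSERT INTO posts (body) VALUES (:body)');
    $insert->execute([':body' => $value]);   // value is bound, never spliced into SQL
    $id = (int) $pdo->lastInsertId();

    $select = $pdo->prepare('SELECT body FROM posts WHERE id = :id');
    $select->execute([':id' => $id]);
    return $select->fetchColumn() === $value;
}

$escaped = escapeTwice($html);
echo "escaped once:  {$escaped['once']}\n";
echo "escaped twice: {$escaped['twice']}\n";
echo 'prepared statement stored the HTML unchanged: ',
     var_export(roundTripWithPreparedStatement($html), true), "\n";

// 3. Escaping belongs to the output context, applied at output time. To show
//    the stored HTML as literal text in a page, encode it here, not before
//    storing it; rendering it as markup means emitting it unencoded, which is
//    only appropriate when the author of the markup is trusted.
echo htmlspecialchars($html, ENT_QUOTES, 'UTF-8'), "\n";
```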