I have a piece of data that is large and will probably contain quotes and double quotes.
I'm using mysql_real_escape_string() to store it safely.
When I pull it out to look at it, all the quotes are escaped. I tried using str_replace to just get rid of all the quotes, but that turns \r\n's into rn. :(
How can I reverse it so the data comes back out the way it went in?
This extension was deprecated in PHP 5.5.0, and it was removed in PHP 7.0.
The real_escape_string() / mysqli_real_escape_string() function escapes special characters in a string for use in an SQL query, taking into account the current character set of the connection.
mysql_real_escape_string ALONE can prevent nothing. Moreover, this function has nothing to do with injections at all. Whenever you need escaping, you need it regardless of "security", simply because it is required by SQL syntax. And where you don't need it, escaping won't help you even a bit.
mysql_real_escape_string() and prepared statements need a connection to the database so that they can escape the string using the appropriate character set - otherwise SQL injection attacks are still possible using multi-byte characters.
Who says?
$keyword = "TEST'TEST";
$result1 = mysql_real_escape_string($keyword);
echo $result1; // TEST\'TEST
// Undo the escaping on the escaped string ($result1) before display.
$result2 = nl2br(stripslashes($result1));
echo $result2; // TEST'TEST
Do you use magic quotes?
Note: If magic_quotes_gpc is enabled, first apply stripslashes() to the data. Using this function [mysql_real_escape_string] on data which has already been escaped will escape the data twice.
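The double-escaping problem described in the note above, as an added example that is not part of the original thread: a value bound through a prepared statement comes back byte-for-byte, while a value that was already escaped before storage comes back with literal backslashes. It assumes the pdo_sqlite driver (an in-memory SQLite database stands in for MySQL), uses addslashes() as a stand-in for what magic_quotes_gpc did to request data, and the table name `notes` and the function `storeAndFetch()` are hypothetical.

```php
<?php
// Added example, not code from the thread. Hypothetical names: notes, storeAndFetch().
// Assumption: the pdo_sqlite driver is available; SQLite stands in for MySQL.

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE notes (id INTEGER PRIMARY KEY, body TEXT)');

/**
 * Store $body with a bound parameter and read the same row back.
 * No manual escaping happens here: the driver keeps data and SQL separate.
 */
function storeAndFetch(PDO $pdo, string $body): string
{
    $insert = $pdo->prepare('INSERT INTO notes (body) VALUES (:body)');
    $insert->execute([':body' => $body]);

    $select = $pdo->prepare('SELECT body FROM notes WHERE id = :id');
    $select->execute([':id' => $pdo->lastInsertId()]);

    return (string) $select->fetchColumn();
}

// Constructed sample: single quote, double quotes, and a real CR LF pair.
$original = "He said \"it's fine\"\r\nsecond line";

// Case 1: raw value, bound once. What comes out is what went in.
$clean = storeAndFetch($pdo, $original);
printf("bound raw value round-trips unchanged: %s\n",
    var_export($clean === $original, true));

// Case 2: value escaped before it reaches the database layer
// (addslashes() mimics magic_quotes_gpc). The backslashes are now data.
$dirty = storeAndFetch($pdo, addslashes($original));
printf("pre-escaped value round-trips unchanged: %s\n",
    var_export($dirty === $original, true));
printf("stored text of pre-escaped value: %s\n", json_encode($dirty));

// stripslashes() repairs the display of case 2, but the durable fix is to
// stop escaping twice on the way in, not to unescape on the way out.
printf("stripslashes() recovers the original: %s\n",
    var_export(stripslashes($dirty) === $original, true));
```

If backslashes show up in data read back from the database, the place to look is the write path: something escaped the value before the database layer escaped or bound it.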