When I add a comment using the variable below, apostrophes are printed with a backslash in front of them. How can I get rid of the backslashes?
Thanks in advance,
John
Example of printed result:
My roommate\'s brother\'s ex-girlfriend\'s aunt drive a Toyota.
$comment = mysql_real_escape_string($_POST['comment']);
mysql_real_escape_string() is adding backslashes, so you can inject your string safely into an SQL query -- this is acting as a protection against SQL Injections.
But this function should only be used when you want to build an SQL query -- not when you want to output something.
When you want to output a string to an HTML page, you'll generally use htmlspecialchars or htmlentities, to prevent XSS.
If you already have some backslashes before calling mysql_real_escape_string(), it might be because of Magic Quotes -- if so, you might want to first call stripslashes() on the input you get from the user, to not duplicate the backslashes.
from http://php.net/manual/en/function.mysql-real-escape-string.php
Note: If magic_quotes_gpc is enabled, first apply stripslashes() to the data. Using this function on data which has already been escaped will escape the data twice.
Isn't that exactly what mysql_real_escape_string is supposed to do? If you're still seeing the slashes after inserting the data into the database and fetching it back, make sure the magic_quotes_gpc server option is turned off.
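The separation the answers above describe, as an added example that is not part of the original posts: undo magic quotes once on input, escape for SQL only at the query, and escape for HTML only at output. It uses a PDO prepared statement on an in-memory SQLite database in place of mysql_real_escape_string() (an assumption, so it runs without a MySQL server); clean_input() and the sample comment are constructed for illustration.

```php
<?php
// Added example. Assumptions: PHP 7+ with pdo_sqlite; SQLite stands in for MySQL.

// Comment as the user typed it (constructed sample).
$typed = "My roommate's brother <b>drives</b> a Toyota.";

// With magic_quotes_gpc on, PHP ran addslashes() on request data before the
// script saw it. Simulate that here to reproduce the stray backslashes.
$posted = addslashes($typed);

// Hypothetical helper: strip magic-quote slashes once, at the input boundary.
// ini_get() returns false where the directive no longer exists (PHP 5.4+).
function clean_input(string $value, bool $forceMagicQuotes = false): string
{
    $magic = $forceMagicQuotes || (bool) ini_get('magic_quotes_gpc');
    return $magic ? stripslashes($value) : $value;
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE comments (id INTEGER PRIMARY KEY, body TEXT)');

// SQL boundary: a bound parameter keeps the value out of the query text,
// so no manual escaping is applied and nothing is added to the data.
$insert = $db->prepare('INSERT INTO comments (body) VALUES (:body)');

// Row 1: cleaned input, stored exactly as typed.
$insert->execute([':body' => clean_input($posted, true)]);

// Row 2: magic-quoted input stored as-is, so the backslash is now
// part of the stored data and will show up on every later read.
$insert->execute([':body' => $posted]);

$rows = $db->query('SELECT id, body FROM comments ORDER BY id')
           ->fetchAll(PDO::FETCH_ASSOC);

foreach ($rows as $row) {
    // HTML boundary: encode only when writing into the page, so the
    // apostrophe and the <b> tag are displayed as text, not interpreted.
    $html = htmlspecialchars($row['body'], ENT_QUOTES, 'UTF-8');
    echo "row {$row['id']} stored: {$row['body']}\n";
    echo "row {$row['id']} html:   {$html}\n";
}
```

Row 1 comes back without backslashes; row 2 keeps them, which is the symptom in the question when SQL escaping or magic quotes leak into displayed text.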