Sign Up to our social questions and Answers Engine to ask questions, answer people’s questions, and connect with other people.
Login to our social questions & Answers Engine to ask questions answer people’s questions & connect with other people.
Lost your password? Please enter your email address. You will receive a link and will create a new password via email.
Please briefly explain why you feel this question should be reported.
Please briefly explain why you feel this answer should be reported.
Please briefly explain why you feel this user should be reported.
How do prevent sql injection in php but still show ” and ‘? A the moment I am using
$input = strip_tags($input);
$input = htmlentities($input);
However the output is \” and \’. Is there anyway I can show ” and ‘ without the slashes but keep them there so I don’t get injected?
First, that code is not stripping backslashes, of course they’re still there. Use stripslashes() to take out backslashes, but DON’T DO IT.
If you see those slashes in the DB, and you HAVE USED mysql_real_escape_string, chances are you have magic_quotes_gpc on, and you’re just adding another set of slahses. Remove those auto added first and then apply mysql_real_escape_string, they won’t show this way but will still be there and make for a safe use in querying your DB.