Home/ Questions/Q 8918055
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-06-15T05:39:16+00:00

I am trying to protect against sql injections by using mysql_real_escape_string before inserting data

  • 0

I am trying to protect against sql injections by using mysql_real_escape_string before inserting data to the database:

$data=mysql_real_escape_string($_POST['data']);

Now, the data is stored as such:

That\\\'s an apostrophe.\r\n\r\nThis new line isn\\\'t displaying properly!

So, I am trying to get it to display correctly inside of a textarea after pulling it back out of mysql:

$data = nl2br($data);

For whatever reason, this does NOTHING. I’ve even tried str_replace to replace the \r\n's with a <br>, but then the <br> just displays within the textarea.

How do I get what’s in my mysql to display as:

That's an apostrophe.

This new line isn't displaying properly!
Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    you probably have magic_quotes turned on,
    check it with
    echo get_magic_quotes_gpc()
    or else you will double quote

    "Sets the magic_quotes state for GPC (Get/Post/Cookie) operations. When magic_quotes are on, all ‘ (single-quote), " (double quote), \ (backslash) and NUL’s are escaped with a backslash automatically. "

    by the way, it’s not a good ideia to use magic_quotes, try using one of this classes.

    PDO https://www.php.net/manual/en/book.pdo.php
    or mysqli https://www.php.net/manual/en/book.mysqli.php

    • 0