Home/ Questions/Q 6644035
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-05-26T00:07:13+00:00

I’m using following function before insertion html markup data into db table function html($data,

  • 0

I’m using following function before insertion html markup data into db table

function html($data, $db)
{     
    $data = $db->escape_string($data);
    return $data;
}

But there is problem: i see “/” – slash before every ” symbol
For ex.

<p style=\"margin-top: 15px; margin-right: 0px; margin-bottom: 10px; margin-left: 0px; padding-top: 0px; padding-right: 0px; padding-bottom: 10px; padding-left: 0px; \">

How to deal with that problem?

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    No, it depends on what your escape_string() function does.
    And, moreover, wheter you have magic_quotes_gpc directive turned on or off (it should be off by default).

    In order to insert safely into a database, you need to use mysql_real_escape_string()
    . NO addslashes(), NO home-brewed functions, but that one. Or, even better, use parametrized queries which lifts off your work of escaping quotes. Try with PDO

    EDIT :

    saw now the mysqli tag, so mysql_real_escape_string() is not an option, but the magic_quotes directive could still be the culprit for this.

    In case you have magic_quotes on you can either turn them off in your PHP ini, through ini_set('magic_quotes_gpc',0); , .htacces php_flag magic_quotes_gpc Off or have a simple function like this:

    function escape($value)
{
  if(get_magic_quotes_gpc())
  {
    $value = stripslashes($value);
  }
  //return mysql_real_escape_string($value);  changed after update
  return $value;
}

    Be sure to have an open connection before using mysql_real_escape_string() or it will return FALSE.

    Also, html DOESN’T NEED TO BE ESCAPED before going into a database. I mean, you need to escape YOUR QUERIES, and you achieve that by the methods I mentioned. Html and its maliciousness DOES NOTHING to the database.

    Html needs to be escape ON OUTPUT, and only then, and you use htmlentities() at minimum, but further action is required in order to escape any possibile XSS injection vulnerabilities. It’s a complex subject, it requires a lot of work in order to escape invisible control characters, malicious tags, and so on. You need to make further reasearch into this , and start reading about XSS Injection threats.

    Anyway, not allowing a code to be executed on the browser is a start for this. Don’t allow users to write html directly on your page (the same advice applies not only on user-submitted inputs, but on everything that comes from outside, like a $_GET parameter, or a Cookie, or even hidden form values) or you’ll easily have a <script></script> dangerous problem, that can lead to cookie stealing, bad redirecting, traffic hijacking, an so many things I can’t list here. USually htmlentities() provides a good level of protection against that, even though its output mithgt not be pretty.

    • 0