Unescaping an Escaped Entry

lovinlazio9

Hi Everyone, I was wondering how to unescape an escaped database entry if that makes sense. When they fill out a comment form, it shows up with words like..."that/'s the reason I/'m doing this" if that makes sense...i want to remove the "/" and I assume its doing that b/c I had to escape the text box when they enter info into the database....anything would help thanks!

Houdini

Actually it would look more like
"that\'s the reason I\'m doing this" and that is done by adding slashes to reverse it you would use stripslashes(). See how in the Manual!

bradgrafelman

lvinlazio9 wrote:
and I assume its doing that b/c I had to escape the text box when they enter info into the database

You mean the data you get back from the DB has the backslashes in it? If so, then you didn't insert the data properly.

I'm guessing you either called [man]addslashes/man/[man]mysql_real_escape_string/man twice (or one of each) OR used one of the functions after magic_quotes_gpc had done its job. For this reason, it is advisable to escape items in this manner:

if(!get_magic_quotes_gpc() {
    $name = (isset($_POST['name']) ? addslashes($_POST['name']) : '');
    $text = (isset($_POST['text']) ? addslashes($_POST['text']) : '');
} else {
    $name = (isset($_POST['name']) ? $_POST['name'] : '');
    $text = (isset($_POST['text']) ? $_POST['text'] : '');
}

I usually disable magic_quotes_gpc as well as use the above code. Why? Not only does it make your code portable (or simply withstand configuration changes the sysadmin makes at any time) but forces me to have better coding habits. Is it wise to rely on magic_quotes_gpc being there as opposed to constantly being aware of what data needs to be escaped (and ensuring it's done properly since you have to use the addslashes/mysql_real_escape_string functions yourself)? Personally, I choose the latter of the two.

lovinlazio9

thanks guys....stripslashes works!

sid

bradgrafelman wrote:

if(!get_magic_quotes_gpc()) {
   //stuff    

}

SCNR :-P