[RESOLVED] Reversing mysqli_real_escape_string?

jpoladsky

For my CMS I am using TinyMCE for a text editor to edit just the text put on a site. So people with limited html knowledge can still edit the content effectively.

My issue is that I have it set up so the content is stored in the database, and to prevent sql injection it is run through the mysqli_real_escape_string before it is stored in the database. I also have it run through stripslashes, because otherwise when you reopen it with TinyMCE for whatever reason it messes up the urls in links...😕

In anycase after being stored in the database my end result is the html script...and a bunch of leftovers from the mysqli_real_escape_string. Is there anyway to reverse what the mysqli_real_escape_string inserts into the code when it is printed on the site, and when it is printed in the editor?

NogDog

The slashes from the escape function do not end up in the database, just as the slashes used to escape quotes within a PHP quoted string do not get output in an echo statement. If you have backslashes inserted into your actual data, then most likely your system has magic_quotes_gpc turned on, and therefore your escape function is escaping the backslashes inserted by magic quotes.

The best solution would be to turn off magic_quotes_gpc if possible, otherwise use stripslashes() on the input data before applying mysqli_real_escape_string() to it. You can use the [man]get_magic_quotes_gpc/man function to test if it is turned on, e.g.:

if(get_magic_quotes_gpc())
{
   foreach ($_POST as $key => $val)
   {
      $_POST[$key] = stripslashes($val);
   }
}

sneakyimp

sounds to me like you are not running your mysql_real_escape_string and stripslashes at the right time. I'm not really sure what the data flow is in your site though so it's difficult to figure it out.

If you organize your code properly, it should never be necessary to reverse mysql_escape_string. I'm not sure why you are using stripslashes but my guess is that you are trying to reverse magic_quotes. You should be more careful about that too.

Generally speaking, you should only use stripslashes to get rid of magic quotes if [man]get_magic_quotes_gpc[/man] returns true.

Also, you should only run [man]mysql_real_escape_string[/man] ONCE on your data RIGHT BEFORE you insert it into your database and ONLY AFTER you have already stripslashed the text and ONLY IF the field is a text field.

jpoladsky

I must have not explained myself very well.
The stripslashes is being used to escape the magic_quotes.

if (isset($_POST['submitted'])) {

$errors = array();

if (empty($_POST['content'])) {
$errors[] = 'You have to write something...';
} else {
$t2 =mysqli_real_escape_string($dbc,$_POST['content']); 
$t = stripslashes($t2);
}	


if (empty($errors)) { // If everything's OK.

	// Make the query:
	$q = "UPDATE content SET text=?  WHERE content_id=$id LIMIT 1";
	$stmt = mysqli_prepare($dbc, $q);
	mysqli_stmt_bind_param($stmt, 's', $t);
	mysqli_stmt_execute($stmt);

the end result though will have r's and n's throughout the code from the mysqli_real_escape_string
I have tried it where it goes through the stripslashes first and then the mysqli_real_escape_string but it won't run the query for some reason..

laserlight

Use stripslashes() before using mysqli_real_escape_string(), and only if get_magic_quotes_gpc() returns true. Actually, you do not need to use mysqli_real_escape_string() since you are using a prepared statement.

jpoladsky

laserlight;10881017 wrote:
Use stripslashes() before using mysqli_real_escape_string(), and only if get_magic_quotes_gpc() returns true. Actually, you do not need to use mysqli_real_escape_string() since you are using a prepared statement.

when I put the stripslashes before it won't run the query to insert it into the database for some reason.

I thought you were always supposed to use mysqli_real_escape_string() when inputing data into the database?

NogDog

The bind_param function does its own escaping as applicable, so if you escape_string the value first, you are, in effect, escaping it twice.

jpoladsky

Oh wow! haha thank you!

Kudose

🙂

If this thread is resolved, please use the thread tools to mark it so.