Here I have a script to validate the description that users pass:

if (strlen($_POST['description']) > 250) {
    // Some error code here
} else {
    // Escapes for SQL and HTML-encodes the value before it is stored
    $description = $mysqli->escape_string(htmlentities(trim($_POST['description'])));
}

Now, I test the description with `I'm testing`. It would give me something like this when I print out the page:

As you can see, there's a backslash before the single quote.

I was considering using stripslashes(), but where should I use it?

potasmic
  • possible duplicate of [How can I prevent SQL injection in PHP?](http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php) – CBroe Feb 06 '14 at 05:02
  • Could be [due to magic quotes](http://stackoverflow.com/q/3006407/53114). – Gumbo Feb 06 '14 at 06:07

1 Answer

Use stripslashes() when you want to echo the variable.

echo $var;                 // --> I\'m testing. Not funny.
echo stripslashes($var);   // --> I'm testing. Not funny.

Working demo

Alireza Fallah
  • Thanks. I've just switched to prepared statements, too. And although I didn't escape it, it still returns slashes. So basically, I still need to `stripslashes` and use prepared statements – potasmic Feb 06 '14 at 05:19
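
An added example, not part of the original question or answer: it stores the raw description through a bound parameter and HTML-encodes only at output. It assumes, as Gumbo's comment suggests, that magic quotes is what still adds the slash, and undoes it once at input. It uses PDO with in-memory SQLite instead of the question's mysqli so it runs without a MySQL server; the `posts` table and all function names are hypothetical.

```php
<?php
// Added example: keep the raw value in the database, escape only at the point of use.
// Table name, column name and function names are hypothetical.

// Undo magic_quotes_gpc once, at input, if the runtime still applies it (PHP < 5.4).
// On newer PHP the version check short-circuits and the function is never called.
function raw_input_value($source, $key)
{
    $value = isset($source[$key]) ? (string) $source[$key] : '';
    if (PHP_VERSION_ID < 50400 && get_magic_quotes_gpc()) {
        $value = stripslashes($value);
    }
    return trim($value);
}

function save_description(PDO $db, $description)
{
    if (strlen($description) > 250) {
        return false; // same length limit as the question
    }
    // Bound parameter: no escape_string() and no htmlentities() before storage.
    $stmt = $db->prepare('INSERT INTO posts (description) VALUES (:d)');
    return $stmt->execute(array(':d' => $description));
}

function render_description($description)
{
    // HTML-encode at output time only; ENT_QUOTES also encodes the single quote.
    return htmlspecialchars($description, ENT_QUOTES, 'UTF-8');
}

// Constructed sample input standing in for $_POST.
$post = array('description' => "  I'm testing. <b>Not</b> funny.  ");

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE posts (id INTEGER PRIMARY KEY, description TEXT)');

save_description($db, raw_input_value($post, 'description'));
$stored = $db->query('SELECT description FROM posts')->fetchColumn();

echo $stored, "\n";                     // value as stored in the table
echo render_description($stored), "\n"; // value as written into the HTML page
```

With this split the stored row contains no backslashes or HTML entities, so nothing has to be stripped again when the value is displayed.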