I'm trying to protect myself from SQL injection and am using:
mysql_real_escape_string($string);
When posting HTML, it looks something like this:
<span class="\"className\"">
<p class="\"pClass\"" id="\"pId\""></p>
</span>
I'm not sure how many other variations real_escape_string adds, so I don't want to just replace a few and miss others... How do I "decode" this back into correctly formatted HTML, with something like:
html_entity_decode(stripslashes($string));
I think a number of other answers missed the obvious issue...
You are using mysql_real_escape_string on the inputted content (as you should if not using prepared statements).
Your issue is with the output.
The current issue is that you are calling html_entity_decode. Just stripslashes is all you need to restore the original text. html_entity_decode is what is messing up your quotes, etc., as it is changing them. You actually want to output the HTML, not just plain text (which is when you would use htmlentities, etc.). You are decoding something you want encoded.
If you only want the text version to show up, you can use the entities. If you are worried about bad tags, use strip_tags and allow only the tags you want (such as b, i, etc.).
Finally, remember to encode and decode in the proper order. If you ran mysql_real_escape_string(htmlentities($str)), then you need to run html_entity_decode(stripslashes($str)). The order of operations matters.
UPDATE: I did not realize that html_entity_decode also strips out slashes. It was not clearly documented on that page, and I just never caught it. I will still automatically run it though, as most HTML that I present I want left as entities, and even when I don't, I prefer to make that decision outside of my DB class, on a case-by-case basis. That way, I know the slashes are gone.
It appears the original poster is running htmlentities (or his input program, like TinyMCE, is doing it for him), and he wants to turn it back into content. So, html_entity_decode($str) should be all that is required.
You got everything messed up.
mysql_real_escape_string doesn't need any decoding.
If you get your data back with slashes, it means that it has been escaped twice. And instead of stripping out the extra slashes you should just not add them.
Not to mention that whatever escaping is obsolete and you ought to use prepared statements instead of whatever escape string.
So, never escape, never decode.
Problem solved.
mysql_real_escape_string is used to prevent SQL injection when storing user-provided data into the database, but a better method would be to use data binding using PDO (for example). I always recommend using that instead of messing with escaping. That being said, regarding your question on how to display it afterwards: after the data is stored, when you retrieve it the data is complete and valid without any need to be "unescaped". Unless you added your own escaping sequences, so please don't do that.
Use the following function to remove slashes while showing on an HTML page:
stripslashes();
e.g. $html=stripslashes($html); OR $html=stripslashes($row["fieldname"]);
Even if it's an old question... I've had the same problem as Peter Craig. In fact I have to deal with an old CMS. In order to prevent SQL injection, all $_POST and $_GET values are "sql-escaped". Unfortunately this is done in a central point, so all your modules are receiving all data sql-escaped! In some cases you want to directly display these data, so you face a problem: how to display a sql-escaped string without getting it from the DB? The answer is: use stripcslashes (NOT stripslashes!!)
http://php.net/manual/en/function.stripcslashes.php
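The difference between stripslashes and stripcslashes that the answer above relies on, as an added example that is not part of that answer: mysql_real_escape_string() needs a live MySQL connection, so the escaping is re-implemented here from the character list the PHP manual documents for it (NUL, newline, carriage return, backslash, single quote, double quote and Control-Z). The mysqlStyleEscape() helper is therefore a model of the library function, not the function itself, and the input string is constructed for the demo.

```php
<?php
// Added example (not from the answer above): why stripslashes() does not undo
// mysql_real_escape_string()-style escaping but stripcslashes() does.
declare(strict_types=1);

// Model of mysql_real_escape_string(), built from the manual's documented
// character list. Assumption: this is what the legacy CMS applied to $_POST.
function mysqlStyleEscape(string $s): string
{
    return strtr($s, [
        "\0"   => '\\0',
        "\n"   => '\\n',
        "\r"   => '\\r',
        "\\"   => '\\\\',
        "'"    => "\\'",
        '"'    => '\\"',
        "\x1a" => '\\Z',
    ]);
}

// True when a decoder gives back exactly the bytes that were escaped.
function roundTrips(string $original, string $decoded): bool
{
    return $decoded === $original;
}

// Constructed input: a double quote, a single quote, a literal backslash and a
// real newline, i.e. everything a pasted HTML snippet might contain.
$original = "<p class=\"pClass\">It's C:\\temp\nline two</p>";
$escaped  = mysqlStyleEscape($original);

// stripslashes() only removes backslashes: the two characters \n become "n",
// so the newline is lost. stripcslashes() interprets C-style escapes and turns
// \n back into a newline while still handling \", \' and \\.
$viaStripslashes  = stripslashes($escaped);
$viaStripcslashes = stripcslashes($escaped);

echo "escaped:       ", json_encode($escaped), "\n";
echo "stripslashes:  ", json_encode($viaStripslashes),
     "  restores original: ", var_export(roundTrips($original, $viaStripslashes), true), "\n";
echo "stripcslashes: ", json_encode($viaStripcslashes),
     "  restores original: ", var_export(roundTrips($original, $viaStripcslashes), true), "\n";
```

Two caveats when using this in the legacy situation the answer describes: stripcslashes() maps the escaped Control-Z sequence \Z to the letter Z rather than back to 0x1A, and it parses up to three octal digits after a backslash, so an escaped NUL byte that happened to be followed by digits 0-7 in the original is decoded as a different byte. For ordinary text and HTML neither case arises; if it can, the reliable fix is the one the other answers give, which is to stop escaping at the central point and bind parameters instead.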
The mysql_real_escape_string() manual page tells you which characters are escaped:
You could successfully reverse the escaping by replacing those escaped characters with their unescaped forms.
mysql_real_escape_string() shouldn't be used to sanitize HTML though... there's no reason to use it before outputting web page data. It should only be used on data that you're about to put into the database. Your sanitization process should look something like this:
Input: mysql_real_escape_string()
Output: htmlspecialchars() before printing
Using a different database driver such as MySQLi or PDO will allow you to use prepared statements, which take care of escaping most inputs for you. However, if you can't switch or take advantage of those, then definitely use mysql_real_escape_string()... just only use it before inserting data.
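The "escape on input, encode on output, never decode" process that this answer and the prepared-statement answers above describe, as an added example that is not code from any of the answers: it stores HTML with PDO bound parameters, reads it back unchanged, shows the "escaped twice" mistake that produces strings like class=\"className\", and HTML-encodes only at output time. It uses an in-memory SQLite database so it runs offline; the assumption is that the pdo_sqlite extension is loaded, and addslashes() stands in for the legacy escape step. Against MySQL only the DSN and credentials passed to new PDO() would change.

```php
<?php
// Added example, not from the question or the answers above. Assumes the
// pdo_sqlite extension; with MySQL only the DSN given to new PDO() changes.
declare(strict_types=1);

function openDb(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE posts (id INTEGER PRIMARY KEY, body TEXT NOT NULL)');
    return $db;
}

function storePost(PDO $db, string $body): int
{
    // The body travels as a bound parameter: quotes and backslashes in it are
    // data, not SQL syntax, and nothing is added to the bytes that get stored.
    $stmt = $db->prepare('INSERT INTO posts (body) VALUES (:body)');
    $stmt->execute([':body' => $body]);
    return (int) $db->lastInsertId();
}

function loadPost(PDO $db, int $id): string
{
    $stmt = $db->prepare('SELECT body FROM posts WHERE id = :id');
    $stmt->execute([':id' => $id]);
    return (string) $stmt->fetchColumn();
}

function countPosts(PDO $db): int
{
    return (int) $db->query('SELECT COUNT(*) FROM posts')->fetchColumn();
}

// Output side, for the case where the value must show up as text, not markup.
// This is the only place HTML encoding belongs.
function renderAsText(string $body): string
{
    return htmlspecialchars($body, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

$db = openDb();

// Constructed sample input: HTML like the poster's, containing both quote
// characters and a backslash, plus a classic injection payload.
$html   = '<span class="className"><p class="pClass" id="pId">O\'Reilly wrote C:\\temp</p></span>';
$attack = "'); DROP TABLE posts; --";

$id = storePost($db, $html);
echo "bound parameter round-trips unchanged: ",
     var_export(loadPost($db, $id) === $html, true), "\n";

storePost($db, $attack);
echo "table survives the injection attempt, rows stored: ", countPosts($db), "\n";

// The "escaped twice" mistake: escaping the value AND binding it stores the
// backslashes as data. addslashes() stands in for the legacy escape step here
// (magic_quotes_gpc applied the same transformation to every request value).
$doubled = loadPost($db, storePost($db, addslashes($html)));
echo "escape-then-bind round-trips unchanged: ",
     var_export($doubled === $html, true), "\n";
echo "what got stored: ", $doubled, "\n";

// Display: raw when the HTML is trusted, encoded when it must appear as text.
echo "as markup: ", loadPost($db, $id), "\n";
echo "as text:   ", renderAsText(loadPost($db, $id)), "\n";
```

Run it with php on the command line. With pdo_mysql, also set PDO::ATTR_EMULATE_PREPARES to false so the server, not the driver, does the binding. Whether the raw markup may be echoed at all is a separate decision: untrusted HTML still needs tag allowlisting (strip_tags, as the first answer mentions, or a real HTML sanitizer) before it is output as markup, and that step has nothing to do with the SQL escaping.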