mysql_real_escape_string does not escape "

Question

In PHP, I am escaping characters before insert in a MySQL database using mysql_real_escape_string

$array_to_insert = array_map('mysql_real_escape_string', $my_arr);
$mysql->setTbl("mytable");
$id = $mysql->insertArray($array_to_insert);

When saving, double quotes are being saved as escaped with a \. I do not want this, since some of the data is HTML and it may contain tags like <a href="www.stackoverflow.com"> etc, which will be saved as <a href=\"www.stackoverflow.com\"> and then displayed incorrectly in a WordPress setup.

I have read elsewhere on stackoverflow that to avoid escaping the double quotes, one must first insert (as above) then select and insert into a table again.

Is there a way to solve this issue without having to select and re-insert?

Thanks (note: the database I am using is in utf-8 format)

Where did you read that insert/select/insert? That's a terrible solution - simshaun's answer should just about cover it, since this does smell of a double-escaping issue. — HorusKol
– HorusKol, Commented Dec 8, 2011 at 23:19

simshaun · Accepted Answer · 2011-12-08 22:24:37Z

4

Your server may have magic_quotes enabled. Check it with

var_dump( get_magic_quotes_gpc() );

Otherwise, it's probably something you are doing beforehand or that your db library is doing. mysql_real_escape_string only escapes the string so that it is safe to use in a SQL query. It can't help if the string is already escaped to begin with.

answered Dec 8, 2011 at 22:24

simshaun

21.5k1 gold badge60 silver badges73 bronze badges

Sign up to request clarification or add additional context in comments.

1 Comment

scorpio1441 Over a year ago

magic_quotes has been DEPRECATED as of PHP 5.3.0 and REMOVED as of PHP 5.4.0. This is not the issue!

Magento Guy · Accepted Answer · 2011-12-08 23:17:39Z

2

You could always strip slashes on the way out using http://php.net/manual/en/function.stripslashes.php

for instance:

$sql = "SELECT * FROM table_name";
$result = mysql_query($sql) or mysql_error();
while ($output = mysql_fetch_assoc($result)) {
  echo stripslashes($output['column_name']);
}

alternatively, just remove all escaped double quotes:

echo str_replace('\"', '"', $output['column_name']);

edited Dec 8, 2011 at 23:17

answered Dec 8, 2011 at 23:11

Magento Guy

2,4851 gold badge17 silver badges13 bronze badges

Collectives™ on Stack Overflow

mysql_real_escape_string does not escape "

2 Answers 2

1 Comment

Comments

Hot Network Questions

Collectives™ on Stack Overflow

2 Answers 2

1 Comment

Comments

Related