Larry Ullman's Book Forums

I Think Mysqli_Real_Escape_String Removes Too Much



I have downloaded the files from the first project in this book and installed locally.

Everything seems to work fine except when I try to add a page with a picture.

In TinyMCE the picture shows up, but when I press the add new page button all the code in the text area goes through mysqli_real_escape_string and all the " around the image paths are escaped.

Can anyone tell me how to avoid this?


First of all, mysqli_real_escape_string() doesn't remove anything. Nothing at all. It ADDS slashes to potentially problematic characters, such as the quotation marks. I suspect perhaps that you have Magic Quotes enabled and your HTML is being doubly-escaped, which is causing the problem.

  • Upvote 1

  • 6 months later...

Hello, friends! Please note that I have a question that is partially related to this inquiry. I believe that you would add slashes when inserting or updating code from, say, a POST array from a form, into the MySQL database. So, for "inserts" and "updates", you would use add slashes or mysqli_real_escape_string? When else would you use the add slashes or mysqli_real_escape_string?

Also, I'm not sure when you would use the strip slashes function (or when you would reverse the mysqli_real_escape_string function if that is at all possible).

Please kindly advise!


You use mysqli_real_escape_string() for any string value used in any query, regardless of the type. The only time you would use the stripslashes() function is if extraneous slashes are being added, like if Magic Quotes is on. But Magic Quotes has been disabled and then removed, so...I pretty much never use stripslashes() anymore.

  • Upvote 1
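
The double escaping suspected in the first reply, as an added example that is not part of the original thread or the book's code. It models what ends up stored when Magic Quotes has already run addslashes() on the POST data and the script then escapes it again. `escape_for_mysql()` and `mysql_literal_value()` are hypothetical stand-ins (mysqli_real_escape_string() needs a live connection, and the second function is a simplified model of how MySQL reads a quoted literal); the sample HTML is constructed.

```php
<?php
// Constructed sample: markup as TinyMCE might submit it.
$submitted = '<img src="images/photo.jpg" alt="A photo">';

// Stand-in for mysqli_real_escape_string() (assumption: default SQL mode).
// It prefixes the same characters with a backslash: \ NUL LF CR ' " Ctrl-Z.
function escape_for_mysql(string $s): string
{
    return strtr($s, [
        "\\" => "\\\\", "\0" => "\\0", "\n" => "\\n", "\r" => "\\r",
        "'"  => "\\'",  '"'  => '\\"', "\x1a" => "\\Z",
    ]);
}

// Simplified model of MySQL parsing a quoted string literal: each escape
// sequence collapses to one character, so exactly one layer is consumed.
// (The \% and \_ pattern escapes are left out of this model.)
function mysql_literal_value(string $literal): string
{
    $map = ['0' => "\0", 'n' => "\n", 'r' => "\r", 'Z' => "\x1a",
            'b' => "\x08", 't' => "\t"];
    return preg_replace_callback('/\\\\(.)/s', function (array $m) use ($map) {
        return $map[$m[1]] ?? $m[1];
    }, $literal);
}

// Value the database would hold for a given submission.
function stored_value(string $input, bool $magicQuotes): string
{
    // Magic Quotes applied addslashes() to request data before the script ran.
    $received = $magicQuotes ? addslashes($input) : $input;
    $literal  = escape_for_mysql($received);   // the script's own escaping
    return mysql_literal_value($literal);      // what the server stores
}

foreach ([false, true] as $magicQuotes) {
    $stored = stored_value($submitted, $magicQuotes);
    printf(
        "Magic Quotes %s\n  stored:    %s\n  unchanged: %s\n",
        $magicQuotes ? 'on' : 'off',
        $stored,
        $stored === $submitted ? 'yes' : 'no'
    );
}
```

With a single escaping layer the parser consumes every added backslash and the markup is stored as submitted; with two layers one backslash per quote survives into the stored HTML, which is the only case where stripslashes() on the incoming data is warranted.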