5

I have some pages that are stored in databases. For security purposes, all the pages are escaped before being saved into the DB, but then when I print the page, the HTML tags are still escaped. Like this:

<a href=\"mypage.se\" alt=\"\">Link</a>

Obviously, that doesn't work very well, so how do I unescape the pages? I've tried with html_entity_decode without any success.

Anton Gildebrand
    Your "security purposes" should not mean that content is escaped when it is *stored* in the database — only that it is escaped for the query. If your database fields contain backslashes then I would consider revisiting your saving mechanism – cmbuckley Apr 30 '12 at 09:48
  • Oh, my mistake. Ofc it doesn't have an Alt attribute – Anton Gildebrand Apr 30 '12 at 10:44
    No, you are undermining the security of your application, not enhancing it. You should only change the representation of data at the point where it leaves PHP, and the new representation should be appropriate to where the data is going. Your current insert operation is fundamentally flawed. Trying to fix the problem when you retrieve the data does not help. – symcbean Apr 30 '12 at 11:44

4 Answers

10

While data should be escaped before inserting it into the database, it shouldn't still be escaped when you take it out. The root cause of your problem is that it is being escaped twice between collection and examining it after it comes out of the database.

You should track down why it is being escaped twice and fix that.

That may leave the existing data broken though (it depends on if the data is being escaped twice on the way in or if it is being escaped on the way out of the database with magic_quotes_runtime). If so, you will need to clean it up. That form of escaping has nothing to do with HTML and can be reversed with stripslashes.

The clean up will look something like:

  1. SELECT * from database_table
  2. Create a prepared UPDATE statement to update a row
  3. foreach row stripslashes on the data that was double escaped, pass the data to the prepared statement
Quentin
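The three clean-up steps in the answer above, written out as an added PHP example (mine, not Quentin's code). It assumes a hypothetical `pages` table with `id` and `content` columns and an existing PDO handle in `$pdo`; it uses a single prepared UPDATE with bound parameters so the restored content never touches the SQL text, and it only strips slashes from rows that actually show addslashes-style sequences (a heuristic, so run it in dry-run mode against a backup first).

```php
<?php
// Added example, not code from the answer: a one-off clean-up for rows that
// were escaped twice on the way into the database. Table and column names
// (`pages`, `id`, `content`) are hypothetical; $pdo is an existing PDO handle.

function looksDoubleEscaped(string $s): bool
{
    // addslashes()/magic_quotes turn ' " \ into \' \" \\ ; HTML that was
    // stored correctly should not contain these sequences (heuristic check).
    foreach (['\\"', "\\'", '\\\\'] as $seq) {
        if (strpos($s, $seq) !== false) {
            return true;
        }
    }
    return false;
}

function cleanDoubleEscapedPages(PDO $pdo, bool $dryRun = true): int
{
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    // Step 1: read every row up front so the cursor is closed before updating.
    $rows = $pdo->query('SELECT id, content FROM pages')->fetchAll(PDO::FETCH_ASSOC);
    // Step 2: one prepared UPDATE; bound parameters mean the restored content
    // is never spliced into SQL text, so the value itself needs no escaping.
    $update = $pdo->prepare('UPDATE pages SET content = :content WHERE id = :id');
    $fixed = 0;
    $pdo->beginTransaction();
    try {
        // Step 3: stripslashes() only on rows that actually look double escaped.
        foreach ($rows as $row) {
            if (!looksDoubleEscaped($row['content'])) {
                continue;
            }
            if (!$dryRun) {
                $update->execute([':content' => stripslashes($row['content']), ':id' => $row['id']]);
            }
            $fixed++;
        }
        $dryRun ? $pdo->rollBack() : $pdo->commit();
    } catch (Throwable $e) {
        $pdo->rollBack();
        throw $e;
    }
    return $fixed;
}

// Usage (uncomment; dry-run first and keep a backup of the table):
// $pdo = new PDO('mysql:host=localhost;dbname=site', 'user', 'pass');
// echo cleanDoubleEscapedPages($pdo, false), " rows restored\n";
```

The dry run reports how many rows would change without writing anything, which lets you compare the count against what you expect before committing.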
4

Use stripslashes(): http://uk3.php.net/manual/en/function.stripslashes.php

Tom Hallam
0

Use stripslashes($str) to retrieve the content and remove the slashes added while inserting the content into the database.

thanks

Er. Anurag Jain
-3

MySQL database input strings should always be escaped using mysql_real_escape_string(), and when they come out, they should be unescaped using stripslashes(). For numbers like IDs, those should be converted to integers using int() and then range checked: for instance, AUTO_INCREMENT columns like IDs by default start with 1. So for a validation check on anything you get from $_GET[] or $_POST[], check that your int()'ed number is >= 1. Filter all your integers through int(). Filter all your real numbers through doubleval(), unless you are working with monetary values and you have your own decimal number class - floating point can mangle money.

Jim Michaels
    use of `mysql_real_escape_string` on the input does not mean you need `stripslashes` on the output; the escaping is done for the query, not what is stored in the database. For example `INSERT INTO table VALUES ('Peter O\'Toole')` results in the field containing `Peter O'Toole` (no backslashes). `SELECT * FROM table` will also contain no backslashes. – cmbuckley Apr 30 '12 at 09:55
    And you shouldn't use `mysql_real_escape_string`. PDO and bound arguments are a better approach. I don't understand why you went off on a ramble about ids and currency though, the question is about HTML. – Quentin Apr 30 '12 at 10:29