I'm trying to protect myself from SQL injection and am using:
mysql_real_escape_string($string);
When posting HTML it looks something like
The mysql_real_escape_string() manual page tells you which characters are escaped:
mysql_real_escape_string() calls MySQL's library function mysql_real_escape_string, which prepends backslashes to the following characters: \x00, \n, \r, \, ', " and \x1a.
You could successfully reverse the escaping by replacing those escaped characters with their unescaped forms.
mysql_real_escape_string() shouldn't be used to sanitize HTML though... there's no reason to use it before outputting web page data. It should only be used on data that you're about to put into the database. Your sanitization process should look something like this:
Input: mysql_real_escape_string()
Output: htmlspecialchars() before printing
Using a different database driver such as MySQLi or PDO will allow you to use prepared statements, which take care of escaping most inputs for you. However, if you can't switch or take advantage of those, then definitely use mysql_real_escape_string() ... just only use it before inserting data.
Well, I took a stab at this the old-fashioned way and so far I am unable to see anything wrong with my approach. Obviously it's a bit crude but it gets the job done:
    function mysql_unreal_escape_string($string) {
        // Escape sequences produced by mysql_real_escape_string(), listed without
        // their leading backslash. Note that a NUL byte is written as \0 and
        // Ctrl-Z (\x1a) as \Z; the original entries 'x00' and 'x1a' never matched.
        $characters = array('0', 'n', 'r', '\\', '\'', '"', 'Z');
        // The original byte each sequence stands for, same order as above.
        $o_chars = array("\x00", "\n", "\r", "\\", "'", "\"", "\x1a");
        for ($i = 0; $i < strlen($string); $i++) {
            if (substr($string, $i, 1) === '\\') {
                foreach ($characters as $index => $char) {
                    // Only look past the backslash when enough bytes remain; a
                    // strict comparison avoids substr() returning false on older PHP.
                    if ($i + strlen($char) < strlen($string) && substr($string, $i + 1, strlen($char)) === $char) {
                        // Collapse the two-byte sequence into its original byte. The
                        // loop then advances past it, so "\\" followed by "n" decodes
                        // to a backslash and a letter n, not to a newline.
                        $string = substr_replace($string, $o_chars[$index], $i, strlen($char) + 1);
                        break;
                    }
                }
            }
        }
        return $string;
    }
This should cover most cases.
I was wondering why this routine doesn't have an accompanying decoder routine. It's probably interpreted by MySQL the exact same way as if it were not escaped. You get the unescaped results when you do $row = mysql_fetch_array($res, MYSQL_ASSOC);
You got everything messed up.
If you get your data back with slashes, it means that it has been escaped twice. And instead of stripping out the extra slashes you should just not add them.
Not to mention that whatever escaping is obsoleted and you ought to
instead of whatever escape string.
So, never escape, never decode.
The problem solved.
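The pipeline that this answer and the first one describe (bind values through a prepared statement on the way in, call htmlspecialchars() only at the moment of output, never strip or decode anything) as a runnable example. This is added here and is not code from the question or from any of the answers. It uses PDO with an in-memory SQLite database so it runs without a MySQL server; against MySQL only the DSN and credentials change. The table name posts and the column body are invented for the example.

```php
<?php
// Added example; not code from the question or any answer above. It uses PDO
// with an in-memory SQLite database so it runs without a MySQL server; against
// MySQL only the DSN and credentials change, the statements stay the same.
// The table name "posts" and the column "body" are invented for the example.

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE posts (id INTEGER PRIMARY KEY, body TEXT NOT NULL)');

// Constructed user input: contains a quote, SQL, HTML and a newline.
$body = "Robert'); DROP TABLE posts;-- <script>alert('x')</script>\nline two";

// 1. Store: the value is bound as a parameter and never spliced into the SQL
//    text, so nothing is escaped on the way in and nothing has to be
//    un-escaped on the way out. No mysql_real_escape_string(), no addslashes().
$insert = $pdo->prepare('INSERT INTO posts (body) VALUES (:body)');
$insert->execute([':body' => $body]);

// 2. Read: the row comes back byte for byte as it was submitted.
$select = $pdo->prepare('SELECT body FROM posts WHERE id = :id');
$select->execute([':id' => (int) $pdo->lastInsertId()]);
$stored = $select->fetchColumn();
if ($stored !== $body) {
    throw new RuntimeException('stored value differs from input: something escaped it twice');
}

// 3. Display: escape for the output context only, at the moment of output.
//    htmlspecialchars() neutralises the <script> tag and both kinds of quote;
//    nl2br() turns the stored newline into a <br /> for the page.
function render_post(string $text): string
{
    return '<p>' . nl2br(htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8')) . '</p>';
}
echo render_post($stored), "\n";

// The "injection" was stored as plain data: the table still exists and holds one row.
echo 'rows in posts: ', $pdo->query('SELECT COUNT(*) FROM posts')->fetchColumn(), "\n";
```

The same shape works with MySQLi (prepare(), bind_param(), execute()); what matters is that the submitted bytes reach the database as a parameter rather than as part of the query text, so there is never a second copy of the data with slashes in it to decode.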
Use the following function to remove slashes when showing the data on an HTML page:
stripslashes();
eg. $html=stripslashes($html); OR $html=stripslashes($row["fieldname"]);
Even if it's an old question... I've had the same problem as Peter Craig. In fact I have to deal with an old CMS. In order to prevent SQL injection, all $_POST and $_GET values are "sql-escaped". Unfortunately this is done in a central point so all your modules are receiving all data sql-escaped! In some cases you want to directly display these data so you face a problem: how to display a sql-escaped string without getting it from the DB? The answer is: use stripcslashes (NOT stripslashes!!)
http://php.net/manual/en/function.stripcslashes.php
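For anyone who, like the two answers above (the hand-written mysql_unreal_escape_string() and the stripcslashes() suggestion), really does have to reverse the escaping: the example below, added here and not taken from the question or any answer, spells out the exact escape table that libmysqlclient's mysql_real_escape_string() applies and derives the exact inverse from it with strtr(). Because the real function needs an open connection (and the mysql extension is gone since PHP 7), mysql_escape_stand_in() re-implements the documented table as a stand-in; both function names are invented for this example, the inputs are constructed, and it assumes the default sql_mode (with NO_BACKSLASH_ESCAPES the server expects doubled quotes instead and none of this applies). It also runs stripcslashes() over the same strings so the two byte classes where a C-style decoder reads the sequence differently from the way MySQL wrote it are visible.

```php
<?php
// Added example; not code from the question or any answer above.
// mysql_real_escape_string() needs an open connection, so mysql_escape_stand_in()
// applies the escape table documented for it instead (charset-naive, default
// sql_mode). Both function names are invented for this example.

// byte => escape sequence written by libmysqlclient's mysql_real_escape_string()
const MYSQL_ESCAPES = [
    "\x00" => '\\0',    // NUL is written as backslash-zero, not as "\x00"
    "\n"   => '\\n',
    "\r"   => '\\r',
    "\\"   => '\\\\',
    "'"    => "\\'",
    '"'    => '\\"',
    "\x1a" => '\\Z',    // Ctrl-Z is written as backslash-Z, not as "\x1a"
];

function mysql_escape_stand_in(string $s): string
{
    return strtr($s, MYSQL_ESCAPES);
}

// Exact inverse. strtr() with an array scans left to right and never re-reads
// text it has already replaced, so the three bytes \ \ n decode to a backslash
// followed by the letter n, not to a newline.
function mysql_unescape(string $s): string
{
    return strtr($s, array_flip(MYSQL_ESCAPES));
}

// Constructed inputs. The last two are the cases where stripcslashes(), which
// understands C escapes (\n, \t, \xhh, octal \ooo ...), diverges from MySQL:
// NUL followed by digits is escaped as \012, which it reads as one octal byte,
// and \Z is not a C escape, so it keeps a plain Z and drops the byte 0x1a.
$samples = [
    'quotes and HTML'     => "O'Reilly said \"hi\" <b>bold</b>\r\n",
    'literal backslash-n' => 'C:\\temp\\new',
    'NUL then digits'     => "\x00" . "12",
    'Ctrl-Z'              => "EOF \x1a",
];

foreach ($samples as $label => $original) {
    $escaped = mysql_escape_stand_in($original);
    printf("%-20s escaped=%-42s strtr:%s stripcslashes:%s\n",
        $label,
        json_encode($escaped),
        mysql_unescape($escaped) === $original ? 'ok' : 'MISMATCH',
        stripcslashes($escaped) === $original ? 'ok' : 'MISMATCH');
}
```

For ordinary text (quotes, HTML, newlines, literal backslashes) the two decoders agree; only binary content with NUL or 0x1a bytes separates them, which is exactly the content a generic C-escape decoder was never written for. If the central escaping in a legacy CMS cannot be removed, a decoder built from the escape table itself, as above, is the one that round-trips every byte; the better fix remains not escaping before the data reaches the query.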