-1

I inserted some HTML text into the database after escaping it using mysql_real_escape_string, and I am trying to add it to an XML document to be read by a Flash file. I am using the DOMDocument class to make the XML document. Here are my tries and outputs:

try 1:

```php
$descC = $doc->createCDATASection(stripslashes($sql['body']));
$desc = $doc->createElement('desc');
$desc->appendChild($descC);
```

output:

A lot of slashes!

try 2:

```php
$desc = $doc->createElement('desc', htmlentities(stripslashes($sql['body'])));
```

output:

Also a lot of slashes

Any ideas?

Quentin
Kareem Mohamed
  • 1
    Where exactly does `$sql['body']` come from? From the database? If yes, it shouldn't have any slashes – Pekka Aug 12 '12 at 17:06
  • It comes from the database. It has slashes because I escaped it before inserting – Kareem Mohamed Aug 13 '12 at 00:12
  • 1
    @user1460518 — Escaping replaces characters with special meaning with escape sequences. It does not add slashes to the *data*. – Quentin Aug 13 '12 at 08:20

2 Answers

0

I think magic quotes are enabled in your configuration.

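You must check it before escaping via mysql_real_escape_string(), as it will add more slashes.

```php
// Undo the slashes magic quotes already added to the request data
if (get_magic_quotes_gpc()) {
    $b = stripslashes($b);
}

// Escape once for use in the SQL statement
$b = mysql_real_escape_string($b);
```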

Abhishek
  • 1
    The proper solution would be to turn off magic_quotes to begin with, rather than slapping on a bandaid. – Marc B Aug 12 '12 at 17:38
0

> It comes from the database. It has slashes because I escaped it before inserting

Your data shouldn't have extraneous slashes when it comes out of the database; what is added when escaping the data shouldn't be visible in the final result, and no stripslashes() should be necessary any more.

You most likely have a problem in the way you prepare your data for the database. Maybe show us that.

Pekka
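
An added example, not part of the question or either answer: it stores the same HTML once escaped a single time and once after `addslashes()` (the effect magic quotes had on request data), then writes both into CDATA sections without `stripslashes()`. Assumptions: an in-memory SQLite database and `PDO::quote()` stand in for MySQL and `mysql_real_escape_string()`, and the `posts` table and `store()` helper are hypothetical names.

```php
<?php
// Constructed sample input: HTML containing quotes, as it might arrive from a form.
$raw = '<p class="intro">It\'s a "test"</p>';

// In-memory SQLite stands in for MySQL (assumption), so the script runs offline.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE posts (label TEXT, body TEXT)');

// store() is a hypothetical helper: escape each value once with the driver's
// own escaping function, then build the INSERT statement.
function store(PDO $pdo, string $label, string $body): void
{
    $pdo->exec('INSERT INTO posts (label, body) VALUES ('
        . $pdo->quote($label) . ', ' . $pdo->quote($body) . ')');
}

// Case 1: escaped once. The escape sequences are consumed by the SQL parser,
// so the stored value is identical to $raw.
store($pdo, 'escaped once', $raw);

// Case 2: addslashes() first, which is what magic_quotes_gpc did to request
// data, then escaped again. The backslashes are now part of the stored data.
store($pdo, 'double escaped', addslashes($raw));

$doc = new DOMDocument('1.0', 'UTF-8');
$doc->formatOutput = true;
$root = $doc->appendChild($doc->createElement('posts'));

foreach ($pdo->query('SELECT label, body FROM posts') as $row) {
    // No stripslashes() here: the value is used exactly as stored.
    $desc = $doc->createElement('desc');
    $desc->setAttribute('case', $row['label']);
    $desc->appendChild($doc->createCDATASection($row['body']));
    $root->appendChild($desc);
}

// The first <desc> holds the original HTML; the second shows \" and \'.
echo $doc->saveXML();
```

Only the double-escaped row comes back with backslashes, which points at the insert path rather than the XML output as the place to fix.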