Decoding mysql_real_escape_string() for outputting HTML

Posted by Peter on Stack Overflow See other posts from Stack Overflow or by Peter
Published on 2010-04-04T02:17:34Z Indexed on 2010/04/04 2:23 UTC
Read the original article Hit count: 266

Filed under:

sql-injection

|

html-entity-decode

|

mysql-real-escape-string

|

decode

I'm trying to protect myself from sql injection and am using:

mysql_real_escape_string($string);

When posting HTML it looks something like this:

<span class="\&quot;className\&quot;">
<p class="\&quot;pClass\&quot;" id="\&quot;pId\&quot;"></p>
</span>

I'm not sure how many other variations real_escape_string adds so don't want to just replace a few and miss others... How do I "decode" this back into correctly formatted HTML, with something like:

html_entity_decode(stripslashes($string));

Related posts about sql-injection

Is this query vulnerable to sql injection?

as seen on Stack Overflow - Search for 'Stack Overflow'
$myq = sprintf("select user from table where user='%s'", $_POST["user"]); I would like to know if the above query can be exploited using SQL injection. Is there any advanced SQL injection technique that could break sprintf for this particular query? >>> More
10 Ways to Prevent or Mitigate SQL Injection Attacks

as seen on Internet.com - Search for 'Internet.com'
SQL injection attacks could allow hackers to compromise your network, access and destroy your data, and take control of your machines. >>> More
10 Ways to Prevent or Mitigate SQL Injection Attacks

as seen on Internet.com - Search for 'Internet.com'
SQL injection attacks could allow hackers to compromise your network, access and destroy your data, and take control of your machines. >>> More
Database Activity Monitoring Part 2 - SQL Injection Attacks

as seen on SQL Server Central - Search for 'SQL Server Central'
If you think through the web sites you visit on a daily basis the chances are that you will need to login to verify who you are. In most cases your username would be stored in a relational database along with all the other registered users on that web site. Hopefully your password will be encrypted… >>> More
SQL Server SQL Injection from start to end

as seen on SQL Team - Search for 'SQL Team'
SQL injection is a method by which a hacker gains access to the database server by injecting specially formatted data through the user interface input fields. In the last few years we have witnessed a huge increase in the number of reported SQL injection attacks, many of which caused a great deal… >>> More

Developer IT

Decoding mysql_real_escape_string() for outputting HTML - Developer IT

Decoding mysql_real_escape_string() for outputting HTML

sql-injection

html-entity-decode

mysql-real-escape-string

decode

Related posts about sql-injection

Is this query vulnerable to sql injection?

10 Ways to Prevent or Mitigate SQL Injection Attacks

10 Ways to Prevent or Mitigate SQL Injection Attacks

Database Activity Monitoring Part 2 - SQL Injection Attacks

SQL Server SQL Injection from start to end

Related posts about html-entity-decode

Decoding mysql_real_escape_string() for outputting HTML

Categories cloud