I am writing a code editor using CodeMirror. I am going to be saving JavaScripts in a MySQL database. Because JavaScript uses the ' symbol quite a bit, I have had to use mysqli->real_escape_string() on the textarea input.

When I retrieve the source from the scripts table, it still has the escaped characters.

So, if I were to insert this:

this.update('something');

You would have

this.update(\'something\');

Is there some way to reverse the process?

2
  • Verify that the input is not being pre-escaped before real_escape_string(), due to magic quotes or *slashes() for example. Commented Jan 4, 2012 at 19:54
  • I'm not familiar with CodeMirror, but it's possible it's escaping "'" chars before submitting. So it may not be mysqli->real_escape_string()'s fault. Commented Jan 4, 2012 at 20:04

2 Answers

1

Do you use mysqli prepared statements?
If so, you shouldn't use mysqli->real_escape_string().
If you don't, then you have magic_quotes_gpc on and you have to turn it off.


Comments

0

You can always try using stripslashes().

It is weird though that your real_escape_string doesn't work properly. It should not leave the slashes. It could be though that your host has magic_quotes_runtime turned on. You can turn it off with set_magic_quotes_runtime(0).

Maybe you are double escaping it by both using mysql_real_escape_string and addslashes?

The best practice though is to change your code to use bind variables, rather than using the string escaping.

Example:

$query = $mysqli->prepare( "UPDATE tablename SET favorite_color = ?, age = ?, description = ? WHERE user = ?" );

// bind_param() takes its arguments by reference, so each value must be a variable, not a literal:
$color = 'red';
$age = 27;
// type string: s = string, i = integer, b = blob, s = string
$query->bind_param( 'sibs', $color, $age, $some_blob, $variable );
$query->execute();

A decent explanation about this (and SQL Injection) can be found here.

4 Comments

my php.ini has this setting already: magic_quotes_runtime = Off
Ok, it was the magic_quotes setting for GET and POST. Changed it, it worked like a charm. Also, thanks for the binding info.
Ok cool. I'm happy it's solved. If my answer helped, don't forget to +1 and tick it as correct. Tnx!
@Downvoter: Please clarify why you downvote this answer when it has fixed this guy's issue?
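Putting the answer's advice together, as an added example (not code from the original post or from CodeMirror): a save and a read-back through mysqli prepared statements, plus a one-time undo of magic_quotes_gpc at input so nothing needs stripping on output. The table `scripts`, its columns and the `$mysqli` connection are assumptions.

```php
<?php
// Added example, not from the original post. Assumes a mysqli connection in
// $mysqli and a table `scripts` with columns name (VARCHAR, UNIQUE) and
// source (MEDIUMTEXT); these names are assumptions.

// Undo magic_quotes_gpc once, at input. Where it is on, $_POST already has
// backslashes added; stripping them here means the source is stored exactly
// as typed in the editor. On PHP 5.4+ (no magic quotes) this is a no-op.
function rawPost($key) {
    $value = isset($_POST[$key]) ? $_POST[$key] : '';
    if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
        $value = stripslashes($value);
    }
    return $value;
}

// Save with a prepared statement: SQL text and values travel separately, so
// quotes and backslashes in $source need no escaping and are stored literally.
// This is also what closes the injection hole that string-building leaves open.
function saveScript(mysqli $mysqli, $name, $source) {
    $stmt = $mysqli->prepare(
        'INSERT INTO scripts (name, source) VALUES (?, ?) '
        . 'ON DUPLICATE KEY UPDATE source = VALUES(source)'
    );
    if ($stmt === false) {
        return false;
    }
    $stmt->bind_param('ss', $name, $source);
    $ok = $stmt->execute();
    $stmt->close();
    return $ok;
}

// Read back without any stripslashes(): nothing was added on the way in.
function loadScript(mysqli $mysqli, $name) {
    $stmt = $mysqli->prepare('SELECT source FROM scripts WHERE name = ?');
    if ($stmt === false) {
        return null;
    }
    $stmt->bind_param('s', $name);
    $stmt->execute();
    $stmt->store_result();          // lets bind_result() handle long TEXT columns
    $stmt->bind_result($source);
    $found = $stmt->fetch();
    $stmt->close();
    return $found ? $source : null;
}

// Usage: saveScript($mysqli, rawPost('name'), rawPost('source'));
// loadScript($mysqli, $name) then returns the script exactly as it was typed.
```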
