A better way to clean data before writing to database

Question

I'm using PHP and MySQL to power a basic forum. When users use the apostrophe (') or insert links into their post, the mysql_real_escape_string function is adding \ to the text. When displaying the post, the links don't work, and all the apostrophe's have a \ before it.

Is the problem that I am not doing something before outputting the text or is the issue that I'm not cleaning the data properly before writing to MySQL?

Answer 1

Are magicquotes turned on? You can check quickly by creating a PHP page like so:

<?php var_dump(get_magic_quotes_gpc()) ?>

If the page says something like int(1), then the culprit isn't mysql_real_escape_string, but PHP itself. It was a security feature, but not very secure, and mostly just annoying. Before you sanitize each variable, you first need to undo the slashing with stripslashes.

Answer 2

You can also turn off magic quotes by using this:

if ( version_compare(PHP_VERSION, '5.3.0', '<') ) {
    set_magic_quotes_runtime(0);
}

It will turn magic quotes off when your server is running any version of php less than 5.3.0.