PHP escaped characters

[Nightasy]

Greetings all,

 

I have a question about escaping characters prior to entering a field into a database and than echo'ing that escaped data back onto a page. My problem is that the slash marks are echo'ing out of the database onto another page.

 

For instance if I were to do something along the lines of:

$hpintrotitle = mysqli_real_escape_string($connect, trim($_POST['hpintrotitle']));

$q = "UPDATE homepage SET mstitle='$hpintrotitle' WHERE msid='1' LIMIT 1";
$r = @mysqli_query($connect, $q);

If I place the word "You've" or "Isn't" into that field when I echo it out from the database it comes back as "You\'ve" or "Isn\'t"

 

I know this is probably basic stuff but I apparently missed this lesson in school. Any help would be appreciated.

 

Side note: I am bringing this data back as an array using something along these lines:

$rowintro = mysqli_fetch_array ($rintro, MYSQLI_NUM);

echo $rowintro[0];
echo $rowintro[1];

and so on....

 

Thanks for taking a look.

[Nightasy]

Well, apparently stripslashes solves this issue. Are there other ways besides stripslashes or preg_replace?

[AbraCadaver]

You're vars are coming from $_GET or $_POST?  If so then magic_quotes_gpc is enabled and adds slashes before populating the get or post vars.  Normally you'd disable magic_quotes_gpc and not rely on them, but if they happen to be enabled then you could do this in a main included file that is executed before any code that uses get or post vars:

if(get_magic_quotes_gpc()) {
   $_GET = array_map('stripslashes', $_GET);
   $_POST = array_map('stripslashes', $_POST);
   $_COOKIE = array_map('stripslashes', $_COOKIE);
}

Similarly there is magic_quotes_runtime.

Edited October 8, 2013 by AbraCadaver