Stripping slashes from mysql_real_escape_string output in PHP

Question

I have something like this: $foo = mysql_real_escape_string($_GET["t"]) . Let's assume t = Stack's Overflow .

In this case, I echo $foo, and it would return something like Stack\\\\\\'s Overflow . How do I stop this behavior and have $foo equal what it would be if I hadn't escaped it?

Even with strip_slashes() I still get one last slash.

This is how my string goes:

1. Typed into search box
2. Posts to a file where it is mysql_real_escape_string()'d
3. Redirects to search?term=string
4. mysql_real_escapes it again in case of $_GET manipulation
5. Searches through database for that string. It is stored mysql_real_escape_string()'d from when it was created. So it would look like Stack\\'s in the database.

The string gets all the way to the last page as Stack\\'s (which is what it should be). However, the query returns no results like that, even though that's the exact way it looks in the database.

Also, it screws up when it hits an ampersand. Like if I had t = Stack & Overflow then it would only store Stack in the variable $foo.

Answer 1

在转义之前禁用GET变量中的魔术引号或条带斜杠。

Answer 2

Assuming you have already disabled magic_quotes (as of php 5.2.0, default) it may simply be that you are escaping your your output more than once.

It may help to just check for that, since the purpose of the function is to put, literally, the same data in the db, as you mean, rather than odd characters that will be misinterpretted on retrieval.