broken links and styles on form post to mysql, is it because of mysql_real_escape_string?

Question

in order to keep safe was told to

use mysql_real_escape_string before sending to Mysql if i'd be displayed

well i do:

....

   $b = mysql_real_escape_string($b);
   $r_int = mysql_real_escape_string($r_int);
   $r_ext= mysql_real_escape_string($r_ext);

   $id_tmp = $_SESSION['id'];
   $insert = "INSERT INTO table (nombre, coment, iduser,fecha)
                           VALUES ('$b','$r_int','$id_tmp',NOW())";
....

But if those values contained any <a href="where">go</a> it will turn into <a href="\where\">go</a>

and.. i can't go! haha,

how can i solve this and keep safe?

thank you!

Answer 1

stripslashes function of PHP

echo stripslashes($string);

takes out the slashes and displays it like it was originally

Answer 2

Sounds like you might have magic_quotes_gpc or one of its ilk turned on. Older PHP versions auto-escaped everything, so by doing mysql_real_escape_string() (as you should be), you actually added another layer of escaping.

The proper solution is to turn off the magic quotes. They're deprecated and SHOULD be off, and you keep on using mysql_real_escape_string().

NOTE: Turning off magic_quotes has to be done from php.ini, or via a php_value in httpd.conf/.htaccess. You can't do it from an in-script ini_set(), because by the time that ini_set executes, PHP's already done the magic quoting.