Hello, I'm using "mysql_real_escape_string" to protect my website, but all the data that users send with the form gets changed. For example, when they enter "Mike's files", the data in the DB is changed to "Mike\'s files". How can I avoid that? BTW, I'm going to use "htmlspecialchars" too; will the data change too/again? Thank you in advance.
That's how mysql_real_escape_string works. It encodes the data before it gets stored in your database to prevent problems. When you use mysql_real_escape_string, you need to use stripslashes() on the data when you retrieve it from your database. Good luck!
If I use "stripslashes" and then print to the screen, there is a chance that harmful/bad JS will activate... no?
mysql_real_escape_string escapes SQL code. If you want to escape JavaScript, you'll need to do something different. Look up htmlspecialchars() at php.net.
I'm going to use "htmlspecialchars" before printing the data to the screen, but how do I fix the text that got changed from, for example, Mike's file to Mike\'s file?
You use stripslashes() to change "Mike\'s file" back to "Mike's file". The function mysql_real_escape_string protects your database from malicious SQL code, not the user's browser from malicious JavaScript code.
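
The behaviour discussed in this thread, as an added example that is not code from any of the posters: a value escaped once for SQL comes back from the database unchanged, a backslash only ends up stored when the value was already slashed before it was escaped, and htmlspecialchars() is applied when printing. It assumes PHP with pdo_sqlite, uses PDO::quote() on an in-memory SQLite database as a stand-in for mysql_real_escape_string(), and uses addslashes() to simulate PHP's old magic_quotes_gpc setting; the table name, helper names and sample input are constructed.

```php
<?php
// Added example, not code from the thread.
// Assumptions: pdo_sqlite is available; PDO::quote() stands in for
// mysql_real_escape_string(); addslashes() simulates magic_quotes_gpc.

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE notes (id INTEGER PRIMARY KEY, title TEXT)'); // hypothetical table

// Insert $value with exactly one layer of SQL escaping, then read back
// what the database actually holds.
function storeAndFetch(PDO $db, string $value): string
{
    $db->exec('INSERT INTO notes (title) VALUES (' . $db->quote($value) . ')');
    $id = (int) $db->lastInsertId();
    return (string) $db->query('SELECT title FROM notes WHERE id = ' . $id)->fetchColumn();
}

// HTML-encode at output time only; the stored value stays raw.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES, 'UTF-8');
}

$submitted = "Mike's <b>files</b>"; // constructed form input

// Case 1: escaped once. The SQL parser consumes the escaping, so the
// stored value is byte-for-byte what the user typed.
$once = storeAndFetch($db, $submitted);

// Case 2: the value was slashed before SQL escaping (as magic_quotes_gpc
// did on old PHP versions), so the extra backslash is stored as data.
$twice = storeAndFetch($db, addslashes($submitted));

printf("submitted      : %s\n", $submitted);
printf("stored (once)  : %s\n", $once);
printf("stored (twice) : %s\n", $twice);
printf("round trip ok  : %s\n", var_export($once === $submitted, true));

// What goes into the page: markup characters and quotes become entities.
printf("HTML output    : %s\n", h($once));
```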