phpmysqlckeditor

mysqli + ckeditor = escapes and breaking html


So I have been developing a little system in which, at a point, the user can type in some HTML into ckeditor, that HTML is then stored in a database (it's kind of a microCMS).

The problem is When using Mysqli, It inserts escape characters before and after " and ' in order to stop injection, logically, which breaks loads of HTML code.

for example

<i-mg src="http://www.example.com/logo.png" alt="fishcakes"></img>

becomes

<i-mg src=/"http://www.example.com/logo.png"/ alt=/"fishcakes"/></img>

or something close to that, which breaks the code

Is there a way I can disable the injection prevention, or input it into the database another way ? Or maybe replace the /" when it is being taken from the database?

EDIT : I have resolved the problem I replaced the /" by " using str_replace().

Here's the code:

$pagecontent = str_replace('\"', '"', $pagecontent);
echo $pagecontent;

Solution

  • If you're seeing these characters when you fetch data back out you're somehow double-escaping the content. Check that you're only escaping it once, and doing it with the placeholder and not mysql_real_escape_string. You haven't fixed the problem. You've un-done the damage of a serious bug.

    The purpose of SQL escaping is to insert the data correctly and reliably. For instance, O'Reilly should be O''Reilly for MySQL. The actual content in the database should be O'Reilly regardless of quoting.