Remove slashes from (double and single quotes)


Dat
10-09-2007, 06:55 AM
I'm new to this forum, but anyway. I have this variable with slashes using mysql_real_escape_string().
I want to remove the slashes from the variable without removing the \r\n etc.

$title = mysql_real_escape_string( $_POST['title'] );

In the variable that is currently being inputted: Miki Koishikawa\\\'s ordinary life...
Input in the database (as you may already know): Miki Koishikawa\'s ordinary life...

As you can see, what is left is the \'s.

I can't use stripslashes() because that would remove the \ from \r\n and that would leave me with rn.

Help? ???

_Aerospace_Eng_
10-09-2007, 06:59 AM
It looks like magic_quotes_gpc is on by default. You can use this function that strips the slashes if magic_quotes_gpc is on and then it uses mysql_real_escape_string:
function escape_data ($data) {
    global $dbc; // Need the connection.
    // Undo the slashes PHP added automatically, if the setting is on.
    if (ini_get('magic_quotes_gpc')) {
        $data = stripslashes($data);
    }
    // Escape once, using the character set of the open connection.
    return mysql_real_escape_string(trim($data), $dbc);
}
Usage:
$title = escape_data( $_POST['title'] );
Where $dbc is the connection being made using mysql_connect.

Dat
10-09-2007, 02:42 PM
Warning: mysql_real_escape_string() expects parameter 2 to be resource, null given in ***/add.php on line 57

Which is return mysql_real_escape_string(trim($data), $dbc);

_Aerospace_Eng_
10-09-2007, 03:10 PM
Umm, yeah, it's giving you that because your variable that was assigned $mysql_connect() isn't called $dbc. If you still don't understand me then post your mysql_connect script without the username, host, and password.

Dat
10-09-2007, 10:34 PM
Yeah, I got it, thanks. Wow, it really works.

$dbc = mysql_connect ("localhost", "*username*", "Pass**") or die ('I cannot connect to the database because: ' . mysql_error());

Could you explain what this function does?

function escape_data ($data) {
    global $dbc; // Need the connection.
    if (ini_get('magic_quotes_gpc')) {
        $data = stripslashes($data);
    }
    return mysql_real_escape_string(trim($data), $dbc);
}

_Aerospace_Eng_
10-09-2007, 11:06 PM
I thought I did?

Basically it accepts a string, and it uses the mysql_connect variable. It checks to see if the magic_quotes_gpc setting is true or false (1 or 0). If it's true or 1 then it strips the slashes from the string and then it returns mysql_real_escape_string.

If magic_quotes_gpc is off then it just returns mysql_real_escape_string. Most servers have magic_quotes_gpc on just so it automatically escapes apostrophes.
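
The double escaping discussed in this thread, traced step by step as an added example that is not part of any post above. It assumes stand-ins so it runs on current PHP without a database: addslashes() plays the role of magic_quotes_gpc (removed in PHP 5.4), and the hypothetical escape_sim() and stored_sim() model mysql_real_escape_string() (removed in PHP 7) and the server reading the literal back.

```php
<?php
// Added example, not code from the thread. addslashes() simulates magic_quotes_gpc;
// escape_sim()/stored_sim() are hypothetical models of mysql_real_escape_string()
// and of the server parsing the quoted literal.

function escape_sim(string $s): string
{
    // Characters mysql_real_escape_string() escapes: NUL, LF, CR, \, ', ", Ctrl-Z
    return strtr($s, [
        "\0" => '\\0', "\n" => '\\n', "\r" => '\\r', '\\' => '\\\\',
        "'" => "\\'", '"' => '\\"', "\x1a" => '\\Z',
    ]);
}

function stored_sim(string $literal): string
{
    // One level of unescaping, as the server does when it parses the literal.
    return strtr($literal, [
        '\\\\' => '\\', "\\'" => "'", '\\"' => '"',
        '\\n' => "\n", '\\r' => "\r", '\\0' => "\0", '\\Z' => "\x1a",
    ]);
}

function show(string $label, string $s): void
{
    // Make real control characters visible so they are not mistaken for backslash text.
    echo str_pad($label, 34), strtr($s, ["\r" => '<CR>', "\n" => '<LF>']), PHP_EOL;
}

// Constructed input: the title from the thread plus a real CR LF line break.
$raw  = "Miki Koishikawa's ordinary life...\r\nline two";
$post = addslashes($raw);          // what $_POST held with magic_quotes_gpc on

show('raw form value:', $raw);
show('$_POST with magic quotes:', $post);

// First post's code: escaping the already-slashed value leaves \' in the row.
$double = escape_sim($post);
show('escaped twice (SQL literal):', $double);
show('stored in the row:', stored_sim($double));

// escape_data() logic: undo magic quotes first, then escape exactly once.
$clean = stripslashes($post);      // CR and LF are bytes 13 and 10; no backslash to strip
$once  = escape_sim($clean);
show('stripslashes + escape (literal):', $once);
show('stored in the row:', stored_sim($once));

var_dump($clean === $raw, stored_sim($once) === $raw);
```

A line break submitted from a form arrives as the control characters CR and LF, not as the four visible characters \r\n, so stripslashes() has no backslash to remove there.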

Dat
10-10-2007, 12:33 AM
Okay, thank you. :D ---> Thanked your post.

Dat
02-16-2008, 08:17 PM
Updating my site again. Is there a security risk in using this function?

_Aerospace_Eng_
02-17-2008, 04:31 PM
Why would there be? There would be a security risk if you don't use that function. Some may disagree about using globals but I'll let them argue that.