urlencode()/urldecode()

Guys,

I have a question regarding the urlencode/decode functions.

I have a page that allows users to submit a text block. I am encoding this before instering into the database. Then, when displaying back onto the page, i am decoding.

The problem I am having specifically (although I'm sure it will affect other characters) is with the ' character. If I add "don't", when decoding out, it reads "don\'t".

Is there a built-in funciton to correct these (or an alternative to urlencode/decode) or do I need to create my own clean-up function?

Thanks,
C.

i don't realy see what escaping the quote has to do with urlencode() ...

i think you're looking for addslashes(), stripslashes() and possibly mysql_real_escape_string(). you migt also wanna check out get_magic_quotes_gpc()
Take a look at example 3 at http://uk.php.net/manual/en/function.mysql-real-escape-string.php

you can find more info on the other functions by following the 'see also' links on that page.

Predefined function: stripslashes()

The stripslashes() works great thanks.

I'm also using the mysql_real_escape_string() for all my database calls now - is this sufficient to prevent against sql injections or do you guys recommend further measures?

C.

i wouldn't rely only on escaping the 'bad' characters.

the general rule is that you check all input from the user as soon a possible. Doesn't realy matter if you are gonna use it in a query or not...
so all data the user posts and all querystring and cookievalues should be tested on their valueformat (if you expect a numerical value, then check if it is indeed a numerical, if you expect a text of maximum 10 characters, then check that it isn't longer, if you expect a value from a limited list of option, then check if the received value is part of that list etc).

also: limit the risk of having your mysql-accountdata exposed by for instance storing your connectioncode in a page that is stored above the webroot. you then include this page when you need to open a connection.
and limit the possible consequences of an sql-injection by only giving the mysql-account that you use for PHP the strict minimum of permissions that it needs.