Escaping single quote in PHP when inserting into MySQL [duplicate]

You should be escaping each of these strings (in both snippets) with mysql_real_escape_string(). http://us3.php.net/mysql-real-escape-string The reason your two queries are behaving differently is likely because you have magic_quotes_gpc turned on (which you should know is a bad idea). This means that strings gathered from $_GET, $_POST and $_COOKIES are escaped for you (i.e., "O'Brien" -> …

Unescape HTML entities in JavaScript?

Most answers given here have a huge disadvantage: if the string you are trying to convert isn't trusted then you will end up with a Cross-Site Scripting (XSS) vulnerability. For the function in the accepted answer, consider the following: htmlDecode("<img src='https://stackoverflow.com/questions/3700326/dummy' onerror='alert(/xss/)'>"); The string here contains an unescaped HTML tag, so instead of decoding anything …

Escape quotes in JavaScript

You need to escape the string you are writing out into DoEdit to scrub out the double-quote characters. They are causing the onclick HTML attribute to close prematurely. Using the JavaScript escape character, \, isn't sufficient in the HTML context. You need to replace the double-quote with the proper XML entity representation, &quot;.

Unescape HTML entities in JavaScript?

Most answers given here have a huge disadvantage: if the string you are trying to convert isn't trusted then you will end up with a Cross-Site Scripting (XSS) vulnerability. For the function in the accepted answer, consider the following: htmlDecode("<img src='https://stackoverflow.com/questions/1912501/dummy' onerror='alert(/xss/)'>"); The string here contains an unescaped HTML tag, so instead of decoding anything …