I am putting serialized data into a database. The data comes from an input field and can be anything (a string), including quote marks. I encode the serialized data with base64 to keep serialize from resulting in an error. But the quote marks become \'. I am aware that this is a MySQL injection remedy, and the encoded data has the encrypted \' signs. Magic_quotes are on. Here's the code:
$_POST['post']:
[0] => this is \"test\"
[1] => test2
[2] => quotes \"\"
PHP:
$db = base64_encode(serialize($_POST['post']));
Now I get serialized and encoded data. When I try to retrieve it:
[mysql functions to retrieve row]
$arr = unserialize(base64_decode($arr));
foreach ( $arr as $arr1 ) {
    $arr2[] = stripslashes($arr1);
}
print_r($arr2);
After retrieving the data I get, as intended:
$arr2:
[0] => this is "test"
[1] => test2
[2] => quotes ""
The question is: is it safe from MySQL injection? Is it safe at all to put data from arr2 into an HTML page, into input fields and the body of the page? If not, what would be a good method to do it? Should I use functions like html_escape and mysql_special?
Thanks in advance :)
EDIT: The string data from the database will be used only as the value of input and textarea HTML tags.
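The round trip from the question, as an added example that is not part of the original post: the encoded value is stored through a bound parameter, and each decoded string is escaped only at the point where it is written into an `input` value or a `textarea` body. Assumptions: PHP 7 or later with PDO and an in-memory SQLite database standing in for MySQL, a hypothetical `posts` table, a hypothetical helper `h()`, and constructed sample input.

```php
<?php
// Added example, not the poster's code. The `posts` table, the helper h()
// and the in-memory SQLite database are assumptions so this runs offline.

// Constructed sample input, as it arrives when magic quotes are not adding
// backslashes (so no stripslashes() is needed on the way out).
$post = ['this is "test"', 'test2', 'quotes "" and <b>markup</b>'];

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE posts (id INTEGER PRIMARY KEY, data TEXT NOT NULL)');

// Store: the value is a bound parameter, so the SQL text never contains
// user input, whatever characters it holds.
$stmt = $pdo->prepare('INSERT INTO posts (data) VALUES (:data)');
$stmt->execute([':data' => base64_encode(serialize($post))]);
$id = (int) $pdo->lastInsertId();

// Retrieve: strict base64 decoding, and no object instantiation while
// unserializing.
$stmt = $pdo->prepare('SELECT data FROM posts WHERE id = :id');
$stmt->execute([':id' => $id]);
$raw = base64_decode((string) $stmt->fetchColumn(), true);
if ($raw === false) {
    throw new RuntimeException('stored value is not valid base64');
}
$values = unserialize($raw, ['allowed_classes' => false]);
if (!is_array($values)) {
    throw new RuntimeException('stored value is not a serialized array');
}

// Output: escape for the HTML context. ENT_QUOTES covers both quote
// characters, which matters inside value="...".
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

foreach ($values as $i => $v) {
    printf('<input type="text" name="post[%d]" value="%s">' . "\n", $i, h($v));
    printf('<textarea name="body[%d]">%s</textarea>' . "\n", $i, h($v));
}
```

The database keeps the text exactly as typed; the quotes and angle brackets only become `&quot;`, `&lt;` and `&gt;` in the generated HTML, so the browser shows the original characters in the form fields.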