I am asking the user to provide a directory where a file can be found, however, when I put the string through sanitization, it adds in additional "\", and displays them as part of the text string.

PHP Code:

strtolower(mysql_real_escape_string($_POST["url"])) 


Input:

Quote:

d:\documents and settings\414004425\desktop\wireless router.pdf

Display:

Quote:

d:\\documents and settings\\414004425\\desktop\\wireless router.pdf

Its escaping the \ by the looks of things.

Maybe just to hack it, Use str_replace and replace any \\ with a \ after your sanitization.

@lynxus is right,
\ must be escaped

Then again, Have you tried inputting the output into mysql?

Its possible that it will enter it correctly as mysql will just ignore the first \ ?

That's because Magic Quotes in php is enabled. What you may do is to turn it off and make a temporary variable (let's say $tmp_str = $str) to hold your string. Make addslahes() to that variable ($tmp_str) and pass it on to your mysql query. If you want to send your string back to the browser, just echo your original variable ($str).