I have a form where users post about themselves etc. I've read that with PDO you don't get any issues with apostrophes or quotation marks; however, I'm getting " as \" etc., as you can guess.
I also tried to read http://www.php.net/manual/en/pdo.prepared-statements.php but this part of the website is not working as far as I can see, which is why I ask here first.
I get user input like this:
    if(isset($_POST["doit"])) {
        $about = cleanInput($_POST["about"]);
        $name = cleanInput($_POST["name"]);
        if(!empty($about) && !empty($name)){
            try{
                $cu_query = "INSERT INTO `members` (`about`, `name`) VALUES (:about, :name)";
                $cu_query_do = $db->prepare($cu_query);
                $cu_query_do->bindParam(':about', $about, PDO::PARAM_STR);
                $cu_query_do->bindParam(':name', $name, PDO::PARAM_STR);
                $cu_query_do->execute() or die(print_r($cu_query_do->errorInfo(), true));
            }
            catch(PDOException $e) {
                $log->logError($e." - ".basename(__FILE__));
            }
        }
    }
I print out user input like this and fetch the user inputs from the db like this:

    // if isset get etc..
    try {
        $mq = "SELECT * FROM `members` WHERE `m_id` = :m_id";
        $mq_check = $db->prepare($mq);
        $mq_check->bindParam(':m_id', $m_id, PDO::PARAM_INT);
        $mq_check->execute();
        $ac = $db->query("SELECT FOUND_ROWS()")->fetchColumn();
    }
    catch(PDOException $e) {
        $log->logError($e." - ".basename(__FILE__));
    }
    if(!empty($ac)) {
        $_loader = true;
        $fetch = $mq_check->fetch(PDO::FETCH_ASSOC);
        $name = cleanInput($fetch['name']);
        $about = cleanInput($fetch['about']);
    }
    echo $name;
Thank You
Answer: If you've disabled it from WHM or from php.ini etc. but the problem still continues, check with the code @Wayne Whitty mentioned below. If it still seems to be active, then include this code in your header file:
    if (get_magic_quotes_gpc()) {
        $process = array(&$_GET, &$_POST, &$_COOKIE, &$_REQUEST);
        while (list($key, $val) = each($process)) {
            foreach ($val as $k => $v) {
                unset($process[$key][$k]);
                if (is_array($v)) {
                    $process[$key][stripslashes($k)] = $v;
                    $process[] = &$process[$key][stripslashes($k)];
                } else {
                    $process[$key][stripslashes($k)] = stripslashes($v);
                }
            }
        }
        unset($process);
    }
That fixed my problem, but if the problem still continues, then you have to check your input sanitization etc.
Either magic quotes are enabled on your server or your function cleanInput() is calling the function addslashes().
Check to see if magic quotes are enabled by running this:
    if(get_magic_quotes_gpc()){
        echo 'Magic Quotes enabled... sigh!';
    }
The PHP manual shows you how to deal with magic quotes:
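Added example (not part of the question or the answers above, and not the PHP manual's code): it stores the same text through a prepared statement twice, once after `addslashes()` and once untouched, to show that the bound parameter keeps the value as given and the backslashes come from the pre-processing step. It assumes the `pdo_sqlite` extension; the in-memory SQLite table, the constructed sample string and the helpers `cleanInputWithAddslashes()`, `cleanInputTrimOnly()` and `storeAndFetchAbout()` are hypothetical stand-ins, since the page does not show the body of `cleanInput()`.

```php
<?php
// Added example: in-memory SQLite stands in for the page's MySQL database.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE members (m_id INTEGER PRIMARY KEY, about TEXT, name TEXT)');

// Hypothetical stand-in for a cleanInput() that escapes for SQL by hand.
function cleanInputWithAddslashes(string $value): string
{
    return addslashes(trim($value));
}

// Trim only: SQL escaping is left to the bound parameter.
function cleanInputTrimOnly(string $value): string
{
    return trim($value);
}

// Insert one row with bound parameters and read the stored text back.
function storeAndFetchAbout(PDO $db, string $about, string $name): string
{
    $insert = $db->prepare('INSERT INTO members (about, name) VALUES (:about, :name)');
    $insert->execute([':about' => $about, ':name' => $name]);

    $select = $db->prepare('SELECT about FROM members WHERE m_id = :m_id');
    $select->bindValue(':m_id', (int) $db->lastInsertId(), PDO::PARAM_INT);
    $select->execute();
    return (string) $select->fetchColumn();
}

// Constructed sample input containing both quote characters.
$raw = 'She said "hi", it\'s me';

$escapedTwice = storeAndFetchAbout($db, cleanInputWithAddslashes($raw), 'a');
$storedAsIs   = storeAndFetchAbout($db, cleanInputTrimOnly($raw), 'b');

echo "addslashes + bound parameter: $escapedTwice\n";
echo "bound parameter only:         $storedAsIs\n";

// Compare the round-tripped value with the original input.
var_dump($storedAsIs === $raw);

// Escape for HTML at output time, not before storage.
echo htmlspecialchars($storedAsIs, ENT_QUOTES, 'UTF-8'), "\n";
```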