Search code examples
phpmysqlechobackslashmysql-real-escape-string

Inserting double quotes into mysql and printing them out without backslashes

I have a form where the following type of code must be inserted:

<iframe src="https://www.google.com/maps/embed?pb=!1m14!1m8!1m3!1d3035.058400512634!2d-3.6438669999999997!3d40.473973!3m2!1i1024!2i768!4f13.1!3m3!1m2!1s0xd422eea55d33c51%3A0x3294408e8e67eff4!2sClinica+Dental+Artidental!5e0!3m2!1ses!2ses!4v1419779677798" width="600" height="450" frameborder="0" style="border:0"></iframe>

I am catching the posted value as follows:

$mapLink = htmlspecialchars($_POST['mapLink'], ENT_QUOTES);

And the iframe is inserted as follows:

&lt;iframe src=\&quot;https://www.google.com/maps/embed?pb=!1m14!1m8!1m3!1d3035.058400512634!2d-3.6438669999999997!3d40.473973!3m2!1i1024!2i768!4f13.1!3m3!1m2!1s0xd422eea55d33c51%3A0x3294408e8e67eff4!2sClinica+Dental+Artidental!5e0!3m2!1ses!2ses!4v1419779677798\&quot; width=\&quot;600\&quot; height=\&quot;450\&quot; frameborder=\&quot;0\&quot; style=\&quot;border:0\&quot;&gt;&lt;/iframe&gt;

How can I do in order to fetch back my initial link "<iframe src..." with php and print it out as it was written initially? Without the backslashes, &quot, etc

UPDATE 1

Here is how I insert/update in MYSQL:

            $editCentro = $con->prepare("UPDATE centros SET  active = :active, nombre = :nombre, zona = :zona, address = :address,
        metro = :metro, zip = :zip, phone = :phone, fax = :fax, email = :email, mapLink = :mapLink, descripcion = :descripcion, horarios = :horarios
        WHERE id = ".$centroId);
        $editCentro->execute(array(':active'=>$active, ':nombre'=> $nombre, ':zona'=>$zona, ':address'=>$address, ':metro'=>$metro, 
        ':zip'=>$zip, ':phone'=>$telefono, ':fax'=>$fax, ':email'=>$email, ':mapLink'=>$mapLink, ':descripcion'=>$descripcion, ':horarios'=>$horarios));

And even when not escaping the value, it gets inserted with a backslash before the double quotes...

Solution

  • You escape the string when assigning it to $mapLink:

    $mapLink = htmlspecialchars($_POST['mapLink'], ENT_QUOTES);

    If you want to insert it to the database as-is, simply take the value from post, and don't escape it. (Also, that's not the escaping you would use to prevent SQLi)

    To prevent SQL injection, use mysql binding like so:

    $stmt = $mysqli->prepare("INSERT INTO sometable (fieldA, mapField, fieldC) VALUES (?, ?, ?)");
$stmt->bind_param('sss', $someVar, $mapLink, $otherVar);

    See more info on parameter binding in the PHP docs here.

    If you have problems with magic quotes, you can strip them like so:

    $mapLink = stripslashes($_POST['mapLink']);