3

I am using PDO prepared statements so it's adding slashes when it's needed before inserting into the database.

I was wondering the proper way to get the results and display it on the website without showing the slashes.

Is it as easy as just using echo stripslashes($result->message);?

Here is what my queries look like:

$database->query('INSERT INTO table_name (field1, field2, field3) VALUES (?, ?, ?)', array($value1, $value2, $value3));

Here is my query method:

public function query($query, $bind=null)
{
    # Prepare the statement on the PDO connection held by this object
    $this->statement = $this->pdo->prepare($query);

    # Execute the query with the bound parameters (an empty array when none are given)
    $this->statement->execute($bind ?: array());
}

EDIT: get_magic_quotes_gpc was indeed turned on even though WHM (cPanel) said it was off

Draven

2 Answers

4

Prepared statements do not add slashes to your query data. They inject the parameters into the query in the form of placeholders, in such a way that the placeholder is not considered as part of the query, but as part of the data only.

Therefore, no slashes are added, and there is no need for stripslashes().

If slashes are added for you, make sure you disable prepared statements emulation for your PDO instance:

$pdo->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);
Madara's Ghost
  • Isn't one of the advantages of using PDO because it has features like that, that make queries safer? From what I read about PDO is I don't need to sanitize queries. I'll edit my OP with what my queries look like. – Draven Aug 31 '12 at 23:47
  • 1
    @Draven: Exactly, you don't need to sanitize your queries, but not because it sanitizes them for you. Because the query is **prepared**. Take this example: `SELECT * FROM table WHERE id=?` The ? is a placeholder; that query is compiled (before actual data is injected into the query), **then** data is injected. Because the query was already compiled, it doesn't matter what data goes into the placeholder, it won't affect the query. – Madara's Ghost Sep 01 '12 at 06:39
  • That is what I thought. After running more tests today it seems like it only adds slashes to `$_POST` data. Is that right? I assume my queries will still be safe if I do what you suggest? – Draven Sep 01 '12 at 07:01
  • @Draven: No, something else adds those slashes for you. Because someone adds slashes, and they don't escape anything thanks to the prepared statement, you see those slashes in your data. Find out who adds those slashes, and kill it. Then, you will reach enlightenment, little grasshopper. – Madara's Ghost Sep 01 '12 at 07:03
  • Weird. Never seen this before. I decided to `echo $_POST['input_name']` and it echoed with the slashes. So my form is adding the slashes? How? – Draven Sep 01 '12 at 07:24
  • @Draven: Run [this](http://php.net/manual/en/function.get-magic-quotes-runtime.php), if it return TRUE, magic quotes are enabled. – Madara's Ghost Sep 01 '12 at 07:26
  • I don't know then. Ask this as a separate question: "Why does PHP add slashes to $_POST when magic quotes are disabled?" And add all the relevant details. – Madara's Ghost Sep 01 '12 at 07:30
  • I changed `get_magic_quotes_runtime` to `get_magic_quotes_gpc` and that returned true. – Draven Sep 01 '12 at 07:30
  • 1
    Damn, sorry for all this trouble and thank you for helping me. I edited php.ini using WHM (cPanel) and the setting for `get_magic_quotes_gpc` said it was off, but I decided to save it anyway, just in case, and sure enough, it is now off. – Draven Sep 01 '12 at 07:35
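An added example (not code from the question or the answer) that puts the two points of this thread together: a native PDO prepared statement stores a value containing quotes verbatim, so nothing needs stripslashes() on output, and the one place legacy magic quotes should be undone is at input time. It uses an in-memory SQLite database so it runs stand-alone; the table name `messages`, the helper `input_from_request()` and the request string are constructed for the example.

```php
<?php
// Added example, not from the original page. Constructed table name and
// request data; in-memory SQLite so the script runs anywhere PDO is available.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
// The answer's advice: let the server prepare the statement itself. This
// matters for MySQL; the SQLite driver never emulates, so it is a no-op here.
$pdo->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);
$pdo->exec('CREATE TABLE messages (id INTEGER PRIMARY KEY, message TEXT)');

// Undo magic quotes once, on input, and only if PHP actually added them.
// get_magic_quotes_gpc() no longer exists in PHP 8, hence the guard.
function input_from_request(string $key): string
{
    $value = $_POST[$key] ?? '';
    if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
        $value = stripslashes($value);
    }
    return $value;
}

// Constructed request data containing a single quote, a backslash and double quotes.
$_POST['message'] = "O'Reilly said: C:\\path \"quoted\"";
$message = input_from_request('message');

// The placeholder carries the value as data; quotes inside it cannot change the SQL.
$stmt = $pdo->prepare('INSERT INTO messages (message) VALUES (?)');
$stmt->execute([$message]);

$row = $pdo->query('SELECT message FROM messages')->fetch(PDO::FETCH_OBJ);

// The stored value round-trips unchanged: no slashes were added, so none need
// stripping. The only transformation that belongs on output is HTML escaping.
var_dump($row->message === $message);
echo htmlspecialchars($row->message, ENT_QUOTES, 'UTF-8'), "\n";
```

If slashes still appear in what this script prints, they were present in the request before PDO ever saw the data, which is exactly the magic-quotes situation the comments above track down.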
1

get_magic_quotes_gpc was indeed turned on even though WHM (cPanel) said it was off

Draven