
I have a form that I use in my CPanel. When I enter data into the form with apostrophes or quotes, such as:

There's an example

It is saved in my database as:

There\'s an example


I don't understand why the quotes are being escaped automatically.

  • I don't have anything set to escape the posted data
  • It is updated using a prepared statement
  • Magic quotes are off (gpc, runtime, and sybase)

Here is my PHP code that updates the database:

```php
<?php

include "{$_SERVER["DOCUMENT_ROOT"]}/global/php/db.mysqli.php";

$title = $_POST["title"];
$subtitle = $_POST["subtitle"];
$dir = $_POST["dir"];
$parts = $_POST["parts"];
$override = $_POST["override"];

if($override == "true" || $override == true)
    $override = 1;
else
    $override = 0;

$stmt = $link->prepare("UPDATE ... SET `title`=?, `subtitle`=?, `dir`=?, `parts`=?, `override`=? WHERE `id`=? LIMIT 1");
$stmt->bind_param("ssssss", $title, $subtitle, $dir, $parts, $override, $id);
$stmt->execute();

?>
```
Liftoff
  • @Gumbo sometimes it's good to read the question body – Royal Bg Jun 15 '14 at 18:34
  • I suggest you `var_dump($_POST)` before *and* after you include db.mysqli.php. – Bill Karwin Jun 15 '14 at 18:38
  • Magic quotes are off, you say? Interesting... Hmm... And have you confirmed this by `var_dump`ing the relevant functions to tell you this? Otherwise it might be that PHP is loading a different config file to the one you're expecting. – Niet the Dark Absol Jun 15 '14 at 18:38
  • Sometimes question body shouldn't be trusted. We all know the reasons for the extra slashes. They are scarce and already known. There is *nothing* new. – Your Common Sense Jun 15 '14 at 18:42
  • @OP, you have but a simple choice: either these slashes are being added by magic or one of your premises is wrong. Choose one and then investigate it. Community hardly can help you with it. – Your Common Sense Jun 15 '14 at 18:44
  • My bet - some sort of "sanitize them all" function that is lurking somewhere in the legacy code – Your Common Sense Jun 15 '14 at 18:46
  • @YourCommonSense Not to interrupt your rant, but my suggestion is actually quite a likely thing to bite one's arse ;) – Niet the Dark Absol Jun 15 '14 at 18:48
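
The checks suggested in the comments above (confirm what the running PHP reports for magic quotes and which ini file it loaded, and compare `$_POST` before and after the include), combined into one script. This is an added example, not part of the original post: the helper name `changed_fields` is hypothetical, the raw-body and `auto_prepend_file` checks go one step beyond the comments, and it assumes the form posts as `application/x-www-form-urlencoded`.

```php
<?php
// Added diagnostic, not the asker's code. Temporarily point the form at this
// script, submit "There's an example", then delete the script.
header('Content-Type: text/plain; charset=utf-8'); // plain text: no HTML rendering

// Hypothetical helper: list every field whose value differs between snapshots.
function changed_fields($before, $after) {
    $diff = array();
    foreach ($before as $key => $value) {
        $now = array_key_exists($key, $after) ? $after[$key] : null;
        if ($now !== $value) {
            $diff[$key] = array('before' => $value, 'after' => $now);
        }
    }
    return $diff;
}

// 1. What does the running PHP report, and which ini files did it load?
$config = array(
    'php_version'         => PHP_VERSION,
    'loaded_ini'          => php_ini_loaded_file(),
    'scanned_ini'         => php_ini_scanned_files(),
    // The getter was removed in PHP 8.0, so guard the call.
    'magic_quotes_gpc'    => function_exists('get_magic_quotes_gpc')
        ? @get_magic_quotes_gpc() : 'not available in this PHP version',
    'magic_quotes_sybase' => ini_get('magic_quotes_sybase'),
    // A prepended file runs before this script and could already have escaped input.
    'auto_prepend_file'   => ini_get('auto_prepend_file'),
);

// 2. Snapshot the input before any shared code can modify it.
//    php://input is empty for multipart/form-data posts.
$raw    = file_get_contents('php://input');
$before = $_POST; // arrays are copied by value, so this is a true snapshot

include $_SERVER['DOCUMENT_ROOT'] . '/global/php/db.mysqli.php';

// 3. Compare. %5C in the raw body means the backslash was sent by the
//    browser; a changed field means the include rewrote $_POST.
var_export(array(
    'config'                => $config,
    'backslash_in_raw_body' => stripos($raw, '%5C') !== false,
    'changed_by_include'    => changed_fields($before, $_POST),
));
```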

0 Answers