aborted

Reputation: 4531

Textarea content messed up after retrieving from database

So here is my problem:

I have coded an administration area for my website, and it has a textarea which should CREATE news for the website. Everything works fine when using , etc. But when it comes to quotes (" ") everything gets messed up. The quotes get ESCAPED with a \ (slash).

The submitted news will be seen in the index page of the site, so that's where I know if the written HTML in the administration was OK or not. This is how the code should be:

<a href="http://www.youtube-nocookie.com/v/q9FY9O8os4M&hl=it_IT&fs=1?rel=0" rel="iframe-640-505" class="pirobox_gall1" title="MC Qoppa - Dashnise "><img src="../styles/thumbs/qopa2.jpg" width="250" height="140" class="thumb"></a>

This is what it looks like after submitting:

<a href=\"http://www.youtube-nocookie.com/v/q9FY9O8os4M&hl=it_IT&fs=1?rel=0\" rel=\"iframe-640-505\" class=\"pirobox_gall1\" title=\"MC Qoppa - Dashnise \"><img src=\"../styles/thumbs/qopa2.jpg\" width=\"250\" height=\"140\" class=\"thumb\"></a>

I was using TinyMCE (a WYSIWYG editor) when I noticed the problem, thought it was causing the issue, but it's not, because I've removed it and I still keep getting these HTML messes.

Upvotes: 0

Views: 184

Answers (1)

PleaseStand

Reputation: 32112

Magic quotes are a deprecated PHP feature originally intended to prevent SQL injection attacks against a web application's security. It is possible that your web host has magic quotes turned on.

For security, developers should use the "prepared statement" functions of the mysqli and PDO extensions when including user input in a SQL statement. If that is not possible for some reason (e.g. these newer extensions are unavailable on a specific web host), developers should use an appropriate MySQL escaping function (e.g. mysql_real_escape_string()) properly.

You can try turning magic quotes off in php.ini or .htaccess and see if the slashes disappear; however, please ensure your application is secure against SQL injection attacks first.

Upvotes: 1
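
The approach recommended in this answer, as an added example that is not part of the original answer: slashes are stripped only when magic quotes are on, and the news body is then stored through a PDO prepared statement. It assumes the pdo_sqlite driver, with an in-memory SQLite table standing in for the site's MySQL table; the function names and the `$forceOn` switch are hypothetical.

```php
<?php
// Assumption: pdo_sqlite is available; the in-memory table below
// stands in for the site's MySQL news table.

// Undo magic quotes only when the feature exists and is switched on.
// $forceOn is a hypothetical switch that simulates such a host for this demo.
function raw_input_value($value, $forceOn = false)
{
    $on = $forceOn
        || (function_exists('get_magic_quotes_gpc') && @get_magic_quotes_gpc());
    return $on ? stripslashes($value) : $value;
}

function save_news($db, $body)
{
    // The placeholder keeps the data out of the SQL text, so quotes need no escaping.
    $stmt = $db->prepare('INSERT INTO news (body) VALUES (:body)');
    $stmt->execute(array(':body' => $body));
    return (int) $db->lastInsertId();
}

function load_news($db, $id)
{
    $stmt = $db->prepare('SELECT body FROM news WHERE id = :id');
    $stmt->execute(array(':id' => $id));
    return (string) $stmt->fetchColumn();
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE news (id INTEGER PRIMARY KEY, body TEXT)');

// Constructed sample input, shortened from the markup in the question.
$original = '<a href="http://www.youtube-nocookie.com/v/q9FY9O8os4M" class="pirobox_gall1"><img src="../styles/thumbs/qopa2.jpg" class="thumb"></a>';

// What $_POST would hold for that textarea on a host with magic quotes on.
$posted = addslashes($original);

$id = save_news($db, raw_input_value($posted, true));
$stored = load_news($db, $id);

// Both checks compare what was stored with what the admin typed.
var_dump($stored === $original);
var_dump(strpos($stored, '\\"') === false);

// A body mixing single and double quotes is stored as plain data too.
$id2 = save_news($db, 'It\'s "live"');
var_dump(load_news($db, $id2) === 'It\'s "live"');
```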
