user1382306

How to prevent escape characters in MySQL varchar inserted by PHP PDO via jQuery AJAX

I think it's strange that I can't find anything on this, but that's the case.

On my site, I allow users to enter text to be stored in my database. I use PDO to keep it safe, but then all of the dangerous characters have "\"s in front of them.

Is there an easy way to get rid of all that? Should I be using a different datatype in MySQL?

Thanks in advance!

No double escaping. Laziness prevented it

I read that just doing straight PDO made it so you didn't have to worry about escaping, sanitizing, bleaching, scrubbing, etc...

I do the standard PDO INSERT like so: How do I insert into PDO (sqllite3)?

The data is transmitted by jQuery ajax. Is that the source of the problem? If so, how do I reverse it?

Thanks for your help!

Specifics on problem

I have "\"s in front of quotes and double quotes only. Thanks!

Versions

PHP 5.3 for Zend Guard compatibility. MySQL 5.5. Apache 2.2.2. jQuery 1.8.3

+1 for reversal

I'll give as many +1s as answers on how to reverse these /'s. Thanks!

Magic Quotes

was the answer. Anyone want to lengthen their answer for check?

Still looking for a SQL statement to reverse previous escaping. Thanks!

Upvotes: 1

Views: 1030

Answers (2)

grossvogel

Reputation: 6782

This can be caused by having magic quotes enabled on the server. In particular, it's probably the magic_quotes_gpc directive, which can be set in php.ini, .htaccess, etc., but not at runtime with ini_set.

First, double-check the output of phpinfo() to be sure this is the problem. If you find that magic quotes is enabled, you'll need somebody with access to the server to disable it in your php.ini or .htaccess file. The PHP manual explains the process here: http://www.php.net/manual/en/security.magicquotes.disabling.php

Do be careful with this, though: If there is code running on the server that relies on magic quotes, disabling it could leave those sites vulnerable to attacks like SQL injection.

Upvotes: 4
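Where nobody can change the server configuration, the escaping that magic_quotes_gpc adds can be undone on the request data before it reaches PDO. The following is an added example, not part of the answer above; it targets the PHP 5.3 setup from the question, and the DSN, credentials, table `comments`, column `body` and form field `body` are hypothetical.

```php
<?php
// Added example for PHP 5.3. get_magic_quotes_gpc() always returns false
// from PHP 5.4 and was removed in PHP 8, hence the function_exists() guard.

/**
 * Recursively undo the addslashes()-style escaping that magic_quotes_gpc
 * applies to request values. Array keys are left untouched.
 */
function undo_magic_quotes($value)
{
    if (is_array($value)) {
        return array_map('undo_magic_quotes', $value);
    }
    return is_string($value) ? stripslashes($value) : $value;
}

// Strip only while the directive is on. Stripping unconditionally would
// remove legitimate backslashes once the server setting has been fixed.
if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
    $_GET     = undo_magic_quotes($_GET);
    $_POST    = undo_magic_quotes($_POST);
    $_COOKIE  = undo_magic_quotes($_COOKIE);
    $_REQUEST = undo_magic_quotes($_REQUEST);
}

// Hypothetical connection details.
$pdo = new PDO('mysql:host=localhost;dbname=example;charset=utf8', 'user', 'password');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
// Use server-side prepared statements instead of client-side emulation.
$pdo->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);

// The bound parameter travels separately from the SQL text, so the value
// is stored exactly as the user typed it, with no added backslashes.
$body = isset($_POST['body']) ? $_POST['body'] : '';
$stmt = $pdo->prepare('INSERT INTO comments (body) VALUES (:body)');
$stmt->execute(array(':body' => $body));
```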

tadman

Reputation: 211610

You've obviously got some other escaping going on in your application before it hits the PDO layer. Look for addslashes or escape_string type method calls to see if you've got that going on.

What you're seeing is a sign of double escaping.

Upvotes: 0
