Andy Lobel

Reputation: 3416

Why does mysqli still escape quotes?

I'm using prepared statements in mysqli, and if I put a " into one of my param values then it escapes it and adds a backslash before it. I thought mysqli didn't have to do this? Thanks. Example:

$comment = $members->prepare("insert into comments(comment) values(?)");
$comment->bind_param('s', $_POST['comment']);
$comment->execute();

puts \"\" into the database assuming that the comment field is equal to ""

Upvotes: 1

Views: 1091

Answers (1)

user1289347

Reputation: 2407

Your server may have magic quotes on. Check it out here: http://php.net/manual/en/security.magicquotes.php It's happened to me before, very annoying.

Quick check to see:

if (get_magic_quotes_gpc()) {
    echo "Magic quotes are enabled";
} else {
    echo "Magic quotes are disabled";
}

Upvotes: 2
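
An added example of the fix the answer points at (not code from the question or the answer): undo the backslashes that magic_quotes_gpc adds to GET/POST/COOKIE data before the value is bound, so the prepared statement stores the comment exactly as typed. It assumes, as the question does, that $members is an open mysqli connection and that a table comments(comment) exists; the helper name undo_magic_quotes is my own.

```php
<?php
// Added example, not part of the original post. Assumes $members is an open
// mysqli connection and the table comments(comment) exists, as in the question.

/**
 * Recursively strip the backslashes that magic_quotes_gpc added to request data.
 * array_map keeps the array keys, so nested form fields keep their names.
 */
function undo_magic_quotes($value)
{
    if (is_array($value)) {
        return array_map('undo_magic_quotes', $value);
    }
    return stripslashes($value);
}

// magic_quotes_gpc is a PHP_INI_PERDIR setting: it cannot be switched off with
// ini_set() at runtime, only in php.ini, httpd.conf or .htaccess
// (php_flag magic_quotes_gpc Off). Until that is done, strip the slashes here.
// get_magic_quotes_gpc() no longer exists in PHP 8, so guard the call.
if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
    $_GET    = undo_magic_quotes($_GET);
    $_POST   = undo_magic_quotes($_POST);
    $_COOKIE = undo_magic_quotes($_COOKIE);
}

// The bound value now reaches MySQL as the user sent it. The driver transmits
// parameters separately from the SQL text, so no quote escaping is needed,
// and any backslashes left in the value would be stored literally.
$comment = $members->prepare("insert into comments(comment) values(?)");
$comment->bind_param('s', $_POST['comment']);
$comment->execute();
```

With magic quotes on, a posted comment of `""` arrives as `\"\"`; after undo_magic_quotes it is `""` again and is stored that way. Only strip slashes when get_magic_quotes_gpc() reports them as enabled: running stripslashes() on unescaped input would silently delete backslashes the user actually typed.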

Related Questions