Alright, so my code to update my database tables is varying flavours of the following:
$query = "
insert into Comment
(Comment, CommentDate, Rating, UserRid)
values
(:comment, now(), 0, :userrid )" ;
$db_conn = null; // lets the catch block tell whether the connection was ever made
try {
$db_conn = new PDO('mysql:host='.$db_server.';dbname='.$db_name, $db_username, $db_password );
// Without this, prepare()/execute() return false instead of throwing, so the catch below never runs for them.
$db_conn->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db_conn->beginTransaction();
$prep = $db_conn->prepare($query);
$prep->bindParam(':comment', $comment, PDO::PARAM_STR, 500);
$prep->bindParam(':userrid', $userrid, PDO::PARAM_INT, 20);
$prep->execute();
$db_conn->commit();
} catch (PDOException $e) {
// Method calls use "->", not "." (string concatenation); only roll back if a transaction is open (inTransaction() needs PHP 5.3.3+).
if ($db_conn !== null && $db_conn->inTransaction()) {
$db_conn->rollBack();
}
echo "Error!: " . $e->getMessage() . "<br/>";
die();
}
In the above, comment comes in via Post from another page. Userrid is being set properly via a function call. Everything works properly, except the slashes get added to the table.
Everything I’ve read says that in order to get around having slashes whenever someone types in an apostrophe that I should be using parameterized queries. If I’m not mistaken, I’m pretty sure that’s what I’m doing. Am I missing something? Can anybody let me know what I’m not doing right?
Thanks in advance,
Michael
Probably you've magic_quotes_gpc() turned on, you need to do something like this:
If you're using PHP 5.3+ you can get rid of all magic quoted variables by placing the following lines of code on the top of your file:
If you’re running a lower version of PHP you should take a look at this page.
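To make the answer concrete, here is an added example of the approach it describes; it is my own code, not the answerer's or the asker's. It assumes the connection settings ($db_server, $db_name, $db_username, $db_password) are placeholders you fill in, that $userrid is a constant standing in for the asker's function call, and that the comment arrives in $_POST['comment'] (a constructed fallback string is used when it is absent). The idea is that PDO's prepared statement already escapes the value exactly once on the way to the server, so any addslashes() that magic quotes applied on the way in has to be undone first, and only when magic quotes is actually on.

```php
<?php
// Added example (not from the original thread): undo magic_quotes_gpc before
// binding request data, so PDO is the only layer that ever escapes it.

// Step 1: at the very top of the file, before $_POST is read anywhere.
// get_magic_quotes_gpc() reports whether PHP added slashes to GET/POST/COOKIE;
// it is gone in PHP 8, hence the function_exists() guard.
if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
    // Recursively strip the added slashes from nested arrays as well (PHP 5.3+ closure).
    $strip = function ($value) use (&$strip) {
        return is_array($value) ? array_map($strip, $value) : stripslashes($value);
    };
    $_GET     = array_map($strip, $_GET);
    $_POST    = array_map($strip, $_POST);
    $_COOKIE  = array_map($strip, $_COOKIE);
    $_REQUEST = array_map($strip, $_REQUEST);
}

// Placeholders for the asker's connection settings (assumption).
$db_server   = 'localhost';
$db_name     = 'your_database';
$db_username = 'your_user';
$db_password = 'your_password';

// Constructed input: what a user might have typed, apostrophes included.
$comment = isset($_POST['comment']) ? $_POST['comment'] : "It's a 'quoted' test";
$userrid = 42; // placeholder; the question sets this from a function call

$query = "
insert into Comment
(Comment, CommentDate, Rating, UserRid)
values
(:comment, now(), 0, :userrid)";

$db_conn = null;
try {
    $db_conn = new PDO('mysql:host=' . $db_server . ';dbname=' . $db_name, $db_username, $db_password);
    // Make prepare()/execute() throw, so the catch block below is actually reachable.
    $db_conn->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    // Use real server-side prepared statements: the value never touches the SQL text,
    // so no client-side quoting is needed and none should be applied by hand.
    $db_conn->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);

    $db_conn->beginTransaction();
    $prep = $db_conn->prepare($query);
    $prep->bindParam(':comment', $comment, PDO::PARAM_STR, 500);
    $prep->bindParam(':userrid', $userrid, PDO::PARAM_INT);
    $prep->execute();
    $db_conn->commit();
} catch (PDOException $e) {
    if ($db_conn !== null && $db_conn->inTransaction()) {
        $db_conn->rollBack();
    }
    // Log the driver message server-side; avoid echoing it to the browser in production.
    error_log('Comment insert failed: ' . $e->getMessage());
    die('Could not save comment.');
}
```

The magic-quotes block only runs when the setting is on, so it will not strip backslashes a user legitimately typed on a server where magic quotes is already off. With the slashes gone and the value bound as a parameter, "It's a 'quoted' test" is stored exactly as typed.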