I’m trying to make a simple web interface for my database, and I’m using prepared statements because they are supposed to prevent SQL injection attacks. Anyway, my problem is that if I enter single or double quotes in the form and submit it, then they are entered into the database preceded by a backslash, which is also printed out with them when the items are selected from the database.
So, how do I enter a literal quote into the database without it acquiring a preceding backslash due to the prepare statement? Cheers.
<?php
// $username and $password are assumed to be defined earlier in the script.
$heading = $_POST['heading'];
$story = $_POST['story'];
$mysqli = new mysqli('localhost',$username,$password,'mydb');
if ($mysqli->connect_errno) {
    echo "Failed to connect: Error (".$mysqli->connect_errno.") ".$mysqli->connect_error;
    exit; // nothing below can work without a connection
}
if ( !$stmt = $mysqli->prepare('INSERT INTO news (heading,story) VALUES (?,?)') ) {
    echo "Prepare failed: Error (".$mysqli->errno.") ".$mysqli->error;
    exit; // $stmt is false here, so bind_param/close would be fatal
}
// The placeholders are bound as data; the driver never interpolates the strings into the SQL.
if ( !$stmt->bind_param('ss',$heading,$story) )
    echo "Binding parameters failed: (".$stmt->errno.") ".$stmt->error;
if (!$stmt->execute())
    echo "Execute failed: (".$stmt->errno.") ".$stmt->error;
$stmt->close();
?>
Make sure magic_quotes is turned off in php.ini.
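An added example (not the poster's or the answerer's code) that shows where the backslash comes from and how to keep it out: the prepared statement never escapes the bound value, so the backslash is added before the script runs by magic_quotes_gpc (PHP < 5.4). The example strips that escaping only when the setting is actually on, inserts a value containing both quote kinds, and reads it back unchanged. It assumes the poster's `news` table additionally has an auto-increment `id` column and that `$username`/`$password` are defined.

```php
<?php
// Added example. Assumes: table news(id AUTO_INCREMENT, heading, story),
// and $username / $password defined as in the poster's script.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // throw instead of returning false

// Return a form field with magic_quotes_gpc escaping undone (only if it is on).
// The prepared statement does its own quoting, so the bound value must be raw.
function raw_post(string $key): string {
    $value = $_POST[$key] ?? '';
    if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
        $value = stripslashes($value); // undo the extra backslashes magic quotes added
    }
    return $value;
}

function insert_news(mysqli $db, string $heading, string $story): int {
    $stmt = $db->prepare('INSERT INTO news (heading, story) VALUES (?, ?)');
    $stmt->bind_param('ss', $heading, $story); // data is sent separately from the SQL text
    $stmt->execute();
    $id = $stmt->insert_id;
    $stmt->close();
    return $id;
}

function fetch_heading(mysqli $db, int $id): ?string {
    $stmt = $db->prepare('SELECT heading FROM news WHERE id = ?');
    $stmt->bind_param('i', $id);
    $stmt->execute();
    $stmt->bind_result($heading);
    $found = $stmt->fetch();
    $stmt->close();
    return $found ? $heading : null;
}

$db = new mysqli('localhost', $username, $password, 'mydb');

// Constructed test value containing a single quote, double quotes and a backslash.
$heading = "O'Reilly said \"hi\" \\ done";
$id = insert_news($db, $heading, 'body text');
$stored = fetch_heading($db, $id);
// With magic quotes off (or undone by raw_post), the round trip is exact.
if ($stored !== $heading) {
    echo "Stored value was altered: " . htmlspecialchars($stored, ENT_QUOTES, 'UTF-8');
}

// Normal form path: raw input into the statement, escaping only on HTML output.
// $id = insert_news($db, raw_post('heading'), raw_post('story'));
// echo htmlspecialchars(fetch_heading($db, $id), ENT_QUOTES, 'UTF-8');
```

The rule the example illustrates: quote for the layer you are writing to (the driver for SQL via bound parameters, htmlspecialchars for HTML on output), never on input.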