I am using PDO prepared statements so it's adding slashes when it's needed before inserting into the database.
I was wondering about the proper way to get the results and display them on the website without showing the slashes.
Is it as easy as just using echo stripslashes($result->message); ?
Here is what my queries look like:
    $database->query('INSERT INTO table_name (field1, field2, field3) VALUES (?, ?, ?)', array($value1, $value2, $value3));

Here is my query method:

    public function query($query, $bind=null)
    {
        global $pdo;
        # Prepare statement
        $this->statement = $this->pdo->prepare($query);
        # Execute query
        $this->statement->execute($bind);
    }

EDIT: get_magic_quotes_gpc was indeed turned on even though WHM (cPanel) said it was off

Prepared statements do not add slashes to your query data. They inject the parameters into the query in the form of placeholders, in such a way that the placeholder is not considered as part of the query, but as part of the data only.
Therefore, no slashes are added, and there is no need for stripslashes().
If slashes are added for you, make sure you disable prepared statements emulation for your PDO instance:
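
The following added example, which is not code from either poster, round-trips a string full of quotes and backslashes through a prepared statement with emulation disabled, undoes magic quotes only where that legacy setting is active, and escapes for HTML on output instead of calling stripslashes(). It assumes an in-memory SQLite database via pdo_sqlite; the table name, the helper raw_input_value() and the sample string are constructed for illustration.

```php
<?php
// Added example: table, helper name and sample data are constructed.
$pdo = new PDO('sqlite::memory:', null, null, [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    // The setting the answer refers to. It matters for drivers that emulate
    // prepares by default (for example pdo_mysql).
    PDO::ATTR_EMULATE_PREPARES => false,
]);
$pdo->exec('CREATE TABLE messages (id INTEGER PRIMARY KEY, message TEXT)');

// Undo magic quotes on request input only where the legacy setting is on.
// The function was removed in PHP 8, hence the function_exists() guard.
function raw_input_value($value)
{
    if (function_exists('get_magic_quotes_gpc') && @get_magic_quotes_gpc()) {
        return stripslashes($value);
    }
    return $value;
}

// Constructed input containing the characters addslashes() would escape,
// plus markup to show why output escaping is a separate concern.
$submitted = raw_input_value("O'Reilly said \"hi\" \\ <b>bold</b>");

// The value travels as bound data, never as part of the SQL text.
$insert = $pdo->prepare('INSERT INTO messages (message) VALUES (?)');
$insert->execute([$submitted]);

$select = $pdo->prepare('SELECT message FROM messages WHERE id = ?');
$select->execute([$pdo->lastInsertId()]);
$stored = $select->fetchColumn();

// The bound value comes back unchanged, so there is nothing to strip.
var_dump($stored === $submitted);

// Escape for the output context (HTML here) when displaying the value.
echo htmlspecialchars($stored, ENT_QUOTES, 'UTF-8'), PHP_EOL;
```

If the comparison ever prints false, the extra slashes were added before the value reached PDO (for example by magic quotes on request input), not by the prepared statement.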