
I have a basic website using HTML, PHP and MySQL.

HTML input:

C# - Developer's Guide "LIMITED EDITION"

becomes

In PHP :

C# - Developer\'s Guide \"LIMITED EDITION\"

In MySQL:

C# - Developer\'s Guide \"LIMITED EDITION\"

In PHP I use:

if(empty($_POST['book_title'])) {
    $errors['book_title'] = TRUE;
} else {
    // Escapes quotes with backslashes before the value is bound below
    $book_title = mysqli_real_escape_string($link, trim($_POST['book_title']));
}

$stmt = mysqli_stmt_init($link); // statement handle must exist before prepare()
$query1 = "INSERT INTO book(title) VALUES(?)";
if(!$errors && mysqli_stmt_prepare($stmt, $query1))
{
  mysqli_stmt_bind_param($stmt, "s", $book_title) or die("Bind param failed");
  if(!mysqli_stmt_execute($stmt)) {
    $errors['table_book'] = TRUE;
  }
} else {
  $errors['table_book'] = TRUE;
}

EDIT: magic_quotes are turned off. And I'm using PHP 7.0.3.

How do I get my HTML input, exactly as typed, into PHP and into MySQL?

What is magic_quotes (I read about it on some blogs), and can it help me?

Ask me if you need any other info. Help me.

Naveen Kumar V
  • `$errors['book_title'] = TRUE;` is not really true. – DirtyBit Jul 27 '16 at 13:12
  • @user5173426 [declared as `$errors = array();`] So I'm setting an errors list for the AJAX response. And that's not my actual issue. Storing a string (via HTML input) with single and double quotes troubles me. Hope you might help me. – Naveen Kumar V Jul 27 '16 at 13:17
  • First I would suggest using PDO prepared statements (http://stackoverflow.com/documentation/php/275/using-a-database) - it handles escaping values for you. Second, can we see your HTML input fields - the actual form you're using to submit this data? If it's just a standard input and you get the value in PHP it should just be a string (with quotes not escaped), so it's not clear how/where it's getting escaped. – WOUNDEDStevenJones Jul 27 '16 at 14:25
  • Ah, I'm assuming you're on an older version of PHP if it's using magic quotes. It looks like you can disable that in `php.ini` (http://php.net/manual/en/security.magicquotes.disabling.php) by setting `magic_quotes_gpc = Off`, `magic_quotes_runtime = Off`, and `magic_quotes_sybase = Off` – WOUNDEDStevenJones Jul 27 '16 at 14:30
  • Don't use `mysqli_real_escape_string` **and** a prepared statement. Remove the former, as it adds the escape characters which are then literally stored via the prepared statement – Phil Jul 29 '16 at 04:01
  • @Phil That worked. :) Post it as answer with some explanation. So that I can mark as Accepted Answer. :) – Naveen Kumar V Jul 29 '16 at 04:02

1 Answer

As suggested by 'Phil' in the comments above and in other SO questions (found by searching for 'should i use mysqli_real_escape_string with prepared statement'):

Use only a prepared statement, rather than mysqli_real_escape_string() or a combination of both.

Naveen Kumar V
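The corrected flow the answer describes, as an added example rather than code from the question or the answer: the trimmed input is bound to the placeholder with no mysqli_real_escape_string() call, so the quotes reach the database as typed, and escaping happens only when the title is written back into HTML. It assumes an open mysqli connection `$link`, a `book` table with an `id` column in addition to `title`, and the mysqlnd driver (needed for `get_result()`).

```php
<?php
// Added example, not the question's or answer's code. Assumes an open
// mysqli connection $link and a table book(id INT, title VARCHAR).
declare(strict_types=1);

mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

/**
 * Insert a book title exactly as the user typed it.
 * The placeholder plus bind_param sends the value separately from the
 * SQL text, so quotes need no escaping. Running the value through
 * mysqli_real_escape_string() first is what stored the backslashes
 * shown in the question.
 */
function insert_book(mysqli $link, string $raw_title): bool
{
    $title = trim($raw_title);          // no mysqli_real_escape_string()
    if ($title === '') {
        return false;                   // caller records the validation error
    }
    $stmt = $link->prepare('INSERT INTO book (title) VALUES (?)');
    $stmt->bind_param('s', $title);
    $stmt->execute();
    return $stmt->affected_rows === 1;
}

/**
 * Read a title back for display. The stored value is raw, so escaping
 * belongs here, at the HTML boundary, not at the SQL boundary.
 */
function book_title_html(mysqli $link, int $id): string
{
    $stmt = $link->prepare('SELECT title FROM book WHERE id = ?');
    $stmt->bind_param('i', $id);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    return htmlspecialchars($row['title'] ?? '', ENT_QUOTES, 'UTF-8');
}

// Usage with the question's own sample value (constructed form input):
$_POST['book_title'] = 'C# - Developer\'s Guide "LIMITED EDITION"';
$errors = [];
if (!insert_book($link, $_POST['book_title'] ?? '')) {
    $errors['book_title'] = true;
}
// The row now holds: C# - Developer's Guide "LIMITED EDITION"
```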