On the server I'm using (running php_fastcgi5), there is an .htaccess file in the root directory containing this directive, to turn off magic_quotes_gpc:
php_flag magic_quotes_gpc off
A phpinfo() output reports that the local value for magic_quotes_gpc is indeed off. (The master value is however "on".)
I am not sure if this is reporting accurately, firstly because I read this posting, and secondly because the following code using PDO prepared statements still ends up with backslashes inserted into the database record:
<?php
$db = new PDO('mysql:host=example.com;dbname=my_database_name;charset=utf8', 'database_user', 'password');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_WARNING);
// Use native (server-side) prepared statements rather than PDO's emulation.
$db->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);
// $CR was not defined in the snippet as posted; assumed here to be a line break.
$CR = "\n";
$output = '<p>Post some text which includes some apostrophes:</p><form name="form" action="test.php" method="post"><input type="text" size="60" name="string" value="The server\'s not behaving as it\'s supposed to." /><br /><br /><input type="submit" value="Post" /></form><br />----------<br />';
if (isset($_POST['string'])) {
    $PostedString = $_POST['string'];
    // The posted value is bound as a parameter, so it is stored exactly as received.
    $InsertQuery = $db->prepare("INSERT INTO `test` (string) VALUES (?)");
    $SuccessfulInsertion = $InsertQuery->execute(array($PostedString));
    if ($SuccessfulInsertion) {
        $ReadStatement = $db->prepare('SELECT * FROM `test` ORDER BY `id`');
        $ReadStatement->execute();
        $ReadStatement->setFetchMode(PDO::FETCH_ASSOC);
        while ($row = $ReadStatement->fetch()) {
            $ThisString = $row['string'];
            // Escape stored text before echoing it into HTML; any backslashes stay visible.
            $output .= '<p>'.htmlspecialchars($ThisString, ENT_QUOTES, 'UTF-8').'</p>'.$CR;
        }
    }
}
echo $output;
?>
Does anyone know why text inserted into the database using this code still results in db records with slashes added before apostrophes?
Is it because PHP is running as php_fastcgi5 (i.e., is the .htaccess directive to switch off magic_quotes_gpc not working because of this)? If so, is there a workaround? (I have no access to the php.ini file.)
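A runtime check that does not depend on .htaccess or php.ini, given here as an added example that is not part of the original post: it asks the running interpreter whether magic_quotes_gpc is still active and, if so, reverses the escaping before any value reaches the prepared statement. The helper name undo_magic_quotes() is hypothetical, and the code assumes a PHP 5 interpreter, where get_magic_quotes_gpc() is available.

```php
<?php
// Added example, not the poster's code. undo_magic_quotes() is a hypothetical helper.

/**
 * Recursively reverse the escaping magic_quotes_gpc applied to one input value.
 * Array keys are unescaped as well, because keys of nested arrays can be escaped too.
 */
function undo_magic_quotes($value)
{
    if (is_array($value)) {
        $clean = array();
        foreach ($value as $k => $v) {
            $key = is_string($k) ? stripslashes($k) : $k;
            $clean[$key] = undo_magic_quotes($v);
        }
        return $clean;
    }
    // stripslashes() also honours magic_quotes_sybase ('' becomes ') when that is on.
    return is_string($value) ? stripslashes($value) : $value;
}

// Ask the interpreter itself instead of trusting the configuration file.
$magicQuotesActive = function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc();

// Record which SAPI is serving the request and what it reports, for diagnosis.
error_log(sprintf(
    'sapi=%s magic_quotes_gpc(runtime)=%s ini_get=%s',
    php_sapi_name(),
    $magicQuotesActive ? 'on' : 'off',
    var_export(ini_get('magic_quotes_gpc'), true)
));

if ($magicQuotesActive) {
    // $_REQUEST is populated separately, so it has to be cleaned as well.
    $_GET     = undo_magic_quotes($_GET);
    $_POST    = undo_magic_quotes($_POST);
    $_COOKIE  = undo_magic_quotes($_COOKIE);
    $_REQUEST = undo_magic_quotes($_REQUEST);
}

// Constructed sample input showing the helper on an escaped value.
$sample = array('string' => 'The server\\\'s not behaving', 'tags' => array('it\\\'s'));
var_dump(undo_magic_quotes($sample));
```

Include this once at the top of the request, before any script reads $_POST; stripping only when the runtime check is true avoids removing backslashes the user typed on a server where magic quotes is off.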