So in order to avoid SQL injections, I decided to start using the PHP PDO functions to connect to my MySQL database. However, is it possible to avoid having the \ put on the table when a user puts a quote in?
Here's my code:
$insert = $conn->prepare("INSERT INTO tests
(name, author, category, description, num_attempts, audience, date_uploaded, source, public) VALUES
(:testName, '$userId', '$category', :desc, '0', '$audience', '$date', 'Web', '0')");
$insert->bindParam(':testName', $testName, PDO::PARAM_STR);
$insert->bindParam(':desc', $desc, PDO::PARAM_STR);
$insert->execute();
Note the testName, that's a user input. I don't want a \ being placed on the database whenever someone puts a quotation mark. Please help.
It looks like you have magic quotes turned on, that causes the slashes to be added. Magic quotes is a broken security concept and has been deprecated as of PHP 5.3, so for future-proof code set magic quotes to off.