
Insert HTML code into MySQL database using PHP-PDO->Prepare Statement

I have a problem: I'm trying to insert HTML data into my database, but when I insert it, it returns the quotes with backslashes. (I think that is a PDO security function... but how can I disable it?)

The PHP+PDO code is...

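// ATTR_EMULATE_PREPARES is a connection attribute: set it on the PDO
// object before prepare(), not on the prepared statement.
$db->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);

if (!empty($_POST['site_ads_right'])) {
  // Both values travel as bound parameters, never as part of the SQL text.
  $update1 = $db->prepare("UPDATE ads SET custom_html = :html WHERE position = :pos");
  $update1->bindValue(':html', $_POST['site_ads_right'], PDO::PARAM_STR);
  $update1->bindValue(':pos', 4, PDO::PARAM_INT);
  $update1->execute();
}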

And I'm trying to insert this code using an HTML textarea called site_ads_right (for $_POST):

<a href='http://www.example.com/index.php' target='_BLANK'><img src='img/content/a46adedac744f8f98b385ed392f92b3d_lll.jpg'></a>

But when I insert that, the return from the database is...

<a href=\'http://www.example.com/index.php\' target=\'_BLANK\'><img src=\'img/content/a46adedac744f8f98b385ed392f92b3d_lll.jpg\'></a>

And I need to insert it without the filter that puts in the backslashes...

Thanks.

Okay, with...

$update1 = $db->query("UPDATE ads SET custom_html = '".$_POST['site_ads_right']."' WHERE position = 4");

Inserts the code without the backslashes.

PDO is irrelevant here. Its security function is doing its job flawlessly.

It's either magic quotes or your own general-purpose sanitizing function.
Just get rid of them both.
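
An added example (not from the original question or answer) illustrating the answer's point: a bound parameter stores exactly the bytes it is given, so the backslashes must come from input handling that runs before PDO. It assumes the pdo_sqlite extension, with an in-memory SQLite table standing in for the MySQL `ads` table; `undo_magic_quotes` and `store_and_read` are hypothetical helpers.

```php
<?php
// Added example. SQLite in memory stands in for the page's MySQL table.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE ads (position INTEGER PRIMARY KEY, custom_html TEXT)');
$db->exec("INSERT INTO ads (position, custom_html) VALUES (4, '')");

// Hypothetical helper: strip slashes only if magic quotes really added them.
function undo_magic_quotes($value, $magicQuotesOn)
{
    return $magicQuotesOn ? stripslashes($value) : $value;
}

// Hypothetical helper: store through a bound parameter, then read the row back.
function store_and_read(PDO $db, $html)
{
    $update = $db->prepare('UPDATE ads SET custom_html = :html WHERE position = :pos');
    $update->bindValue(':html', $html, PDO::PARAM_STR);
    $update->bindValue(':pos', 4, PDO::PARAM_INT);
    $update->execute();

    $select = $db->prepare('SELECT custom_html FROM ads WHERE position = :pos');
    $select->bindValue(':pos', 4, PDO::PARAM_INT);
    $select->execute();
    return $select->fetchColumn();
}

// Constructed input: the question's HTML, and the same string after magic quotes.
$original = "<a href='http://www.example.com/index.php' target='_BLANK'>"
          . "<img src='img/content/a46adedac744f8f98b385ed392f92b3d_lll.jpg'></a>";
$mangled  = addslashes($original);

// 1) A bound parameter is stored byte for byte: slashes in, slashes out.
var_dump(store_and_read($db, $mangled) === $mangled);

// 2) Undo the input-layer escaping first and the stored HTML is the original.
var_dump(store_and_read($db, undo_magic_quotes($mangled, true)) === $original);

// In a real request, derive the flag from the runtime. The function was
// removed in PHP 8.0, so check that it exists before calling it.
$magicQuotesOn = function_exists('get_magic_quotes_gpc') && @get_magic_quotes_gpc();
$posted = isset($_POST['site_ads_right']) ? $_POST['site_ads_right'] : '';
$html = undo_magic_quotes($posted, $magicQuotesOn);
```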
