
On the client side, I'm working with an array of JavaScript objects. On submit I need to send it to PHP with a form and manipulate the data further on the server-side.

So when building or changing an array of objects on the JavaScript side, I'm saving it to a hidden input. It is passed with the form as expected, but the problem is that json_decode returns NULL if I don't stripslashes before decoding it.

Magic Quotes are off as I use PHP > 5.5, and get_magic_quotes_gpc() always returns FALSE.

Why do I need stripslashes in this case, and will this be the case on any production server with magic quotes off?

P.S.: Currently I'm still working on a development environment on Windows and an EasyPHP local server.

Posted data on server side looks like (var_dump):

```
string(5045) "[{\"address_components\":[{\"long_name\":\"Flughafenstrasse\",\"short_name\":\"Flughafenstrasse\"...
```

I'm using WordPress as a container of my application.
Peter Mortensen
Arman P.
  • How exactly are you creating the JSON string? – haim770 Feb 18 '14 at 09:36
  • @haim770 The object is basically google maps placeResult object with some modification (a pair of fields is added to object) and then I use `JSON.stringify` before saving the value to hidden input. – Arman P. Feb 18 '14 at 09:41
  • If you `console.log(json)` before appending to hidden input, are there any slashes? – haim770 Feb 18 '14 at 09:42
  • @haim770 No, there are no slashes. When I read back from input and use `JSON.parse` the string is converted to the object (or array of objects) as it should be. So slashes are added when posting data to server via form. – Arman P. Feb 18 '14 at 09:45
  • And what about `console.log(hiddenInput.value)`, after you append to the hidden input? – haim770 Feb 18 '14 at 09:46
  • @haim770 I checked that also, it's still normal. I've updated the question with example data as it looks on server side (after submitting). So the slashes are for sure added when posting. – Arman P. Feb 18 '14 at 09:51
  • Does this answer your question? *[With "magic quotes" disabled, why does PHP/WordPress continue to auto-escape my POST data?](https://stackoverflow.com/questions/8949768/with-magic-quotes-disabled-why-does-php-wordpress-continue-to-auto-escape-my)* – Peter Mortensen Dec 01 '19 at 14:33

1 Answer


The application that I was working on was a WordPress plugin, as it was integrated in WordPress. And it turns out that WordPress (as of current version: 3.8.1) adds slashes (quotes) to GET and POST data on load. And even with PHP > 5.4 and get_magic_quotes_gpc returning 0, data is still escaped.

The solution is simply to stripslashes if you use WordPress, but who knows when WordPress will disable such behaviour and your application will have issues again :)

Some links for the issue:

Peter Mortensen
Arman P.
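The behaviour described in the answer above, as an added example that is not part of the original post or of WordPress's own code: it unslashes a posted JSON field exactly once and rejects anything that does not decode. `decode_posted_json()` is a hypothetical helper, the sample data is constructed, and `addslashes()` stands in for the slashing WordPress applies to request data.

```php
<?php
// Added example: decode_posted_json() is a hypothetical helper, not a WordPress API.

/**
 * Decode a JSON string taken from slashed request data ($_POST under WordPress).
 * Unslashes exactly once, then fails closed on anything that is not a JSON array.
 */
function decode_posted_json($raw)
{
    if (!is_string($raw)) {
        return null;
    }
    // wp_unslash() is WordPress's own helper (3.6+); fall back to stripslashes()
    // so the snippet also runs outside WordPress.
    $json = function_exists('wp_unslash') ? wp_unslash($raw) : stripslashes($raw);

    $data = json_decode($json, true);
    if (json_last_error() !== JSON_ERROR_NONE || !is_array($data)) {
        return null; // reject malformed input instead of guessing at a repair
    }
    return $data;
}

// Constructed sample: what JSON.stringify() put into the hidden input.
// The "note" value contains escaped quotes that are part of valid JSON.
$client_json = '[{"long_name":"Flughafenstrasse","note":"a \"quoted\" word"}]';

// Simulate the slashes added to request data on load.
$posted = addslashes($client_json);

// Decoding the slashed value directly fails: \" outside a string is not valid JSON.
var_dump(json_decode($posted));

// Unslashing once restores the client's string, so decoding succeeds.
var_dump(decode_posted_json($posted));

// Unslashing data that was never slashed strips the legitimate JSON escapes
// and breaks decoding, which is why stripslashes() must be applied exactly once.
var_dump(json_decode(stripslashes($client_json)));
```

The decoded array is still untrusted input: validate the expected keys and types before using the values in queries or output.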