-1

If I enter the URL http://localhost/script.php?a=" into the URL bar of Chrome, where script.php is the following test code:

var_dump( $_GET );
print '<br>';
var_dump( urldecode($_GET['a']) );
die();

The result looks like

array(1) { ["a"]=> string(2) "\"" } 
string(2) "\""

It seems that Chrome (or Apache/PHP?) is adding a backslash before the quote. The same thing happens if I use %22 instead of the quote character in the URL. It shouldn't be this way, should it?

I can't recall ever having this issue before, but this is a rather "new" (to me) install of PHP and Apache, so could it be some configuration on my installation that's causing this?

Magnus
  • 17,157
  • 19
  • 104
  • 189
  • Sounds like you have [magic quotes](http://php.net/manual/en/security.magicquotes.php) and should upgrade to a new version of PHP. – Quentin Jul 30 '14 at 11:49

1 Answers1

0

Try below - 

var_dump( $_GET );
print '<br>';
var_dump( urldecode(stripslashes($_GET['a'])));
die();

This is because magic_quotes is ON in your php.ini file - You can add below in php.ini , this should work. 

magic_quotes_gpc = Off
magic_quotes_runtime = Off
magic_quotes_sybase = Off
Abhijit
  • 112
  • 1
  • 10
  • Well of course stripslashes() will work, but should it really be necessary on a GET-parameter?? I can't recall ever having to do that before? – Magnus Jul 30 '14 at 11:37
  • Doh! That was it, just found it myself too. If you update your original answer I'll accept it... – Magnus Jul 30 '14 at 11:49