4

Ok, so I'm having a problem with a simple textarea. I'm using a kind of hidden page to easily encode some data using JSON. However, all of my text input is automatically being escaped somewhere and I don't know where. All of my $_POST variables are automatically run through the htmlentities() function when the script starts up, as seen below:

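```php
$ani->i->post = $this->clean($_POST, true);

// Recursively lower-cases array keys and runs every scalar value through htmlentities().
function clean($values, $unset = false) {
    if (is_array($values)) {
        $return = array(); // initialise so an empty array does not return an undefined variable
        foreach ($values as $key => $value) {
            $newkey = strtolower($key);
            $return[$newkey] = $this->clean($value);
            unset($values[$key]);
        }
        return $return;
    }
    return htmlentities($values);
}
```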

I keep getting \' for all of my single quotes when I put the value back into the textarea.

I can't find anywhere where it would be adding slashes and I don't remember it being a feature that they were automatically added when you submit from a textarea, and if that was so, why would they not be returning back to a single quote when put back into the textarea? Do I really need to run variables through stripslashes() to get them back to their original form?

Edit: My 'test.php' file is as follows:

```php
<h1>To Be Encoded:</h1>
<form action="/test" method="post">
<textarea name="encode" rows="20" cols="50"><?= html_entity_decode($ani->i->post['encode']) ?></textarea>
<input type="submit" name="submit" value="Encode It!" />
</form>
<h1>Encoded By JSON:</h1>
<textarea name="encoded" rows="20" cols="50"><?= json_encode(html_entity_decode($ani->i->post['encode'])) ?></textarea>
<?php

die();

?>
```

P.S. The die() is just there for compatibility with my framework.

animuson

1 Answer

10

I suppose Magic Quotes are turned on.
Turn them off ASAP! :)

deceze
  • I have them off... `root@server [/etc]# grep "magic_quotes" php.ini` `; - magic_quotes_gpc = Off [Performance]` `magic_quotes_gpc = Off` `magic_quotes_runtime = Off` `magic_quotes_sybase = Off` – animuson Apr 14 '10 at 03:56
  • Indeed. Go ahead and ensure `register_globals` is off as well. – webbiedave Apr 14 '10 at 03:57
  • 5
    Sometimes systems will have more than one php.ini (for instance, one for CLI and one for Apache). The best way to check if it's set is to create a script that calls `phpinfo();` then search the output in your browser for `magic_quotes_gpc`. The outputted info will also show which php.ini is loaded by the web server (something similar to `Configuration File (php.ini) Path` and `Loaded Configuration File` and `Scan this dir for additional .ini files`). You can also check at run-time with `get_magic_quotes_gpc()` and `get_magic_quotes_runtime()`. – webbiedave Apr 14 '10 at 03:59
  • @webbiedave: Thanks! I found another ini file at `/usr/local/lib/php.ini` which seems to be the one that's actually being loaded and not `/etc/php.ini`, which had 'magic_quotes_gpc = On'. Everything works great now, wish I had known that was on... – animuson Apr 14 '10 at 04:09
  • I set `magic_quotes_gpc = Off` in the *php.ini* file, but when I run the `phpinfo()` function, it is still `On`. Why? How can I set it `Off`? – stack Dec 21 '15 at 16:26
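
Added example (not part of the original thread): a script that reports which php.ini the current SAPI actually loaded and the magic-quotes values in effect, the check the comments above recommend, and then reproduces the `\'` symptom from the question. The function names `ini_report()` and `round_trip()` are made up for this illustration, and `addslashes()` stands in for `magic_quotes_gpc`, which escaped request data the same way.

```php
<?php
// Added example, not code from the original thread.

// Which configuration did *this* SAPI load? The CLI and the web server can differ.
function ini_report()
{
    $loaded  = php_ini_loaded_file();      // false when no php.ini was loaded
    $scanned = php_ini_scanned_files();    // false or '' when no extra .ini files were parsed
    $report  = array(
        'sapi'        => PHP_SAPI,
        'php_version' => PHP_VERSION,
        'loaded_ini'  => $loaded ? $loaded : '(none)',
        'scanned_ini' => $scanned ? array_map('trim', explode(',', $scanned)) : array(),
    );
    $names = array('magic_quotes_gpc', 'magic_quotes_runtime', 'magic_quotes_sybase');
    foreach ($names as $name) {
        $value = ini_get($name);           // false: this build has no such directive
        if ($value === false) {
            $report[$name] = 'not supported by this PHP version';
        } else {
            $on = in_array(strtolower($value), array('1', 'on', 'yes', 'true'), true);
            $report[$name] = $on ? 'On' : 'Off';
        }
    }
    return $report;
}

// Reproduce the symptom from the question with a constructed input.
function round_trip($input, $magic_quotes_on)
{
    $received = $magic_quotes_on ? addslashes($input) : $input;
    $stored   = htmlentities($received);   // what clean() does to $_POST
    return html_entity_decode($stored);    // what test.php prints into the textarea
}

if (PHP_SAPI !== 'cli') {
    header('Content-Type: text/plain; charset=utf-8');
}
print_r(ini_report());
echo "quotes on:  ", round_trip("it's", true), "\n";
echo "quotes off: ", round_trip("it's", false), "\n";
```

Request it through the web server rather than the CLI so the report reflects the configuration the site really uses, and delete it from the web root afterwards, since like `phpinfo()` it discloses server paths.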