
So, when I save the data into database, PHP will add a \ on single or double quotes. That is good.

However, when data is passed back to the client using json_encode(), text like McDonald's is stored as McDonald's in the DB, but once passed back from PHP to JS it will be encoded as McDonald\'s.

Since I'm using jQuery, is there any plugin to easily do that? Or any function I should use to strip the slashes correctly? Obviously, if there is a case like \\\\s, the function should return \s. :)

Sorry guys. I think I made my question too complicated. How about I make it simpler.

If I have a javascript variable:

var abc = "McDonald\'s";
var bcd = "I need a slash \\ ";
var cde = "save the double quote \"";

How can I strip the \'? What regex should I use?

caitriona
murvinlai
  • I'm a little worried about a lot of the answers here. My PHP security knowledge is somewhat dated, so I'm not really qualified to give a good answer here, but it is vitally important that if you do turn off magic quotes, you replace it with a **better** escaping system. Your goals should be to prevent both SQL injection and cross-site scripting attacks. I normally would use `mysql_real_escape_string($user_input)` going into the DB and `htmlentities($db_output)` going out to the client -- but this may not be considered 100% safe any more. Hopefully someone can give better advice. – Andrew Oct 25 '10 at 02:09
  • What are you using in your JS to parse the JSON? Whatever you use would de-escape everything, if it's generated properly (which `json_encode` will do). – staticsan Oct 25 '10 at 02:41
  • @Andrew That advice is still sound, though generally you want to encode to a view with `htmlspecialchars()`. It is sufficient. – alex Oct 25 '10 at 08:46
  • Hi @alex. This is a can of worms I'm not qualified to open, but my preference in the past was to go with `htmlentities()` because it is significantly more destructive to user input, without having any visible impact on the rendered page (as long as you match the page encoding). When I did some studying of hacking methods three years ago, I was appalled at the variety of unicode characters available to a determined hacker -- and I still don't understand how many of these techniques worked. And I'm still not 100% sure `htmlentities()` is safe, but I know it's safer than `htmlspecialchars()`. – Andrew Oct 25 '10 at 13:55
  • @Andrew Well `htmlspecialchars()` targets just the characters generally used for XSS. I think using `htmlentities()` will do the same, but just bloat the page using `x;` style encoding for exotic characters, and most encoded stuff can be achieved by using UTF-8 as the character set. – alex Oct 25 '10 at 14:01

5 Answers


It's actually highly discouraged to use this "magic quotes" feature that inserts slashes. In general, you never want to store data in the database in an escaped format; you want to do the escaping and encoding in the output.

Domenic
  • Actually, I just checked the DB; magic quotes are off. It will store McDonald's in the DB. HOWEVER, the data generated from json_encode will attach the \'. It has to be like that when getting back to JSON. BUT how can I remove the strip in JS? – murvinlai Oct 25 '10 at 01:35
  • That's not *quite* correct; you want to escape data where it leaves the application in a way appropriate to where it's going. That is, you escape it for SQL generation in a way that doesn't store it escaped. – staticsan Oct 25 '10 at 02:40
  • @seatoskyhk, as @alex explains in his answer, use a JSON parser in JavaScript. – Domenic Oct 25 '10 at 05:49

I would take care of the main problem - magic_quotes is enabled.

I would disable it and use proper escaping methods with your database.

Then you don't have to worry about PHP magically adding slashes.

If you are talking about slashes when using json_encode(), it does that for a reason.

Use a JSON parser in JavaScript and you won't see them (unless something else is improperly encoding them).

alex
  • For the JSON part, that's exactly what I need to figure out. I don't want to have \' when I extract the data. – murvinlai Oct 25 '10 at 07:54
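To see why the advice in this answer (let a JSON parser undo the escaping) and Domenic's point about escaping only at output resolve the question, here is an added JavaScript example. It is not code from any answer on this page. JSON.stringify stands in for PHP's json_encode, phpAddslashes emulates what magic_quotes_gpc or addslashes() does to incoming request data, encodeForHtml stands in for htmlspecialchars() with ENT_QUOTES, and the three sample strings are constructed from the ones in the question; all function names are my own.

```javascript
// Added example (not from the original question or answers).
// phpAddslashes emulates PHP addslashes(): a backslash is put in front of
// single quote, double quote, backslash and NUL. This is what magic quotes
// did to request data before it reached the INSERT.
function phpAddslashes(str) {
  return str.replace(/[\\'"\0]/g, function (ch) {
    return ch === '\0' ? '\\0' : '\\' + ch;
  });
}

// Server side: JSON.stringify escapes " and \ (and control characters)
// the same way json_encode does, so the wire form is valid JSON text.
function encodeForClient(record) {
  return JSON.stringify(record);
}

// Client side: the JSON parser removes the JSON-level escaping and
// returns the stored text exactly. No extra slash stripping is needed.
function decodeOnClient(wire) {
  return JSON.parse(wire);
}

// Output encoding for a different sink: when the decoded value goes into
// HTML markup, escape it for HTML at that point (htmlspecialchars-style).
// Encoding happens per destination, never before storage.
function encodeForHtml(str) {
  var map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#039;' };
  return str.replace(/[&<>"']/g, function (ch) { return map[ch]; });
}

// Scenario A: magic quotes off, data stored verbatim. Round trip is exact.
function roundTripClean(values) {
  return decodeOnClient(encodeForClient(values));
}

// Scenario B: magic quotes on, addslashes() ran before the INSERT, so the
// database already holds "McDonald\'s". json_encode escapes that backslash
// and JSON.parse gives it back unchanged: the \' the question complains
// about is in the stored data, not an artefact of the JSON transport.
function roundTripWithMagicQuotes(values) {
  var stored = values.map(phpAddslashes);
  return decodeOnClient(encodeForClient(stored));
}

// Constructed sample data, matching the three strings in the question.
var sample = ["McDonald's", "I need a slash \\ ", 'save the double quote "'];

if (typeof require !== 'undefined' && require.main === module) {
  console.log('wire form:      ', encodeForClient(sample));
  console.log('clean:          ', roundTripClean(sample));
  console.log('magic quotes on:', roundTripWithMagicQuotes(sample));
  console.log('html:           ', sample.map(encodeForHtml));
}
```

Running it shows that with magic quotes off the client receives the original strings, while with magic quotes on it receives `McDonald\'s`; the fix is therefore on the input side (disable magic quotes, parameterise the INSERT) rather than a regex on the client.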

Try this too

function stripslashes(str) {
  // Undo PHP addslashes(): each backslash-escaped character becomes itself.
  return (str + '').replace(/\\(.?)/g, function (s, n1) {
    switch (n1) {
    case '\\':
      return '\\';       // "\\" -> a single backslash
    case '0':
      return '\u0000';   // "\0" -> NUL byte
    case '':
      return '';         // a lone trailing backslash is dropped
    default:
      return n1;         // "\'" -> "'", "\"" -> '"', anything else unchanged
    }
  });
}
Jayanath

Yes. http://phpjs.org/functions/stripslashes:537

Jason

Use: http://au.php.net/manual/en/function.mysql-real-escape-string.php before storing into database.

Use a custom function like this before writing onto any user interface:

function unescape($string)
{
    // Reverse the escaping applied before the INSERT, in three passes:
    // escaped control characters, then quotes, then doubled backslashes.
    $search  = array("\\x00", "\\n", "\\r", "\\\x1a");
    $replace = array("\x00", "\n", "\r", "\x1a");
    $retString = str_replace($search, $replace, $string);

    $search  = array("\'", '\\' . '"');
    $replace = array("'", '"');
    $retString = str_replace($search, $replace, $retString);

    $search  = array("\\\\");
    $replace = array("\\");
    $retString = str_replace($search, $replace, $retString);

    return $retString;
}
alex
zerodin