2

Anybody have any idea where I can look to change the behavior?

As expected, the "magic quotes" settings don't do anything, since the feature is gone now. However something is trying to be helpful and I'm not sure what.

Steps to reproduce:

  • Have a field on a form
  • Enter something with a single quote like "Terry's String"
  • Post the form
  • `$_POST['fieldname']` now contains the entered string with single quotes prefaced with a \ like: Terry\'s String

Turning off magic quotes in the php config file has no effect.

Anybody have any idea where else to look or how to troubleshoot this?

Edit: `var_dump($_POST['FirstName']);` returns: `string(15) "Terry's String"`

`var_dump($_GET['FirstName']);` returns

`array(1) { ["FirstName"]=> string(8) "Terry\'s" }` when I pass the param in a GET.

Form post from the browser shows: FirstName=Terry%27s+String

Terry Carmen
  • 2
    `var_dump($_POST['fieldname']);` returns what? are you using a framework? any security software running? –  Oct 31 '18 at 20:22
  • Use stripslashes as documented here: http://php.net/manual/de/function.stripslashes.php – Markus Zeller Oct 31 '18 at 20:59
  • Are you sure it's not something on the client? Use Developer Tools to see the parameters that are being sent. – Barmar Oct 31 '18 at 20:59
  • 4
    @MarkusZeller That's bad advice, he should fix whatever is adding the slashes in the first place. – Barmar Oct 31 '18 at 20:59
  • do you have mod_security enabled in apache? – Cemal Oct 31 '18 at 21:34
  • @Cemal I just posted the module list above. No mod_security. – Terry Carmen Oct 31 '18 at 21:45
  • @Barmar I just posted the actual browser post data. No backslash. – Terry Carmen Oct 31 '18 at 21:45
  • sorry bout that, must have asked the question, while you were updating it. – Cemal Oct 31 '18 at 21:47
  • 1
    does the same thing happen when you have $_GET variables? (might be easier to eradicate client side behaviour as you could simply fire up a curl call or append the parameter to the browser url) – Matthias Oct 31 '18 at 22:15
  • 1
    You could also try `var_dump(file_get_contents('php://input'));` to see the un-parsed request body. This should tell you if the problem exists before or after PHP handles the request – Phil Oct 31 '18 at 22:48
  • @Phil you're on to something! I'm not sure what it means, but file_get_contents doesn't have the backslash. – Terry Carmen Nov 01 '18 at 01:07
  • 1
    @TerryCarmen ok, that's a start. Now, are you absolutely sure of the PHP version in use with your web server? You can try `echo PHP_VERSION;` or try the good old `phpinfo()` (in the browser). Some systems can have multiple versions installed. `phpinfo()` will also show you which configuration files are in use – Phil Nov 01 '18 at 03:04
  • @Phil, if you want to post the answer, I'll be happy to mark it as "accepted" – Terry Carmen Nov 01 '18 at 13:43
  • 1
    Does this answer your question? *[With "magic quotes" disabled, why does PHP/WordPress continue to auto-escape my POST data?](https://stackoverflow.com/questions/8949768/with-magic-quotes-disabled-why-does-php-wordpress-continue-to-auto-escape-my)* – Peter Mortensen Dec 01 '19 at 02:24

1 Answer

5

Thanks to everybody and especially @Phil, who pointed me to `var_dump(file_get_contents('php://input'));`

Even though PHP 7.2 doesn't have Magic Quotes, WordPress has their own magic_quotes implementation and is modifying the PHP _POST data in order to "help".

Even though I was writing plain PHP code using what I thought was the PHP form post data, I was actually being given a sanitized copy.

It turns out that WordPress is having sanity issues and can't decide if they want Magic Quotes on or off even though PHP removed the functionality from the language.

#18322. The Road to Magic Quotes Sanity

WordPress and magic quotes

Peter Mortensen
Terry Carmen
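
The check that settled this thread, as an added example that is not part of the original posts: re-parse the untouched body from `php://input` and compare it with what `$_POST` holds, so fields escaped after PHP parsed the request are reported by name. `find_added_slashes()` and `unslashed_copy()` are hypothetical helper names and the sample values are constructed; `wp_unslash()` is WordPress's own function for reversing the slashes it adds.

```php
<?php
// Added example: helper names are hypothetical, sample data is constructed.

/**
 * Re-parse the raw urlencoded body and list the fields whose value in the
 * superglobal differs from it only by addslashes()-style escaping.
 */
function find_added_slashes(string $rawBody, array $superglobal): array
{
    parse_str($rawBody, $fresh);            // same parser PHP used, no later filtering
    $hits = [];
    foreach ($fresh as $name => $value) {
        $seen = $superglobal[$name] ?? null;
        if (!is_string($value) || !is_string($seen)) {
            continue;                       // only plain string fields are compared
        }
        if ($seen !== $value && $seen === addslashes($value)) {
            $hits[$name] = ['raw' => $value, 'seen' => $seen];
        }
    }
    return $hits;
}

/**
 * Return an unslashed copy only when WordPress is loaded. Calling
 * stripslashes() blindly elsewhere would corrupt legitimate backslashes.
 */
function unslashed_copy(array $superglobal): array
{
    return function_exists('wp_unslash') ? wp_unslash($superglobal) : $superglobal;
}

if (PHP_SAPI === 'cli') {
    // Constructed sample: the body from the question and what the script saw.
    $raw  = 'FirstName=Terry%27s+String';
    $seen = ['FirstName' => "Terry\\'s String"];
    print_r(find_added_slashes($raw, $seen));
} else {
    // In a real request: log any field that was escaped after parsing.
    $hits = find_added_slashes(file_get_contents('php://input'), $_POST);
    if ($hits) {
        error_log('slashes added after parsing: ' . json_encode(array_keys($hits)));
    }
    $post = unslashed_copy($_POST);         // work from this copy, not $_POST
}
```

`php://input` is empty for `multipart/form-data` posts, so the comparison applies to urlencoded forms. The slashes WordPress adds are not SQL escaping; pass the unslashed value to a parameterised query.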