4

I have created a form in my web application which has only a single text field, and that field is posted to a PHP page using GET, but I am observing strange behavior: when I test it on my local server, the text is received as it was written in the text field, but when I upload it to my online server, the received string is escaped automatically, meaning all single quotes and double quotes are escaped. E.g. if I write It's not true... then on the PHP side I will get

$comment = $_REQUEST["comm"];
print $comment;
//will print It\'s not true... on my online server
//will print It's not true... on my local server

I am still unable to understand why this is so. Is there any PHP setting for escaping query string variables automatically?

Muhammad Ummar
  • 3,541
  • 6
  • 40
  • 71

3 Answers

9

You have "magic quotes" enabled. They're a terrible misfeature which are luckily being removed in the next version of PHP. The PHP manual has a guide to disabling them.

In short, you need to set the following configuration items to Off in your php.ini file:

  • magic_quotes_gpc
  • magic_quotes_runtime
  • magic_quotes_sybase

Specifically, your problem appears to be with magic_quotes_gpc - the "gpc" portion being short for "GET, POST, and COOKIE" - but it's good practice to keep all of them disabled.

AgentConundrum
  • 20,288
  • 6
  • 64
  • 99
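An added example, not from the question or any answer: if the host will not let you turn magic quotes off, the next-best defence is to reverse them once, early in the request, so the application sees exactly what the user typed. It assumes a PHP 5.x host (magic quotes were removed in PHP 5.4, and `get_magic_quotes_gpc()` with them in PHP 8); the function names are my own.

```php
<?php
// Added example: defensive handling of magic_quotes_gpc on a PHP 5.x host
// where php.ini cannot be edited. Function names are hypothetical.

// 1. Detect whether the hosting configuration added the slashes.
function magic_quotes_enabled() {
    return function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc();
}

// 2. Recursively reverse addslashes() on a scalar or a nested array
//    (magic quotes also escape array-valued parameters such as comm[]).
function strip_magic_quotes_deep($value) {
    if (is_array($value)) {
        return array_map('strip_magic_quotes_deep', $value);
    }
    return stripslashes($value);
}

// 3. Undo the escaping exactly once, before any other code reads input.
//    Returns true when it had to do something, false when nothing was escaped.
function undo_magic_quotes() {
    if (!magic_quotes_enabled()) {
        return false;
    }
    $_GET     = strip_magic_quotes_deep($_GET);
    $_POST    = strip_magic_quotes_deep($_POST);
    $_COOKIE  = strip_magic_quotes_deep($_COOKIE);
    $_REQUEST = strip_magic_quotes_deep($_REQUEST);
    return true;
}

undo_magic_quotes();
$comment = isset($_REQUEST['comm']) ? $_REQUEST['comm'] : '';
// $comment is now "It's not true..." on both servers. Escaping belongs at the
// output boundary instead: htmlspecialchars() for HTML, bound parameters for SQL.
echo htmlspecialchars($comment, ENT_QUOTES, 'UTF-8');
```

Where the server honours per-directory overrides (mod_php), `php_flag magic_quotes_gpc Off` in `.htaccess` removes the need for the runtime fallback entirely.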
2

The code will tell you everything you need..

function mysql_prep($value) {
    $magic_quotes_active = get_magic_quotes_gpc();
    $new_enough_php = function_exists("mysql_real_escape_string"); // i.e. PHP >= v4.3.0
    if ($new_enough_php) { // PHP v4.3.0 or higher
        // undo any magic quote effects so mysql_real_escape_string can do the work
        if ($magic_quotes_active) {
            $value = stripslashes($value);
        }
        $value = mysql_real_escape_string($value);
    } else { // before PHP v4.3.0
        // if magic quotes aren't already on then add slashes manually
        if (!$magic_quotes_active) {
            $value = addslashes($value);
        }
        // if magic quotes are active, then the slashes already exist
    }
    return $value;
}

Create the above function and pass your values on to it,

and then call it on the values like

$yourVar = mysql_prep($_POST['yourControlName']);

I hope everything is explained via the comments...

BenMorel
  • 34,448
  • 50
  • 182
  • 322
Shabir Gilkar
  • 323
  • 2
  • 7
  • 19
0

I think it's a setting within the php.ini file. You can call a PHP function to disable it, but by then it's too late.

Craig White
  • 13,492
  • 4
  • 23
  • 36
  • Actually, you can only disable `magic_quotes_runtime` and `magic_quotes_sybase` from `ini_set()`, which I assume is the function you're referring to. `magic_quotes_gpc` has a mode of `PHP_INI_PERDIR` which means it can only be modified from an `.htaccess` or "higher". This is most likely because once the function is called, the gpc superglobals are already set and the damage is done. – AgentConundrum Apr 07 '11 at 05:36
  • I don't need to use `ini_set()` I have access to `php.ini` – Muhammad Ummar Apr 07 '11 at 06:18
  • @Ummar I know you don't need to use `ini_set()`. I was just explaining to Craig that you can't always call a PHP function to disable it like he said, that's all. Just adding a bit of clarity. – AgentConundrum Apr 07 '11 at 07:21