0

How can I hand over double quotes with POST? Every time I try it, it gives me \' the first time and \\\'\\\ the second time and so on. I tried it with str_replace but it only works partially. Is there a way to handle this correctly?

Edit:

After disabling magic_quotes_gpc it still doesn't work 100% correctly. My first form has a hidden input field. It has the value

text 'textinquotes'

This value is submitted via POST to another PHP script. If I output the variable I get

text \'textinquotes\'

If the user forgot to fill out a field, I submit the values to another PHP script via POST. In this PHP script I make a GET with the parameters to the PHP script where the user puts in his values. In this case I get

text \\\'textinquotes\\\'

If the user has entered everything correctly, I write an email and store it in the database. In the email I get

text \'textinquotes\'

and in the database I get

text 'textinquotes'.

What am I still doing wrong?

For creating the GET I have the following code:

$red = $referer."?error=1";
foreach($post as $post_key => $post_value) {
    $red .= "&".$post_key."=".$post_value;
}
testing

2 Answers

1

It's either added by PHP because of the deprecated magic_quotes_gpc feature,
or by some misplaced general input "sanitizing" function.

In either case you have to find the cause and turn it off forever.

For the magic quotes you can use phpinfo() to see its value.

If it's the magic quotes and you have no ability to alter PHP settings, you can at least clean the superglobal arrays, which ought to be enough. There are many code samples on this site, for example this one: "How to remove magic quotes if php.ini/.htaccess are not editable?"

Your Common Sense
  • To turn `magic_quotes_gpc` off, do I have to contact my provider or is there another way to do this? – testing Nov 09 '11 at 17:11
  • Should I use the htaccess file like [here](http://support.aiso.net/index.php?_m=knowledgebase&_a=viewarticle&kbarticleid=211)? OK, that didn't work (500 Internal Server error). – testing Nov 09 '11 at 17:20
  • A 500 error means you have to peek into the server's error log for the certain error message. At first glance this code seems OK: `php_flag magic_quotes_gpc off`. The latter part of the text, with ini_set, makes no sense. It will never work. – Your Common Sense Nov 09 '11 at 17:30
  • Sorry, I don't have access to server logs. I think therefore I have to contact my provider. Nevertheless, I found in the FAQ of my provider how to provide my own php.ini. I tried it and it worked so far. `phpinfo()` shows me `magic_quotes_gpc` as off. So I tried my first test and I also get `\'`, but for my forms only one time. I thought this would be eliminated? – testing Nov 09 '11 at 17:56
  • It is the second case I mentioned, I believe. You are using some function that adds these slashes. – Your Common Sense Nov 09 '11 at 18:07
  • I have to test it more, but the only special thing I do is the function (for each) I added in my question. – testing Nov 09 '11 at 18:12
  • I think the problematic function comes from TYPO3. The PHP script is embedded on a page of TYPO3. The parameters are parsed from index.php to the designated page. Now I think I would only make a `str_replace` to clear out the quotes ... – testing Nov 09 '11 at 19:18
-1

Use stripslashes to remove PHP's formatting of your data before storing it.

$text = stripslashes($_POST['data']);
Jim H.
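An added example, not code from the question or from either answer: it removes one layer of added slashes at the input boundary, and only when magic quotes is actually on, then encodes the value for each output context (redirect URL, hidden field) so that quotes survive repeated round trips. The helper names, the `comment` field and `form.php` are assumptions made for illustration.

```php
<?php
// Added example; helper names, 'comment' and 'form.php' are hypothetical.

// Remove exactly one layer of backslash escaping, recursing into arrays.
function strip_one_layer($value) {
    return is_array($value)
        ? array_map('strip_one_layer', $value)
        : stripslashes($value);
}

// Undo magic_quotes_gpc only if the feature exists and is enabled, so
// input that was never escaped is not damaged (e.g. a literal backslash).
function normalize_input(array $input) {
    $magic = function_exists('get_magic_quotes_gpc') && @get_magic_quotes_gpc();
    return $magic ? strip_one_layer($input) : $input;
}

// Build the redirect back to the form. http_build_query() percent-encodes
// every key and value, so quotes, '&' and '=' cannot corrupt the query.
function build_redirect($referer, array $fields) {
    return $referer . '?' . http_build_query(array('error' => 1) + $fields);
}

// Escape a value for use inside a hidden input's value attribute.
function hidden_field($name, $value) {
    return sprintf('<input type="hidden" name="%s" value="%s">',
        htmlspecialchars($name, ENT_QUOTES, 'UTF-8'),
        htmlspecialchars($value, ENT_QUOTES, 'UTF-8'));
}

// Constructed sample: the value as it arrives with one layer of slashes.
$escaped = array('comment' => "text \\'textinquotes\\'");
$clean   = strip_one_layer($escaped);   // in a real script: normalize_input($_POST)

$url = build_redirect('form.php', $clean);
parse_str(parse_url($url, PHP_URL_QUERY), $roundTrip);

echo $clean['comment'], "\n";           // value after removing one layer
echo $url, "\n";                        // encoded redirect target
echo $roundTrip['comment'], "\n";       // value as the form script receives it
echo hidden_field('comment', $roundTrip['comment']), "\n";
```

If a framework in front of the script adds its own slashes, as suspected for TYPO3 in the comments, `normalize_input()` will not detect that layer; the unescaping then has to happen once, at the point where that framework hands over the parameters.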