PHP: Apostrophes being escaped automatically on form submit??

What the hey?

I have found that when I submit a form with a text box that contains a string that includes an apostrophe ('), when the string is printed on the submit page that apostrophe is escaped (\')! I didn't tell it to do that, and as I am not going to be storing this data in a database, why would I want them escaped?

Can someone please tell me why PHP is doing this; it is infuriating.

I whipped up a test page to illustrate: just enter a string with an apostrophe into one or both of the boxes and hit Submit. Then press Submit again and watch them grow!

Code:
<html>
<body>
<form name="mainForm" id="mainForm" method="post" action="test.php"><br>
<!-- Values are HTML-encoded on output so a quote or tag in the input cannot break out of the textarea or the value attribute.
     The backslashes added by magic_quotes are not touched, so the growth on each resubmit is still visible. -->
<textarea name="body" rows="8" style="width: 450px;"><?php if (isset($_POST['body'])) echo htmlspecialchars($_POST['body'], ENT_QUOTES); ?></textarea><br>
<input name="subject" id="subject" type="text" style="width: 450px;" value="<?php if (isset($_POST['subject'])) echo htmlspecialchars($_POST['subject'], ENT_QUOTES); ?>"><br>
<input type="submit" value="submit">
</form>
</body>
</html>
 
Beansprout said:
Welcome to magic_quotes(), the most retarded feature of PHP (or was that register_globals) :D

You need to run everything through stripslashes to fix (undo) it :)

Wow, thanks php you've just made more work for me! :mad:

I can't believe it's all so that flids who can't code properly don't expose their worthless little mysql database that only holds the titles of their DVD collection! Wonderful.
 
nero120 said:
Wow, thanks php you've just made more work for me! :mad:

I can't believe it's all so that flids who can't code properly don't expose their worthless little mysql database that only holds the titles of their DVD collection! Wonderful.
You can disable it through php.ini if it's your own server :)

Or you can put this in a globally-included file:

Code:
<?php
// Undo magic_quotes_gpc once, at request start, so every script sees the
// data exactly as the browser sent it. Recurses because PHP builds nested
// arrays from field names like field[a][b].
function remove_magic_quotes($array) {
    foreach ($array as $k => $v) {
        if (is_array($v)) {
            $array[$k] = remove_magic_quotes($v);
        } else {
            $array[$k] = stripslashes($v);
        }
    }
    return $array;
}
// Only strip when the flag is actually on; stripping unslashed input would
// eat backslashes the user typed. (get_magic_quotes_gpc() was removed in
// PHP 8.0, so guard the call with function_exists() on mixed-version hosts.)
if (get_magic_quotes_gpc()) {
    $_GET    = remove_magic_quotes($_GET);
    $_POST   = remove_magic_quotes($_POST);
    $_COOKIE = remove_magic_quotes($_COOKIE);
}
?>
Courtesy of robmiller :cool:
 
Beansprout said:
You can disable it through php.ini if it's your own server :)

Or you can put this in a globally-included file:

Code:
<?php
function remove_magic_quotes($array) {
    foreach ($array as $k => $v) {
        if (is_array($v)) {
            $array[$k] = remove_magic_quotes($v);
        } else {
            $array[$k] = stripslashes($v);
        }
    }
    return $array;
}
if (get_magic_quotes_gpc()) {
    $_GET    = remove_magic_quotes($_GET);
    $_POST   = remove_magic_quotes($_POST);
    $_COOKIE = remove_magic_quotes($_COOKIE);
}
?>
Courtesy of robmiller :cool:

It's not my server, I'm on tsohost. Will that work if I add the code to a file that's included on my submit page?
 
nero120 said:
It's not my server, I'm on tsohost. Will that work if I add the code to a file that's included on my submit page?
Yup. remove_magic_quotes() will loop through and correct all the values of an array, and the three lines below it clean $_GET, $_POST (both form methods - you're using post so you only really need that, but should you change to get I guarantee you'll forget to add the line back in :D) and $_COOKIE input respectively :)
 
Beansprout said:
Yup. remove_magic_quotes() will loop through and correct all the values of an array, and the three lines below it clean $_GET, $_POST (both form methods - you're using post so you only really need that, but should you change to get I guarantee you'll forget to add the line back in :D) and $_COOKIE input respectively :)

Cool, thanks dude, I've added it. Just out of interest, if I were to then insert these values into a db, presumably I should run addslashes() on all strings that are to be inserted, right?
 
nero120 said:
Cool, thanks dude, I've added it. Just out of interest, if I were to then insert these values into a db, presumably I should run addslashes() on all strings that are to be inserted, right?
Harhar! So near :D

www.php.net/mysql_real_escape_string is specifically designed to escape the right bits and bobs and should be used around all variables which will be sent to a database :)
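The script below is an added example, not code from this thread. It reproduces by hand what magic_quotes_gpc did to form input (the flag was removed in PHP 5.4, so the simulation lets it run on current PHP), shows why the OP's test page grows backslashes on every submit, then shows the three separate steps a form handler actually needs: undo magic quotes once at entry, HTML-encode on output, and bind values with a prepared statement on the way into the database. The input values are constructed; the PDO sqlite driver is assumed to be available and stands in for MySQL; prepared statements are used as the modern replacement for mysql_real_escape_string, which needed a live MySQL connection and was removed in PHP 7.

```php
<?php
// Added example, not from the thread. Simulates magic_quotes_gpc so the
// double-escaping effect can be seen on any PHP version, then shows where
// each kind of escaping belongs. Needs the PDO sqlite driver for the last part.

// Constructed input, exactly as the browser would POST it.
$original = ['subject' => "O'Reilly's \"Guide\"", 'body' => "It's fine"];

// magic_quotes_gpc ran addslashes() over every GET/POST/COOKIE value before
// the script started. This reproduces that step.
function simulate_magic_quotes(array $a): array
{
    foreach ($a as $k => $v) {
        $a[$k] = is_array($v) ? simulate_magic_quotes($v) : addslashes($v);
    }
    return $a;
}

// The undo step from the thread (recursive stripslashes). Unconditional here
// because we know the data was slashed; real code keeps the
// get_magic_quotes_gpc() check so it only runs where the flag is on.
function strip_slashes_deep(array $a): array
{
    foreach ($a as $k => $v) {
        $a[$k] = is_array($v) ? strip_slashes_deep($v) : stripslashes($v);
    }
    return $a;
}

// Output encoding for HTML: keeps quotes and tags in the input from breaking
// out of the textarea or value attribute. Independent of magic_quotes.
function html_attr(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES, 'UTF-8');
}

// Round trip 1: the thread's test page. The slashed value is echoed back into
// the form untouched, the browser resubmits that literal text, and the server
// slashes it again, so the backslashes double on every submit.
$post = $original;
for ($round = 1; $round <= 3; $round++) {
    $post = simulate_magic_quotes($post);   // what $_POST looks like on arrival
    printf("naive round %d: %s\n", $round, $post['subject']);
}

// Round trip 2: undo once at entry, encode on output. The value is stable.
$post = $original;
for ($round = 1; $round <= 3; $round++) {
    $arrived = simulate_magic_quotes($post);
    $clean   = strip_slashes_deep($arrived);
    $html    = html_attr($clean['subject']);
    printf("fixed round %d: value=\"%s\"\n", $round, $html);
    // The browser decodes the entities when rendering the form, so what it
    // resubmits is the decoded text: the original, unchanged.
    $post = [
        'subject' => html_entity_decode($html, ENT_QUOTES, 'UTF-8'),
        'body'    => $clean['body'],
    ];
}
assert($post === $original);

// Into the database: neither addslashes() nor HTML encoding is the right tool.
// Bind the value with a prepared statement; the driver handles quoting for
// the connection's charset. SQLite in memory stands in for MySQL here.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE posts (subject TEXT, body TEXT)');
$stmt = $db->prepare('INSERT INTO posts (subject, body) VALUES (:subject, :body)');
$stmt->execute([':subject' => $post['subject'], ':body' => $post['body']]);
$stored = $db->query('SELECT subject FROM posts')->fetchColumn();
assert($stored === $original['subject']);
echo "stored intact: $stored\n";
```

The three concerns stay separate on purpose: the magic_quotes undo is a one-off correction of a runtime quirk, HTML encoding belongs at the point of output, and database quoting belongs to the database layer. Doing any of them globally at the top of the script, as the thread's later posts point out, is what made magic_quotes a problem in the first place.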
 
Beansprout said:
You can disable it through php.ini if it's your own server :)

Or you can put this in a globally-included file:

Code:
<?php
function remove_magic_quotes($array) {
    foreach ($array as $k => $v) {
        if (is_array($v)) {
            $array[$k] = remove_magic_quotes($v);
        } else {
            $array[$k] = stripslashes($v);
        }
    }
    return $array;
}
if (get_magic_quotes_gpc()) {
    $_GET    = remove_magic_quotes($_GET);
    $_POST   = remove_magic_quotes($_POST);
    $_COOKIE = remove_magic_quotes($_COOKIE);
}
?>
Courtesy of robmiller :cool:
You should put the if() in the function.

Even better still... only stripslashes on items you want to use instead of anything and everything.

Code:
<?php

// Per-value variant: the get_magic_quotes_gpc() check lives inside the
// function, so the caller applies it only to the inputs it actually uses.
function remove_magic_quotes($val)
{
    if (get_magic_quotes_gpc()) {
        $val = stripslashes($val);
    }

    return $val;
}

// Example call; $string stands for any single GPC value, e.g. $_POST['subject'].
$string = remove_magic_quotes($string);

?>

Portability ***.
 
Beansprout said:
/blames rob

It doesn't really matter either way, especially since it's a global include.

Dj_Jestar said:
Even better still.. only stripslashes on items you want to use instead of anything and everything.

I was always of the attitude that it's better to just reverse everything Magic Quotes adds so you're on an equal playing field regardless of whether Magic Quotes is on or not, but 'tever floats thine boat :)
 
I'm a pedant for 'superfluous' code (in quotes because it is, of course, opinion what is superfluous or not; my definition is either dup'd code, or code that performs unnecessary actions, such as modifying data/variables I am not going to use)

:p

PHP6 will see the removal of magic_quotes at last (along with register_globals) :)
 
Testing soon reminds you, and with magic_quotes being the number one peeve for most php'ers it's not hard to identify within seconds. :)

'Tis just like escaping data: you just need to remember to do it, and it doesn't mean you should escape everything :)
 
Escaping is different, though. It annoys me when people mysql_real_escape_string all input at the top of their script - it's just as bad as Magic Quotes. Removing Magic Quotes is a whole different matter and is, imo, more useful when it's an unconscious process, implicit in your code rather than something you have to do manually.
 
Just turn it off. You can do it in a .htaccess if you don't have access to your virtualhost/php.ini.

Code:
php_flag magic_quotes_gpc off
If you really need maximum portability (i.e. for hosts that don't Allow Overrides), then the runtime undo-magicquotes function is a fair backup choice. I code as if it never existed - but then I know where my code's going to reside.
 
Augmented said:
but then I know where my code's going to reside.

If only we all had that luxury
 