PHP: Apostrophes being escaped automatically on form submit??

What the hey?

I have found that when I submit a form with a text box that contains a string that includes an apostrophe ('), when the string is printed on the submit page that apostrophe is escaped (\')! I didn't tell it to do that as I am not going to be storing this data in a database so why would I want them escaped?

Can someone please tell me why PHP is doing this, it is infuriating.

I whipped up a test page to illustrate, just enter a string with an apostrophe into one or both of the boxes and hit Submit. Then press submit again and watch them grow!:

Code:
<html>
<body>
<form name="mainForm" id="mainForm" method="post" action="test.php"><br>
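<?php // htmlspecialchars() stops echoed input from breaking out of the textarea or the value attribute ?>
<textarea name="body" rows="8" style="width: 450px;"><?php if (isset($_POST['body'])) echo htmlspecialchars($_POST['body'], ENT_QUOTES); ?></textarea><br>
<input name="subject" id="subject" type="text" style="width: 450px;" value="<?php if (isset($_POST['subject'])) echo htmlspecialchars($_POST['subject'], ENT_QUOTES); ?>"><br>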
<input type="submit" value="submit">
</form>
</body>
</html>
 
Beansprout said:
Welcome to magic_quotes(), the most retarded feature of PHP (or was that register_globals) :D

You need to run everything through stripslashes to fix (undo) it :)

Wow, thanks php you've just made more work for me! :mad:

I can't believe it's all so that flids who can't code properly don't expose their worthless little mysql database that only holds titles of their dvd collection! Wonderful.
 
Beansprout said:
You can disable it through php.ini if it's your own server :)

Or you can put this in a globally-included file:

Code:
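<?php
// Recursively undo the backslashes that magic_quotes_gpc added to request data.
function remove_magic_quotes($array) {
    foreach ($array as $k => $v) {
        if (is_array($v)) {
            // Nested input such as name="field[]" arrives as an array.
            $array[$k] = remove_magic_quotes($v);
        } else {
            $array[$k] = stripslashes($v);
        }
    }
    return $array;
}
// get_magic_quotes_gpc() no longer exists in PHP 8, so check for it before calling it.
if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
    $_GET    = remove_magic_quotes($_GET);
    $_POST   = remove_magic_quotes($_POST);
    $_COOKIE = remove_magic_quotes($_COOKIE);
}
?>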
Courtesy of robmiller :cool:

It's not my server, I'm on tsohost. Will that work if I add the code to a file that's included on my submit page?
 
Beansprout said:
Yup. remove_magic_quotes() will loop through and correct all the values of an array, and the three lines below it clean $_GET, $_POST (both form methods - you're using post so you only really need that, but should you change to get I guarantee you'll forget to add the line back in :D) and $_COOKIE input respectively :)

Cool, thanks dude, I've added it. Just out of interest, if I were to then insert these values into a db, presumably I should run addslashes() on all strings that are to be inserted, right?
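
Added example, not part of the thread or any poster's code: it replays the submit-and-echo cycle discussed above without a web server, showing the backslashes growing when nothing is stripped and staying stable when the request data is stripped, then escapes the raw value per output context (htmlspecialchars() for HTML, a bound parameter for SQL). Assumptions: simulate_submit() stands in for magic_quotes_gpc by calling addslashes(), the dvds table and the sample input are constructed, and the pdo_sqlite extension is available.

```php
<?php
// Stand-in for one form POST on a server with magic_quotes_gpc enabled
// (the feature was removed in PHP 5.4): every request value gets addslashes().
function simulate_submit(array $form): array {
    return array_map('addslashes', $form);
}

// Same idea as the thread's remove_magic_quotes(): undo the automatic escaping.
function strip_request(array $data): array {
    foreach ($data as $k => $v) {
        $data[$k] = is_array($v) ? strip_request($v) : stripslashes($v);
    }
    return $data;
}

$form = ['subject' => "Bob's DVD"];          // constructed sample input

// Without stripping, every echo-and-resubmit cycle adds more backslashes.
$grown = $form;
for ($i = 1; $i <= 3; $i++) {
    $grown = simulate_submit($grown);
    echo "unstripped, submit $i: {$grown['subject']}\n";
}

// With stripping on each request, the value stays stable.
$clean = $form;
for ($i = 1; $i <= 3; $i++) {
    $clean = strip_request(simulate_submit($clean));
}
echo "stripped, submit 3:   {$clean['subject']}\n";

// Escape for the output context at the point of use, starting from the raw value.
// HTML output: htmlspecialchars(). SQL: a bound parameter, no manual escaping.
echo 'html attribute:       ',
     htmlspecialchars($clean['subject'], ENT_QUOTES, 'UTF-8'), "\n";

$db = new PDO('sqlite::memory:');            // assumes the pdo_sqlite extension
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE dvds (title TEXT)'); // hypothetical table
$stmt = $db->prepare('INSERT INTO dvds (title) VALUES (:title)');
$stmt->execute([':title' => $clean['subject']]);
echo 'stored in db:         ',
     $db->query('SELECT title FROM dvds')->fetchColumn(), "\n";
```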
 