PHP Server Side Scripting Forum
PHP - characters escaping in form data
Changed in the newer versions of PHP?
cbooth7575
msg:1261519
6:46 am on Jul 17, 2002 (gmt 0)

Hi everybody,

I've been running a couple of PHP sites for a while now that have a lot of form pages for users to input content into a MySQL DB.

When I first built the site, I implemented some routine functions to escape strings coming from forms (i.e. turn ' into \', etc.) for DB input, and unescape them for browser display.

It seemed to work for quite a while. Recently though, I've been noticing that _sometimes_ it seems that the form text I am submitting is already being escaped, and so it's getting double escaped when it goes through my function.

I end up with compounded escapes that look like:
Their\\\\\\\\\\\'s
and
it\\\\\\\\'s

Any ideas anybody?

Cheers.

SmallTime
msg:1261520
8:33 am on Jul 17, 2002 (gmt 0)

Has magic quotes been added to your php setup?

Nick_W
msg:1261521
8:37 am on Jul 17, 2002 (gmt 0)

I'd say that you're probably to blame somewhere with those functions. I've done this exact same thing myself a few times.

Usually turns out to be that you're not stripslashes()'ing the data at some point and then re-inserting/updating your DB.

Go through the code with a fine tooth comb. The answer is more than likely there ;)

Nick

cbooth7575
msg:1261522
5:31 pm on Jul 17, 2002 (gmt 0)

Thanks for the quick replies SmallTime and Nick_W.

I've looked into what you suggested, and think that it must have to do with the "magic_quotes" value, only I can't really find a description of exactly what that does. To test, I've set up a quick script as follows:

<html lang="en">
<head></head>
<body>
<!-- $PHP_SELF, $test and $submit_form relied on register_globals in 2002-era PHP;
     the superglobals used below are the equivalent on any PHP version. -->
<form action="<?= htmlspecialchars($_SERVER['PHP_SELF']) ?>" method="post">
<input type="text" name="test" size="20">
<input type="submit" name="submit_form" value="Submit">
</form>
<?php
// Echo the submitted value exactly as the script received it, so any
// backslashes added by magic_quotes_gpc become visible in the response.
if (isset($_POST['submit_form'])) echo "<br>" . htmlspecialchars($_POST['test'] ?? '');
?>
</body>
</html>

When I run this, and enter "test's" in the form input field, I get "test\'s" as the response. What this is telling me is that the form data submitted is being escaped (add slashes, whatever you call it) without even doing anything with it in PHP. Is that what magic_quotes does? Or I've wondered if it is somehow just my browser doing that, because I'm not getting any reports from my users about problems...

...and of course if that is the cause, I am going to have to go back over my code to edit it.

Thanks again..

Knowles
msg:1261523
5:48 pm on Jul 17, 2002 (gmt 0)


<html lang="en">
<head></head>
<body>
<!-- Same script as above, with register_globals variables replaced by superglobals. -->
<form action="<?= htmlspecialchars($_SERVER['PHP_SELF']) ?>" method="post">
<input type="text" name="test" size="20">
<input type="submit" name="submit_form" value="Submit">
</form>
<?php
if (isset($_POST['submit_form'])) {
    // stripslashes() removes the backslashes that magic_quotes_gpc added on the way in.
    echo htmlspecialchars(stripslashes($_POST['test'] ?? ''));
}
?>
</body>
</html>

That removes the slashes; this is what Nick was suggesting. So when you go to output your test, wrap it in stripslashes().

ergophobe
msg:1261524
8:00 pm on Jul 17, 2002 (gmt 0)

cbooth,

for more on magic_quotes, see

[php.net...]

Actually, to save you the effort, here's the relevant stuff from that page...

``````````
magic_quotes_gpc boolean

Sets the magic_quotes state for GPC (Get/Post/Cookie) operations. When magic_quotes are on, all ' (single-quote), " (double quote), \ (backslash) and NUL's are escaped with a backslash automatically. If magic_quotes_sybase is also on, a single-quote is escaped with a single-quote instead of a backslash.

magic_quotes_runtime boolean

If magic_quotes_runtime is enabled, most functions that return data from any sort of external source including databases and text files will have quotes escaped with a backslash. If magic_quotes_sybase is also on, a single-quote is escaped with a single-quote instead of a backslash.

magic_quotes_sybase boolean

If magic_quotes_sybase is also on, a single-quote is escaped with a single-quote instead of a backslash if magic_quotes_gpc or magic_quotes_runtime is enabled.
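The compounding backslashes described in the first post, and the magic_quotes_gpc behaviour quoted above, reproduced in an added PHP example that is not code from this thread or from php.net. Its assumptions: magic_quotes_gpc is simulated with addslashes() rather than read from a real PHP 4 setup; the SQL layer is simulated with stripslashes(), since a backslash-escaped string literal loses exactly one level of escaping when the parser stores it; normalize_gpc(), edit_resave_cycles() and the other function names are this example's own; and the PDO/SQLite part runs only if the pdo_sqlite extension is loaded.

```php
<?php
declare(strict_types=1);

// Added example, not code from the thread. It reproduces the compounding
// backslashes the original poster describes and shows a normalisation step
// that makes form handling independent of the magic_quotes_gpc setting.

// What magic_quotes_gpc=On did to every GET/POST/COOKIE value before the
// script saw it: ', ", \ and NUL prefixed with a backslash (same as addslashes()).
function simulate_magic_quotes_gpc(string $raw): string
{
    return addslashes($raw);
}

// Undo magic quotes only if they were actually applied. $magicOn = null
// means "ask the running interpreter"; on PHP >= 5.4 the ini option no
// longer exists, ini_get() returns false, and the value passes through.
function normalize_gpc(string $value, ?bool $magicOn = null): string
{
    if ($magicOn === null) {
        $magicOn = filter_var((string) ini_get('magic_quotes_gpc'), FILTER_VALIDATE_BOOLEAN);
    }
    return $magicOn ? stripslashes($value) : $value;
}

// Approximation (assumption of this example) of what the SQL parser does to
// a backslash-escaped literal: one level of escaping is consumed, the rest
// of the bytes are stored verbatim.
function simulate_db_store(string $escapedLiteral): string
{
    return stripslashes($escapedLiteral);
}

// One "load into edit form, resubmit, addslashes(), save" cycle, repeated
// $cycles times. Returns the value the database holds at the end.
function edit_resave_cycles(string $raw, bool $magicOn, bool $normalize, int $cycles): string
{
    $stored = $raw;
    for ($i = 0; $i < $cycles; $i++) {
        $submitted = $magicOn ? simulate_magic_quotes_gpc($stored) : $stored;
        if ($normalize) {
            $submitted = normalize_gpc($submitted, $magicOn);
        }
        // The poster's escape-for-DB step, then the database consuming it.
        $stored = simulate_db_store(addslashes($submitted));
    }
    return $stored;
}

// With a parameterised query the driver handles quoting, so no
// addslashes()/stripslashes() pair is needed at all. Needs pdo_sqlite.
function store_with_bound_parameter(string $value): ?string
{
    if (!extension_loaded('pdo_sqlite')) {
        return null;
    }
    $pdo = new PDO('sqlite::memory:');
    $pdo->exec('CREATE TABLE t (v TEXT)');
    $stmt = $pdo->prepare('INSERT INTO t (v) VALUES (:v)');
    $stmt->execute([':v' => $value]);
    return (string) $pdo->query('SELECT v FROM t')->fetchColumn();
}

$input = "it's";   // constructed sample input
printf("magic on,  no fix:     %s\n", edit_resave_cycles($input, true, false, 3));
printf("magic on,  normalized: %s\n", edit_resave_cycles($input, true, true, 3));
printf("magic off, no fix:     %s\n", edit_resave_cycles($input, false, false, 3));
printf("bound parameter:       %s\n", store_with_bound_parameter($input) ?? '(pdo_sqlite not available)');
```

Run it with `php example.php`. Without the fix, and with magic quotes on, the stored value gains backslashes on every edit-and-resave cycle (1, then 3, then 7 before the apostrophe), which is the growth pattern behind strings like the ones in the first post; with normalize_gpc() placed before the escape step the value stays `it's` whether magic quotes are on or off, and the bound parameter stores it verbatim with no manual escaping at all, which is the form of the fix to prefer once the magic_quotes dependency has been removed.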
