
PHP - characters escaping in form data

Changed in the newer versions of PHP?

6:46 am on Jul 17, 2002 (gmt 0)

Hi everybody,

I've been running a couple of PHP sites for a while now that have a lot of form pages for users to input content into a MySQL DB.

When I first built the site, I implemented some routine functions to escape strings coming from forms (i.e. turn ' into \', etc.) for DB input, and unescape them for browser display.

It seemed to work for quite a while. Recently though, I've been noticing that _sometimes_ it seems that the form text I am submitting is already being escaped, and so it's getting double escaped when it goes through my function.

I end up with compounded escapes that look like:
Their\\\\\\\\\\\'s
and
it\\\\\\\\'s

Any ideas anybody?

Cheers.

8:33 am on Jul 17, 2002 (gmt 0)

Has magic quotes been added to your php setup?
8:37 am on Jul 17, 2002 (gmt 0)

nick_w

I'd say that you're probably to blame somewhere with those functions. I've done this exact same thing myself a few times.

Usually turns out to be that you're not stripslashes()'ing the data at some point and then re-inserting/updating your DB.

Go through the code with a fine tooth comb. The answer is more than likely there ;)

Nick

5:31 pm on Jul 17, 2002 (gmt 0)

Thanks for the quick replies SmallTime and Nick_W.

I've looked into what you suggested, and think that it must have to do with the "magic_quotes" value, only I can't really find a description of exactly what that does. To test, I've set up a quick script as follows:

<html lang="en">
<head></head>
<body>
<form action="<?php echo htmlspecialchars($_SERVER['PHP_SELF']); ?>" method="post">
<input type="text" name="test" size="20">
<input type="submit" name="submit_form" value="Submit">
</form>
<?php
// Read the fields from $_POST instead of the register_globals variables
// ($submit_form, $test) that the original script relied on.
if (isset($_POST['submit_form'])) {
    // htmlspecialchars() keeps the submitted text from being rendered as HTML;
    // any backslash added by magic_quotes_gpc is still visible in the output.
    echo "<br>" . htmlspecialchars($_POST['test']);
}
?>
</body>
</html>

When I run this, and enter "test's" in the form input field, I get "test\'s" as the response. What this is telling me is that the form data submitted is being escaped (add slashes, whatever you call it) without even doing anything with it in PHP. Is that what magic_quotes does? Or I've wondered if it is somehow just my browser doing that, because I'm not getting any reports from my users about problems...

...and of course if that is the cause, I am going to have to go back over my code to edit it.

Thanks again..

5:48 pm on Jul 17, 2002 (gmt 0)

<html lang="en">
<head></head>
<body>
<form action="<?php echo htmlspecialchars($_SERVER['PHP_SELF']); ?>" method="post">
<input type="text" name="test" size="20">
<input type="submit" name="submit_form" value="Submit">
</form>
<?php
// Read the fields from $_POST instead of the register_globals variables
// ($submit_form, $test) that the original script relied on.
if (isset($_POST['submit_form'])) {
    // stripslashes() undoes the backslashes that magic_quotes_gpc added;
    // htmlspecialchars() then makes the text safe to place in the page.
    echo htmlspecialchars(stripslashes($_POST['test']));
}
?>
</body>
</html>

That removes the slashes; this is what Nick was suggesting. So when you go to output your test, wrap it in stripslashes().
8:00 pm on Jul 17, 2002 (gmt 0)

ergophobe

cbooth,

for more on magic_quotes, see

[php.net...]

Actually, to save you the effort, here's the relevant stuff from that page...

``````````
magic_quotes_gpc boolean

Sets the magic_quotes state for GPC (Get/Post/Cookie) operations. When magic_quotes are on, all ' (single-quote), " (double quote), \ (backslash) and NUL's are escaped with a backslash automatically. If magic_quotes_sybase is also on, a single-quote is escaped with a single-quote instead of a backslash.

magic_quotes_runtime boolean

If magic_quotes_runtime is enabled, most functions that return data from any sort of external source including databases and text files will have quotes escaped with a backslash. If magic_quotes_sybase is also on, a single-quote is escaped with a single-quote instead of a backslash.

magic_quotes_sybase boolean

If magic_quotes_sybase is also on, a single-quote is escaped with a single-quote instead of a backslash if magic_quotes_gpc or magic_quotes_runtime is enabled.
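As an added example (not code from the thread, and not from the php.net page quoted above), the script below models the edit/save cycle the first post describes and shows why the backslashes compound: magic_quotes_gpc escapes the input once on arrival, the site's own routine escapes it again, and each re-save of the displayed value repeats the process. It also shows the one-time normalisation that undoes magic quotes at the input boundary and the prepared-statement insert that removes the need for an addslashes() step altogether. The function names, the `comments` table and the sample input "it's" are assumptions made for the example.

```php
<?php
// Added example (not code from the thread): model the compounding escape
// problem described above and the one-time normalisation that prevents it.
// Function names, the `comments` table and the sample input are assumptions.

// Undo magic_quotes_gpc when the runtime applied it. get_magic_quotes_gpc()
// exists through PHP 7.4 (always false from 5.4, when the feature was removed)
// and is gone in PHP 8, hence the function_exists() guard.
function magic_quotes_active(): bool
{
    return function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc();
}

// Recursively strip the slashes magic quotes added, leaving nested arrays intact.
function undo_magic_quotes($value)
{
    return is_array($value) ? array_map('undo_magic_quotes', $value) : stripslashes($value);
}

// Read $_POST exactly once, in one place, so the rest of the code sees raw text.
function normalised_post(): array
{
    return magic_quotes_active() ? undo_magic_quotes($_POST) : $_POST;
}

// Model one edit/save/redisplay cycle of the poster's setup:
//   1. the browser submits the text; magic_quotes_gpc may addslashes() it;
//   2. the app either undoes that or trusts the value as received;
//   3. the app's own routine escapes once for the SQL literal (addslashes-style);
//   4. MySQL parses the literal, removing one level of escaping
//      (stripslashes() stands in for the SQL parser in this model);
//   5. the stored value is shown in an edit form and submitted again.
function simulate_edit_cycles(string $typed, bool $magicOn, bool $normalise, int $cycles): string
{
    $current = $typed;
    $stored = $typed;
    for ($i = 0; $i < $cycles; $i++) {
        $received = $magicOn ? addslashes($current) : $current;
        $clean = ($magicOn && $normalise) ? stripslashes($received) : $received;
        $escaped = addslashes($clean);
        $stored = stripslashes($escaped);
        $current = $stored;
    }
    return $stored;
}

// The boundary that removes the problem entirely: a prepared statement sends
// the value separately from the SQL text, so no addslashes() step is needed.
// Not called in the offline demo below because it needs a live mysqli connection.
function insert_comment(mysqli $db, string $body): bool
{
    $stmt = $db->prepare('INSERT INTO comments (body) VALUES (?)');
    if ($stmt === false) {
        return false;
    }
    $stmt->bind_param('s', $body);
    return $stmt->execute();
}

// Constructed sample input; three configurations, three save cycles each.
$typed = "it's";
foreach ([[false, false], [true, false], [true, true]] as [$magicOn, $normalise]) {
    $out = simulate_edit_cycles($typed, $magicOn, $normalise, 3);
    printf(
        "magic_quotes_gpc=%s normalise=%s -> %s (%d backslashes)\n",
        $magicOn ? 'on' : 'off',
        $normalise ? 'yes' : 'no',
        $out,
        substr_count($out, '\\')
    );
}
```

Run from the command line, the first configuration (magic quotes off) and the third (magic quotes on, input normalised once) return the text unchanged after every cycle, while the second (magic quotes on, nothing stripped) grows the backslash count as 1, 3, 7 over three cycles, which is the compounding pattern in the first post. On any PHP from 5.4 on, magic quotes no longer exist and the guard is a no-op; the durable fix on those versions is the prepared statement, which never needs the value escaped into the SQL text at all.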