
PHP - characters escaping in form data

Changed in the newer versions of PHP?

6:46 am on Jul 17, 2002 (gmt 0)

New User

10+ Year Member

joined:July 4, 2002
posts:16
votes: 0


Hi everybody,

I've been running a couple of PHP sites for a while now that have a lot of form pages for users to input content into a MySQL DB.

When I first built the site, I implemented some routine functions to escape strings coming from forms (ie. turn ' into \', etc) for DB input, and unescape them for browser display.

It seemed to work for quite a while. Recently though, I've been noticing that _sometimes_ it seems that the form text I am submitting is already being escaped, and so it's getting double escaped when it goes through my function.

I end up with compounded escapes that look like:
Their\\\\\\\\\\\'s
and
it\\\\\\\\'s

Any ideas anybody?

Cheers.

8:33 am on July 17, 2002 (gmt 0)

Preferred Member

10+ Year Member

joined:Sept 20, 2001
posts:478
votes: 0


Has magic quotes been added to your php setup?
8:37 am on July 17, 2002 (gmt 0)

Senior Member

nick_w (WebmasterWorld Senior Member, Top Contributor of All Time, 10+ Year Member)

joined:Feb 4, 2002
posts:5044
votes: 0


I'd say that you're probably to blame somewhere with those functions. I've done this exact same thing myself a few times.

Usually turns out to be that you're not stripslashes()'ing the data at some point and then re-inserting/updating your DB.

Go through the code with a fine tooth comb. The answer is more than likely there ;)

Nick

5:31 pm on July 17, 2002 (gmt 0)

New User

10+ Year Member

joined:July 4, 2002
posts:16
votes: 0


Thanks for the quick replies SmallTime and Nick_W.

I've looked into what you suggested, and think that it must have to do with the "magic_quotes" value, only I can't really find a description of exactly what that does. To test, I've set up a quick script as follows:

<html lang="en">
<head></head>
<body>
<!-- Reads the script path and the submitted field from $_SERVER and $_POST
     rather than relying on register_globals ($PHP_SELF, $test, $submit_form). -->
<form action="<?php echo htmlspecialchars($_SERVER['PHP_SELF']); ?>" method="post">
<input type="text" name="test" size="20">
<input type="submit" name="submit_form" value="Submit">
</form>
<?php
// Echo the submitted value untouched so any slashes added by magic_quotes_gpc
// stay visible; htmlspecialchars() keeps the backslashes but stops the value
// from being rendered as HTML.
if (isset($_POST['submit_form'])) echo "<br>" . htmlspecialchars($_POST['test']);
?>
</body>
</html>

When I run this, and enter "test's" in the form input field, I get "test\'s" as the response. What this is telling me is that the form data submitted is being escaped (add slashes, whatever you call it) without even doing anything with it in PHP. Is that what magic_quotes does?? Or I've wondered if it is somehow just my browser doing that, because I'm not getting any reports from my users about problems....

...and of course if that is the cause, I am going to have to go back over my code to edit it.

Thanks again..

5:48 pm on July 17, 2002 (gmt 0)

Preferred Member

10+ Year Member

joined:Apr 17, 2002
posts:601
votes: 0



<html lang="en">
<head></head>
<body>
<!-- Same form as above, reading from $_SERVER and $_POST instead of
     register_globals ($PHP_SELF, $test, $submit_form). -->
<form action="<?php echo htmlspecialchars($_SERVER['PHP_SELF']); ?>" method="post">
<input type="text" name="test" size="20">
<input type="submit" name="submit_form" value="Submit">
</form>
<?php
if (isset($_POST['submit_form'])) {
    // stripslashes() undoes the one layer of escaping that magic_quotes_gpc
    // added on submit; htmlspecialchars() then escapes for the HTML context.
    echo htmlspecialchars(stripslashes($_POST['test']));
}
?>
</body>
</html>

That removes the slashes; this is what Nick was suggesting. So when you go to output your test, wrap it in stripslashes().
8:00 pm on July 17, 2002 (gmt 0)

Moderator

ergophobe (WebmasterWorld Administrator, Top Contributor of All Time, 10+ Year Member, Top Contributors Of The Month)

joined:Apr 25, 2002
posts:8471
votes: 222


cbooth,

for more on magic_quotes, see

[php.net...]

Actually, to save you the effort, here's the relevant stuff from that page...

magic_quotes_gpc boolean

Sets the magic_quotes state for GPC (Get/Post/Cookie) operations. When magic_quotes are on, all ' (single-quote), " (double quote), \ (backslash) and NUL's are escaped with a backslash automatically. If magic_quotes_sybase is also on, a single-quote is escaped with a single-quote instead of a backslash.

magic_quotes_runtime boolean

If magic_quotes_runtime is enabled, most functions that return data from any sort of external source including databases and text files will have quotes escaped with a backslash. If magic_quotes_sybase is also on, a single-quote is escaped with a single-quote instead of a backslash.

magic_quotes_sybase boolean

If magic_quotes_sybase is also on, a single-quote is escaped with a single-quote instead of a backslash if magic_quotes_gpc or magic_quotes_runtime is enabled.
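The following script is an added example, not code from this thread or from php.net. It ties together Nick's diagnosis (re-escaping data that was never stripslashes()'d), the stripslashes() answer, and the magic_quotes_gpc description quoted above: it reproduces the compounded backslashes, shows a helper that returns the raw typed text whether or not magic_quotes_gpc is on, and stores the value with a bound parameter so the application never escapes it by hand. It assumes PHP 5.x (magic quotes were removed in PHP 5.4, and get_magic_quotes_gpc() is gone in PHP 8, hence the function_exists() guard) and the PDO SQLite driver, used here for an in-memory database in place of the thread's MySQL. The function names and the sample input "it's" are constructed for the example.

```php
<?php
// Added example (not from the thread). Assumes PHP 5.x plus the PDO SQLite
// driver; the constructed input mimics the "it's" value from the first post.

/* Apply addslashes() $n times. One pass stands for magic_quotes_gpc itself;
   each further pass stands for a site routine that escapes again without
   calling stripslashes() first. */
function compound_escape($typed, $n) {
    $s = $typed;
    for ($i = 0; $i < $n; $i++) {
        $s = addslashes($s);
    }
    return $s;
}

/* True when the running interpreter has magic_quotes_gpc enabled. The @ hides
   the deprecation notice PHP 7.4 emits for this call. */
function magic_quotes_on() {
    return function_exists('get_magic_quotes_gpc') && @get_magic_quotes_gpc();
}

/* Undo magic_quotes_gpc exactly once so callers always see what was typed.
   $magicOn may be forced for testing; nested arrays (name="x[]") are handled. */
function raw_input($value, $magicOn = null) {
    if ($magicOn === null) {
        $magicOn = magic_quotes_on();
    }
    if (is_array($value)) {
        $out = array();
        foreach ($value as $k => $v) {
            $out[$k] = raw_input($v, $magicOn);
        }
        return $out;
    }
    return $magicOn ? stripslashes($value) : $value;
}

/* Store and read back a value using a bound parameter. The driver handles
   quoting; no addslashes() or stripslashes() is needed on the SQL side. */
function store_and_fetch(PDO $db, $text) {
    $db->exec('CREATE TABLE IF NOT EXISTS notes (id INTEGER PRIMARY KEY, body TEXT)');
    $ins = $db->prepare('INSERT INTO notes (body) VALUES (:body)');
    $ins->execute(array(':body' => $text));
    $sel = $db->prepare('SELECT body FROM notes WHERE id = :id');
    $sel->execute(array(':id' => $db->lastInsertId()));
    return $sel->fetchColumn();
}

// 1. Why the compounded escapes appear: the backslash count grows each pass.
$typed = "it's";
foreach (array(1, 2, 3) as $passes) {
    echo $passes . " pass(es): " . compound_escape($typed, $passes) . "\n";
}

// 2. A constructed POST body as it would arrive with magic_quotes_gpc on
//    (addslashes() applied by PHP before the script ever sees it).
$simulatedPost = array('test' => addslashes($typed));
$clean = raw_input($simulatedPost['test'], true);   // force the "on" path
echo "raw input: $clean\n";

// 3. Round trip through the database with a bound parameter.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$back = store_and_fetch($db, $clean);
echo "round trip: $back\n";
var_dump($back === $typed);

// 4. Escaping for the browser is a separate step from escaping for SQL.
echo htmlspecialchars($back, ENT_QUOTES, 'UTF-8') . "\n";
```

The three compound_escape() lines show one, three and seven backslashes before the quote, because every pass doubles the existing backslashes and adds one more for the quote; that is the mechanism behind the compounded strings in the first post. raw_input() is the one place the magic_quotes_gpc setting is consulted, so the rest of the code can treat input as raw text and leave SQL quoting to the bound parameter and HTML quoting to htmlspecialchars().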
