Why do double quotes from the url get escaped into php?

Question

I am GETting the url test.php?value=%22hello%22 and when I print out the value it shows \"hello\" and $_REQUEST['value'][0] is \. Why? How do I fix this (correctly)?

Answer 1

If you can't guarantee the environment to allow reconfiguration, you could use this reusable code to recursively dig through $_GET, $_POST arrays and clean them up with stripslashes:

class de_slasher {

    function recursive_stripslashes($a) {
        $b = array();
        foreach( $a as $k => $v ) {
            $k = stripslashes($k);
            if( is_array($v) ) {
                $b[$k] = $this->recursive_stripslashes($v);
            } else {
                $b[$k] = stripslashes($v);
            }
        }
        return($b);
    }

    function check_and_fix_magic_quotes( &$array ) {
        if( get_magic_quotes_gpc() ) {
            $array = $this->recursive_stripslashes( $array );
        }
    }

    function __construct( $auto = false ) {
        if( $auto === true ) {
            $this->check_and_fix_magic_quotes( $_POST );
            $this->check_and_fix_magic_quotes( $_GET );
        }
    }
}

To use, simply include the class, and invoke $slasher = new de_slasher(true); to automatically clean up $_GET and $_POST. This only happens if magic quotes setting is on. If you instantiate the class without the 'true' parameter, then you can selectively deep-filter any array:

$my_array = array( "name" => "Herbert\'s Apple" );
$slasher = new de_slasher();
$slasher->check_and_fix_magic_quotes( $my_array );

Answer 2

The most likely reason is that you have magic quotes turned on. You should:

• Upgrade to PHP 5.4 or
• disable them in your PHP configuration file or
• disable them in your Apache configuration (same link) or
• (last resort) test to see if they are turned on and then run stripslashes over the input.