user2229472

Reputation: 509

$_POST and $_GET convert quote( ' ) to backslash + quote ( \' )

I have this code:

<?php  
echo $_GET['user'];
?>

<html >
<head>


</head>
<body>
<form method = "GET"  action="file.php">
    <input type = "text" name = "user"><br> 
    <input type = "submit" value ="submit"><br>
</form>
</body>
</html>  

When I type ' in the textbox it prints out \' instead of '.
For example, if I type 'hello' it prints out \'hello\'.
So how can I fix that?

Upvotes: 6

Views: 721

Answers (5)

mpyw

Reputation: 5754

You should call this function first.
You don't have to care about backslashes anymore, regardless of your php.ini settings.

function gpc_clean() {

    if (get_magic_quotes_gpc()) {

        $arr = array();
        if (isset($_GET))    $arr[] =& $_GET;
        if (isset($_POST))   $arr[] =& $_POST;
        if (isset($_COOKIE)) $arr[] =& $_COOKIE;
        array_walk_recursive($arr, function (&$v) {
            $v = stripslashes($v);
        });

    }

}

Upvotes: 3

Adder

Reputation: 5868

Use this code to have it work regardless of whether the feature is turned on or off:

function remove_magic_quotes($input) {
    if(get_magic_quotes_gpc()) $input= stripslashes($input);
    return $input;
}

Upvotes: 2

hek2mgl

Reputation: 157967

The slashes were added because you have magic_quotes_gpc=On in your php.ini. Note that this feature is deprecated and you should turn it off in your php.ini. It was a former security feature but you should not rely on it. Instead write code for yourself that validates all inputs and use prepared statements when you pass inputs to SQL queries or use escapeshellarg() if you pass inputs to shell scripts.

However, use stripslashes() to remove the slashes:

echo stripslashes($_GET['user']);

Upvotes: 13
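
The handling that answer recommends, as an added example that is not part of the original answers: undo magic quotes once where the legacy setting can still be active, then treat the value per output context. The helper name `raw_input_value`, the sample value, and the `users` table are hypothetical, and the `pdo_sqlite` extension is assumed to be available.

```php
<?php
// Added example (not from the original answers).
// Assumes the pdo_sqlite extension; names and sample data are constructed.

// Hypothetical helper: strip the slashes magic quotes added, but only on
// PHP versions where the setting exists (it was removed in PHP 5.4).
function raw_input_value($value)
{
    if (PHP_VERSION_ID < 50400 && get_magic_quotes_gpc()) {
        return stripslashes($value);
    }
    return $value;
}

// Constructed sample standing in for $_GET['user'].
$user = raw_input_value("O'Reilly <b>hello</b>");

// SQL context: a prepared statement sends the value as bound data,
// so the quote needs no backslash and is stored exactly as typed.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (name TEXT)');
$stmt = $db->prepare('INSERT INTO users (name) VALUES (:name)');
$stmt->execute(array(':name' => $user));
$stored = $db->query('SELECT name FROM users')->fetchColumn();

// HTML context: encode on output so quotes and tags render as text.
echo htmlspecialchars($stored, ENT_QUOTES, 'UTF-8'), "\n";

// Shell context: quote the value as a single argument before it is
// placed on a command line (printed here, not executed).
echo escapeshellarg($stored), "\n";
```

The stored value and the HTML output contain the quote without a backslash, which is the behaviour the question asks for, while each context still receives its own escaping.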

curious_coder

Reputation: 2458

echo stripslashes($_GET['user']);

Upvotes: 2

che

Reputation: 12263

It looks like you have magic quotes set in your PHP interpreter. They can be turned off via ini setting.

Upvotes: 5
