Why is PHP double escaping this string?

Question

I have an issue that has something to do with the version of PHP.

Here is the raw string passed into the url:

?path=/2013/6/14/1371207330-SBM1_Today\'s Touch Strongsville.xls

In PHP 5.3.21, when I echo $_GET['path'], it returns (wrong):

/2013/6/14/1371207330-SBM1_Today\\\'s Touch Strongsville.xls

In PHP 5.3.15, it returns the correct version (correct):

/2013/6/14/1371207330-SBM1_Today\'s Touch Strongsville.xls

How do I fix this so that the later version of PHP doesn't add the additional escaping?

For Future Readers

The error had nothing to do with the version of PHP, but rather the configuration of two different php installations. In my case, my local version had a php.ini config with magic_quotes off, while the customers shared hosting provider (HostGator) had it turned on.

Answer 1

This was (see comment by IMSoP) one of the horrible features of PHP. It's called "magic quotes" and can be enabled and disabled in the configuration file. Here's an article on disabling it.

In short, put this into your php.ini:

; Magic quotes for incoming GET/POST/Cookie data.
magic_quotes_gpc = Off

; Magic quotes for runtime-generated data, e.g. data from SQL, from exec(), etc.
magic_quotes_runtime = Off

; Use Sybase-style magic quotes (escape ' with '' instead of \').
magic_quotes_sybase = Off

Answer 2

check if you have magic quotes turned on:

get_magic_quotes_gpc();

If this function returns true then that's the problem, you have to turn it off in php.ini http://php.net/manual/en/security.magicquotes.php