rjray

Reputation: 6653

Baffled by PHP escaping of double-quotes in HTML forms

I have a simple PHP script I use to front-end an SQLite database. It's nothing fancy or complex. But I have noticed from looking at the records in the database that anything I enter in a form-field with double-quotes comes across in the form-processing as though I'd escaped the quotes with a backslash. So when I entered a record with the title:

British Light Utility Car 10HP "Tilly"

what shows up in the database is:

British Light Utility Car 10HP \"Tilly\"

I don't know where these are coming from, and what's worse, even using the following preg_replace doesn't seem to remove them:

$name = preg_replace('/\\"/', '"', $_REQUEST['kits_name']);

If I dump out $name, it still bears the unwanted \ characters.

Upvotes: 3

Views: 285

Answers (5)

Your Common Sense

Reputation: 157839

Well because of lack of good answers.
As they said above, it is because magic quotes are on.
You have to get rid of these slashes before inserting your data. So, to get rid of it you can use either .htaccess (if any) with these settings

php_flag magic_quotes_gpc 0
php_flag magic_quotes_runtime 0

or make it manually, with code like this

if ( get_magic_quotes_gpc( ) ) {
  $_GET = array_map_recursive('stripslashes', $_GET) ;
  $_POST = array_map_recursive('stripslashes', $_POST) ;
  $_COOKIE = array_map_recursive('stripslashes', $_COOKIE) ;
  $_REQUEST = array_map_recursive('stripslashes', $_REQUEST) ;
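  // stripslashes() returns the cleaned string, so assign the result back
  if (isset($_SERVER['PHP_AUTH_USER'])) $_SERVER['PHP_AUTH_USER'] = stripslashes($_SERVER['PHP_AUTH_USER']);
  if (isset($_SERVER['PHP_AUTH_PW'])) $_SERVER['PHP_AUTH_PW'] = stripslashes($_SERVER['PHP_AUTH_PW']);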
}

If your PHP version doesn't support the array_map_recursive function, you can use a recursive function like this one

function strips(&$el) { 
  if (is_array($el)) 
    foreach($el as $k=>$v) 
      strips($el[$k]); 
  else $el = stripslashes($el); 
} 

or write your own one. You can use this code to cleanse your existing data.

As for

If I dump out $name, it still bears the unwanted \ characters.

it may be the result of wrong use of the htmlspecialchars function

Upvotes: 0
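
Added example, not code from any poster in this thread: it shows why the pattern in the question removes nothing, then stores the unescaped title through a PDO prepared statement and escapes it only when printing HTML. The sample input is constructed, and the in-memory database, the `kits` table layout and the `raw_input_value()` helper are assumptions.

```php
<?php
// Constructed sample: the title from the question as it arrives with
// magic_quotes_gpc on (each \\ in this literal is one backslash).
$submitted = 'British Light Utility Car 10HP \\"Tilly\\"';

// The question's pattern. PHP reduces \\ to one backslash, so PCRE receives
// \" (an escaped quote) and matches the quote alone; no backslash is removed.
$asker = preg_replace('/\\"/', '"', $submitted);
var_dump($asker === $submitted);

// Four backslashes in the source give PCRE \\ (a literal backslash) before ".
$fixed = preg_replace('/\\\\"/', '"', $submitted);

// Hypothetical helper: undo magic quotes only where the setting still exists
// and is on. get_magic_quotes_gpc() was removed in PHP 8.
function raw_input_value($value)
{
    if (function_exists('get_magic_quotes_gpc') && @get_magic_quotes_gpc()) {
        return stripslashes($value);
    }
    return $value;
}

// On a live request: $title = raw_input_value($_REQUEST['kits_name']);
// The constructed sample always carries the slashes, so strip it directly.
$title = stripslashes($submitted);
var_dump($title === $fixed);

// Store the raw title with a bound parameter; the driver handles quoting,
// so no escaping characters are written into the row.
$db = new PDO('sqlite::memory:');               // assumption: in-memory database
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE kits (name TEXT)');     // assumption: table layout
$stmt = $db->prepare('INSERT INTO kits (name) VALUES (:name)');
$stmt->execute(array(':name' => $title));

// Escape only at output time, for the context the value is printed into.
$stored = $db->query('SELECT name FROM kits')->fetchColumn();
echo $stored, "\n";
echo htmlspecialchars($stored, ENT_QUOTES, 'UTF-8'), "\n";
```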

Sarfraz

Reputation: 382656

You have most probably magic_quotes_gpc set to on in php.ini. If you want to avoid that and use your own regex, make a check like this:

if (get_magic_quotes_gpc())
{
   $mytext = stripslashes($your_text);
}

// and your further code....

Upvotes: 5

Ben Rowe

Reputation: 28691

This means your server has magic_quotes_gpc enabled.

You can use ini_set() to disable this setting, or you can create a method to filter the $_REQUEST values:

function getRequest($key)
{
  $val = $_REQUEST[$key];
  if(get_magic_quotes_gpc() == 1) {
    $val = stripslashes($val);
  }
  return $val;
}

echo getRequest('kits_name');

Upvotes: 3

webbiedave

Reputation: 48897

You probably have magic quotes turned on.

You should disable these as it's bad practice and is deprecated.

View this doc to learn how to disable them.

Upvotes: 2

Billy ONeal

Reputation: 106530

Is it possible magic quotes are enabled on the server?

Upvotes: 2
