Karem

Reputation: 18103

' " turns out as \' and \"

So I have a field you can type in. After you type, you press OK, and it sends an Ajax call to save.php, which inserts into the database (with PHP) and then outputs what you have typed. The Ajax call's success handler then grabs the output and alerts it (success: function(msg){ alert(msg) }). The response is in HTML.

It works well until I use ' or " in the field. For example, if I write 'asdadsasd" it turns out as \'asdadsasd\". How can I fix this?

Don't know if it matters, but in save.php I have:

header("Cache-Control: no-cache, must-revalidate"); // HTTP/1.1
header("Expires: Sat, 26 Jul 1997 05:00:00 GMT"); // Date in the past
header('Content-type: text/html; charset=utf-8');

And it outputs the message like this:

echo htmlspecialchars(strip_tags($message), ENT_QUOTES, 'utf-8'); 

Upvotes: 4

Views: 105

Answers (4)

Will Vousden

Reputation: 33348

This is most likely due to PHP's exceptionally helpful irritating "magic quotes" feature. Magic quotes automatically inserts slashes before single and double quotes in incoming data provided by the user agent (i.e. in $_GET, $_POST, and $_COOKIE, or "GPC") in a vague attempt at providing some security for those who don't realize the hazards of unescaped user input.

As a matter of course, you should always check for magic quotes using get_magic_quotes_gpc before you attempt to use any GPC data. If it's enabled, simply call stripslashes on your input before using it.

I use something similar to this at the beginning of any script I write:

function cleanInput($input)
{
    if (is_array($input))
    {
        foreach ($input as &$value)
        {
            $value = cleanInput($value);
        }

        return $input;
    }
    else
    {
        return stripslashes($input);
    }
}

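// get_magic_quotes_gpc() was removed in PHP 8.0, so check that it exists first.
if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc())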
{
    $_GET = cleanInput($_GET);
    $_POST = cleanInput($_POST);
    $_COOKIE = cleanInput($_COOKIE);
    $_REQUEST = cleanInput($_REQUEST);
}

Upvotes: 2
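
The approach in this answer, carried through the question's save.php flow (undo magic quotes once at input, bind the value when storing, escape for HTML only on output), as an added example that is not part of the original answer. The helper names `undoMagicQuotes` and `magicQuotesActive`, the `$simulate` flag, the `messages` table and the in-memory SQLite database (requires the pdo_sqlite extension) are assumptions made for the demonstration.

```php
<?php
// Constructed sample: what $_POST would hold with magic quotes on after the
// user typed  'asdadsasd"  (addslashes() reproduces the same escaping).
$typed = '\'asdadsasd"';
$post  = array('message' => addslashes($typed));   // now \'asdadsasd\"

// Strip magic-quotes escaping recursively, leaving non-strings untouched.
function undoMagicQuotes($input)
{
    if (is_array($input)) {
        return array_map('undoMagicQuotes', $input);
    }
    return is_string($input) ? stripslashes($input) : $input;
}

// The feature was removed in PHP 5.4 and the function itself in PHP 8.0,
// so only call it where it still exists (@ hides the 7.4 deprecation notice).
function magicQuotesActive()
{
    return function_exists('get_magic_quotes_gpc') && @get_magic_quotes_gpc();
}

// 1. Normalise input once, at the edge of the script.
$simulate = true;   // hypothetical flag: forces the branch on modern PHP
if ($simulate || magicQuotesActive()) {
    $post = undoMagicQuotes($post);
}

// 2. Store the raw value with a bound parameter. Magic quotes was never a
//    reliable SQL defence; the placeholder is what keeps quotes harmless.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE messages (body TEXT)');
$stmt = $pdo->prepare('INSERT INTO messages (body) VALUES (?)');
$stmt->execute(array($post['message']));

// 3. Escape for the HTML context only when writing the response.
$stored = $pdo->query('SELECT body FROM messages')->fetchColumn();
echo htmlspecialchars($stored, ENT_QUOTES, 'UTF-8'), "\n";

// The stored value is exactly what the user typed, with no added slashes.
var_dump($stored === $typed);
```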

Rahul Chordiya

Reputation: 542

Use stripslashes.

Upvotes: 1

MatTheCat

Reputation: 18721

It's because of the ENT_QUOTES option; I'll let you check: http://php.net/manual/en/function.htmlentities.php

EDIT: I forgot about the slashes. Do you have magic_quotes activated?

Upvotes: 1

mpen

Reputation: 282825

Try calling stripslashes on it. I think it adds slashes when it's posted/sent via ajax.

Upvotes: 1
