For example
I use
$content = nl2br($_POST['content']);
and when I type in something like this in my form
"I'll be going to the office today"
It'll return
"I\'ll be going to the office today"
Is there a way I can remove the \'s? or am I using the nl2br function wrong?
nl2br() does no such thing! You have magic quotes on. Turn them off.
I'm guessing you're getting information via a POST or GET; try something like this:
<?php
if (get_magic_quotes_gpc()) {
    $process = array(&$_GET, &$_POST, &$_COOKIE, &$_REQUEST);
    while (list($key, $val) = each($process)) {
        foreach ($val as $k => $v) {
            unset($process[$key][$k]);
            if (is_array($v)) {
                $process[$key][stripslashes($k)] = $v;
                $process[] = &$process[$key][stripslashes($k)];
            } else {
                $process[$key][stripslashes($k)] = stripslashes($v);
            }
        }
    }
    unset($process);
}
?>
More information on the PHP manual
Try to use stripslashes( $content ).
for example:
$value_array = array("fu" => "bar", "banana" => "apple");
for example:
echo $value_array["fu"]; # output will be bar
Okay, I have this value:
$value = "fuu:bar:12:apple";
Okay, I'd like to parse the $value and write the "bar" value to the screen, but I don't know how I can do this job.
umm, why delimit by :? It'd be a lot easier with fuu:bar;12:apple but to go with what you have...
$value = explode(':',$value);
$values = array();
foreach ($value as $k => $v) {
    if ($k %2 != 0)
        $values[$value[($k - 1)]] = $v;
}
Try using explode function.
$bar_val = explode(":", $value);
echo $bar_val[1];
Demo: http://codepad.org/pyoyfk8n
I'm really confused here, can someone explain this to me?
request:
http://example.com/test.php?var=String's
$a = $_GET["var"];
$b = "String's";
echo $a . "<br/>";
echo $b . "<br/>";
$output = mysql_real_escape_string($a);
$output = mysql_real_escape_string($b);
echo "<hr/>";
echo $a . "<br/>";
echo $b . "<br/>";
result:
String\'s
String's
----------------
String\'s
String's
Could someone explain to me not only why my GET variable is being transformed like this, but how I can remove this behavior such that my input is exactly as it was sent? I'm having an issue where my SQL wrapper passes this through mysql_real_escape_string() and ends up being String\\\'s :(
It's called "magic quotes".
You can and should disable magic quotes.
preferred mode
set them off in php.ini
.htaccess mode
add this to your htaccess file
php_flag magic_quotes_gpc off
php5 runtime mode
<?php
if (get_magic_quotes_gpc()) {
    function stripslashes_gpc(&$value)
    {
        $value = stripslashes($value);
    }
    array_walk_recursive($_GET, 'stripslashes_gpc');
    array_walk_recursive($_POST, 'stripslashes_gpc');
    array_walk_recursive($_COOKIE, 'stripslashes_gpc');
    array_walk_recursive($_REQUEST, 'stripslashes_gpc');
}
?>
php4 runtime mode
<?php
if (get_magic_quotes_gpc()) {
    $process = array(&$_GET, &$_POST, &$_COOKIE, &$_REQUEST);
    while (list($key, $val) = each($process)) {
        foreach ($val as $k => $v) {
            unset($process[$key][$k]);
            if (is_array($v)) {
                $process[$key][stripslashes($k)] = $v;
                $process[] = &$process[$key][stripslashes($k)];
            } else {
                $process[$key][stripslashes($k)] = stripslashes($v);
            }
        }
    }
    unset($process);
}
?>
Welcome to the magic_quotes hater's club! :)
You probably have magic quotes turned on. This automatically escapes GET, POST and COOKIE data. Magic quotes is bad and should not be relied upon to properly escape data.
If you have access to php.ini, you can turn magic quotes off.
If you don't, you can run stripslashes on the data to remove the slashes. In order to make your code portable, you should first check get_magic_quotes_gpc() to see if it is turned on and only then run stripslashes. In this way, if you move your code to a server that has magic quotes turned off, your code will still work.
if(get_magic_quotes_gpc()) {
    $a = stripslashes($_GET["var"]);
}
else $a = $_GET["var"];
So basically when I type something with an apostrophe, such as John's bike it will echo John\'s bike. The code below:
<?php
$searchname = $_POST["name"] ;
echo "$searchname";
My form uses the POST method. Is there any way to stop this?
Also to make input case insensitive how would I go about in this segment?
$searchsport = $_POST['sport'];
$sportarray = array(
    "Football" => "Fb01",
    "Cricket" => "ck32",
    "Tennis" => "Tn43",
);
if(isset($sportarray[$searchsport])){
    header("Location: ".$sportarray[$searchsport].".html");
    die;
}
//what code is needed to make the if statement work? I've looked up some weird ways such as using array_change_key_case (which I clearly don't understand).
This is most likely because you have magic quotes turned on, try this:
if (get_magic_quotes_gpc())
{
    $searchname = stripslashes($_POST["name"]);
    echo "$searchname";
}
else
{
    $searchname = $_POST["name"];
    echo "$searchname";
}
In fact, you could create a function instead to do it automatically for you:
function fixIt($str)
{
    if (is_array($str))
    {
        foreach ($str as &$value)
        {
            $value = fixIt($value);
        }
        return $str;
    }
    else
    {
        return stripslashes($str);
    }
}
And then you can simply do:
$searchname = fixIt($_POST["name"]);
echo $searchname;
Note: You can also disable the ugly magic quotes from php.ini as they are problematic and rightly deprecated and out of the future versions of PHP.
There are a few ways.
Turn off magic_quotes_gpc in php.ini
magic_quotes_gpc = 0
In the beginning of the request, run stripslashes
if (get_magic_quotes_gpc() && !function_exists('FixMagicQuotesGpc')) {
    function FixMagicQuotesGpc($data) {
        if (is_array($data)) {
            foreach ($data as &$value) {
                $value = FixMagicQuotesGpc($value);
            }
            return $data;
        } else {
            return stripslashes($data);
        }
    }
    $_GET = FixMagicQuotesGpc($_GET);
    $_POST = FixMagicQuotesGpc($_POST);
    $_REQUEST = FixMagicQuotesGpc($_REQUEST);
}
EDIT: Added the !function_exists part. This way, you don't need to worry if you ran it before, it'll just skip it if it's already been run (by another file, etc)
This is controlled by the magic_quotes_gpc configuration variable. It really is annoying (and deprecated!).
You should turn it off in php.ini, or ask your web host if they can do something about it.
If they can't, you can use addslashes and stripslashes to manually escape/un-escape. Beware, though - you should use something more secure than addslashes for submitting to a database. mysql_real_escape_string is a better option, or the function specific to your database:
mysqli_escape_string
sqlite_escape_string
a bigger list
I include the following script within my config file to fix magic quotes if necessary. That way I don't have to worry about the magic quotes settings of the host.
<?php
set_magic_quotes_runtime(0);
function _remove_magic_quotes(&$input) {
    if(is_array($input)) {
        foreach(array_keys($input) as $key) _remove_magic_quotes($input[$key]);
    }
    else $input = stripslashes($input);
}
if(get_magic_quotes_gpc()) {
    _remove_magic_quotes($_REQUEST);
    _remove_magic_quotes($_GET);
    _remove_magic_quotes($_POST);
    _remove_magic_quotes($_COOKIE);
}
return true;
?>
Magic Quotes... I'll be so happy when PHP 6 finally arrives and removes this monster of incompatibility.
The best solution is to turn it off in php.ini by setting
magic_quotes_gpc = Off
If you don't have access to php.ini but are using Apache, you can also disable it in an .htaccess file:
php_flag magic_quotes_gpc Off
The last ditch scenario is to disable it in your application. The PHP Manual's Disabling Magic Quotes page suggests using this:
<?php
if (get_magic_quotes_gpc()) {
    $process = array(&$_GET, &$_POST, &$_COOKIE, &$_REQUEST);
    while (list($key, $val) = each($process)) {
        foreach ($val as $k => $v) {
            unset($process[$key][$k]);
            if (is_array($v)) {
                $process[$key][stripslashes($k)] = $v;
                $process[] = &$process[$key][stripslashes($k)];
            } else {
                $process[$key][stripslashes($k)] = stripslashes($v);
            }
        }
    }
    unset($process);
}
?>
As you know when Magic Quotes are ON, single quotes are escaped in values and also in keys. Most solutions to remove Magic Quotes at runtime only unescape values, not keys. I'm seeking a solution that will unescape keys and values...
I found out on PHP.net this piece of code:
$process = array(&$_GET, &$_POST, &$_COOKIE, &$_REQUEST);
while (list($key, $val) = each($process))
{
    foreach ($val as $k => $v)
    {
        unset($process[$key][$k]);
        if (is_array($v))
        {
            $process[$key][stripslashes($k)] = $v;
            $process[] = &$process[$key][stripslashes($k)];
        }
        else
        {
            $process[$key][stripslashes($k)] = stripslashes($v);
        }
    }
}
unset($process);
But I don't like "&" references and arrays as I got bugs like this one in the past...
Is there a "better" way to unescape Magic Quotes (keys and values) at runtime than the one above?
I think this is a little cleaner and avoids reference bugs:
function unMagicQuotify($ar) {
    $fixed = array();
    foreach ($ar as $key=>$val) {
        if (is_array($val)) {
            $fixed[stripslashes($key)] = unMagicQuotify($val);
        } else {
            $fixed[stripslashes($key)] = stripslashes($val);
        }
    }
    return $fixed;
}
$process = array($_GET,$_POST,$_COOKIE,$_REQUEST);
$fixed = array();
foreach ($process as $index=>$glob) {
    $fixed[$index] = unMagicQuotify($glob);
}
list($_GET,$_POST,$_COOKIE,$_REQUEST) = $fixed;
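function strip_value(&$v) { $v = stripslashes($v); } // array_walk_recursive() only changes values through a by-reference callback
array_walk_recursive($_POST, 'strip_value');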
Do the same for GET and COOKIE.
I'm writing an app that needs to be portable. I know I should disable magic quotes on the PHP configuration but in this case I don't know if I can do that, so I'm using the following code:
if (get_magic_quotes_gpc() === 1)
{
    $process = array(&$_GET, &$_POST, &$_COOKIE, &$_REQUEST);
    while (list($key, $val) = each($process))
    {
        foreach ($val as $k => $v)
        {
            unset($process[$key][$k]);
            if (is_array($v))
            {
                $process[$key][stripslashes($k)] = $v;
                $process[] = &$process[$key][stripslashes($k)];
            }
            else
            {
                $process[$key][stripslashes($k)] = stripslashes($v);
            }
        }
    }
    unset($process);
}
To simplify the process of disabling magic quotes I had the following idea:
if (get_magic_quotes_gpc() === 1)
{
    foreach (array('GET', 'POST', 'COOKIE', 'REQUEST') as $array)
    {
        ${'_'.$array} = unserialize(stripslashes(serialize(${'_'.$array})));
    }
}
But I tried and I got an error I'm unable to understand, for instance with ?name=O'Reilly:
serialize($_GET); // a:1:{s:4:"name";s:9:"O\'Reilly";}
stripslashes(serialize($_GET)); // a:1:{s:4:"name";s:9:"O'Reilly";}
But unserialize(stripslashes(serialize($_GET))) gives me this weird error:
Notice: unserialize(): Error at offset 30 of 32 bytes
EDIT: Due to the length attribute in serialize() I changed the code to use JSON functions:
if (get_magic_quotes_gpc() === 1)
{
    foreach (array('GET', 'POST', 'COOKIE', 'REQUEST') as $array)
    {
        ${'_' . $array} = json_decode(stripslashes(json_encode(${'_' . $array})), true);
    }
}
However, now the $_GET array is coming up empty. Can anyone explain to me why?
I don't think the second version will work. Serialized strings are stored along with their length, if you are removing characters, you would need to update that length value. I would rather implement it this way to improve readability:
function strip_slashes_recursive(&$value) {
    if (!is_array($value)) {
        $value = stripslashes($value);
    } else {
        foreach (array_keys($value) as $key) {
            // Unescape the element in place, then move it to the unescaped key.
            strip_slashes_recursive($value[$key]);
            $arrayValue = $value[$key];
            unset($value[$key]);
            $value[stripslashes($key)] = $arrayValue;
        }
    }
}
foreach (array(&$_GET, &$_POST, &$_COOKIE, &$_REQUEST) as &$array) {
    strip_slashes_recursive($array);
}
// don't forget to unset references or it can lead to very nasty bugs
unset($array);
Solved it, I had to use the JSON_HEX_APOS flag in json_encode():
if (get_magic_quotes_gpc() === 1)
{
    $_GET = json_decode(stripslashes(json_encode($_GET, JSON_HEX_APOS)), true);
}
Before (mqgpc.php?name[got'cha]=O'Reilly):
Array
(
[name] => Array
(
[got\'cha] => O\'Reilly
)
)
After (mqgpc.php?name[got'cha]=O'Reilly):
Array
(
[name] => Array
(
[got'cha] => O'Reilly
)
)
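Why the serialize() and plain json_encode() round trips above fail, and what the JSON_HEX_APOS variant does to values containing line breaks or non-ASCII characters (an added example, not code from the original posts). It assumes addslashes() as a stand-in for magic_quotes_gpc, which current PHP no longer has; simulate_magic_quotes(), unescape_recursive() and the sample data are constructed for the illustration.

```php
<?php
// Added illustration. addslashes() stands in for magic_quotes_gpc; the function
// names and the sample data below are constructed, not taken from the posts.
function simulate_magic_quotes(array $in): array {
    $out = array();
    foreach ($in as $k => $v) {
        $out[addslashes((string) $k)] = is_array($v) ? simulate_magic_quotes($v) : addslashes($v);
    }
    return $out;
}

// Reference result: unescape every key and every value exactly once.
function unescape_recursive(array $in): array {
    $out = array();
    foreach ($in as $k => $v) {
        $out[stripslashes((string) $k)] = is_array($v) ? unescape_recursive($v) : stripslashes($v);
    }
    return $out;
}

// Constructed input: an apostrophe in a key and a value, a line break, a non-ASCII character.
$sent = array(
    'name' => array("got'cha" => "O'Reilly"),
    'note' => "line one\nline two",
    'city' => "Z\u{fc}rich",
);
$received = simulate_magic_quotes($sent);

// 1) serialize(): the s:9 length prefix still counts the backslash that was removed,
//    so the 8-byte string no longer matches its prefix and unserialize() fails.
$broken = stripslashes(serialize(simulate_magic_quotes(array('name' => "O'Reilly"))));
var_dump($broken, @unserialize($broken));

// 2) json_encode() without flags: the escaped backslash collapses to \' after
//    stripslashes(), which is not a valid JSON escape, so json_decode() returns null.
var_dump(json_decode(stripslashes(json_encode($received)), true));

// 3) JSON_HEX_APOS: apostrophes survive as \u0027, but stripslashes() also removes
//    the backslash of every other JSON escape, such as \n and \u00fc.
$hex = json_decode(stripslashes(json_encode($received, JSON_HEX_APOS)), true);
var_dump($hex['name']["got'cha"]);    // apostrophes are restored
var_dump($hex['note'], $hex['city']); // line break and non-ASCII character are altered

// 4) The recursive key-and-value unescape reproduces exactly what was sent.
var_dump(unescape_recursive($received) === $sent);
```

Only the recursive unescape in step 4 reproduces the input byte for byte; the JSON_HEX_APOS round trip in step 3 silently changes any value whose JSON form contains an escape other than the apostrophe.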
I usually solve that problem this way:
function smagic($params){
    // Magic quotes off: nothing to undo, return the input unchanged.
    if(!get_magic_quotes_gpc())
        return $params;
    if(!is_array($params))
        return stripslashes($params);
    else
        return array_combine( array_map('stripslashes',array_keys($params)), array_map('smagic',array_values($params)) );
}
And then, for $_GET:
$_GET = smagic($_GET);