Escaping problem - php

I send this string in a GET request
{"foo":[{"bo1":"*","bob":"*"}]}
but get it in PHP as
{\"foo\":[{\"bo1\":\"*\",\"bob\":"\*\"}]}
How do I get it as {"foo":[{"bo1":"*","bob":"*"}]} sending it as part of a query string (or how do I send it via GET method to get it properly)? (Note: I cannot clean it as I have no control over server side.)

Disable magic_quotes: it's deprecated. If you can't, you can always use stripslashes on the input:
$goodStr = stripslashes($_GET['badStr']);

Your PHP config has magic_quotes_gpc enabled, which causes automatic escaping of quotes and double quotes in all _GET, _POST, and _COOKIE superglobals.
If you do not need it, turn it off. If you do, then you should probably rewrite the code which relies on this behaviour, as it is deprecated and will be removed in future versions of PHP.
You should turn it off in php.ini if possible.
Anyway, if you, for some reason, cannot turn this off, just use stripslashes($your_json);

If the server runs on Apache, create a file called .htaccess in the site root (the leading period is part of the filename). Put the following code in the file:
php_flag magic_quotes_gpc Off
Otherwise, you'll need to use stripslashes() every time.

Related

JSON format lost in PHP

When I send json data from action script 3 to php using URLVariables, the json string changes and cannot be used as json inside php. How to prevent this happening? Or how to fix it?
trace from Flash (send method POST, variable name myObject):
[{"data1":"value1","data2":"value2",...},{...},...]
echo $_POST['myObject'] from PHP:
[{\"data1\":\"value1\",\"data2\":\"value2\",...},{...},...]
echo json_decode($_POST['myObject']) from PHP is nothing, and var_dump(json_decode($_POST['myObject'])) gives:
NULL
The server automatically escapes the POST data (as I remember, it is an option in php.ini).
To unescape, use the stripslashes function, and then decode your string ;)
json_decode(stripslashes($_POST['myObject']));
Based on #therefromhere's comment, a better solution is to set magic_quotes_gpc off.
You can do this if you have a root access for the server, or you have permission to set php flags at runtime.
Here is some help for this:
http://php.net/manual/en/security.magicquotes.disabling.php
Based on #nl-x's comment, if you want to solve this problem independently of your server configuration:
$myObject = get_magic_quotes_gpc() ? //Examine: is magic quotes gpc on?
stripslashes($_POST['myObject']) : //if true: unescape the string
$_POST['myObject']; //if false, do nothing
json_decode($myObject);
//When php 5.3 or earlier installed on server
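
The conditional unescape described in the answers above, as an added example that is not part of the original posts (needs PHP 7 or later). addslashes() stands in for magic_quotes_gpc, the helper names are hypothetical, and all values are constructed; the second half shows what a blanket stripslashes() does to valid data when magic quotes are off.

```php
<?php
// Added example; all values are constructed. addslashes() simulates what
// magic_quotes_gpc does to request data (the PHP manual calls them identical).

// Hypothetical helper: strip slashes only if magic quotes actually added them.
// On PHP 5.3 or earlier the flag would come from get_magic_quotes_gpc().
function undo_magic_quotes(string $raw, bool $magicQuotesOn): string
{
    return $magicQuotesOn ? stripslashes($raw) : $raw;
}

// Hypothetical helper: decode a JSON request parameter, failing loudly
// instead of passing NULL on to the rest of the script.
function decode_json_param(string $raw, bool $magicQuotesOn): array
{
    $data = json_decode(undo_magic_quotes($raw, $magicQuotesOn), true);
    if (!is_array($data)) {
        throw new InvalidArgumentException('invalid JSON: ' . json_last_error_msg());
    }
    return $data;
}

$sent     = '{"foo":[{"bo1":"*","bob":"*"}]}';
$received = addslashes($sent);   // what the script sees with magic quotes on

echo "escaped form decodes to: ";
var_dump(json_decode($received));   // the failure described in the questions
echo "conditional unescape matches what was sent: ";
var_dump(decode_json_param($received, true) === json_decode($sent, true));

// With magic quotes OFF, a blanket stripslashes() damages data that
// legitimately contains backslashes. This JSON encodes the value C:\temp.
$withBackslash = '{"dir":"C:\\\\temp"}';
$right = decode_json_param($withBackslash, false);
$wrong = json_decode(stripslashes($withBackslash), true);

// json_encode() is used only to make the control character visible:
// after the blanket strip, "\t" is read as a JSON tab escape.
echo "value as sent:       ", json_encode($right['dir']), PHP_EOL;
echo "after blanket strip: ", json_encode($wrong['dir']), PHP_EOL;
```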

PHP, why do you escape my quotes? [duplicate]

So, I have a file called Save.php.
It takes two things: a file, and the new contents.
You use it by sending a request like '/Resources/Save.php?file=/Resources/Data.json&contents={"Hey":"There"}'.
..but of course, encoding the url. :) I left it all unencoded for simplicity and readability.
The file works, but instead of the contents being..
{"Hey":"There"}
..I find..
{\"Hey\":\"There\"}
..which of course throws an error when trying to use JSON.parse when getting the JSON file later through XHR.
To save the contents, I just use..
file_put_contents($url, $contents);
What can I do to get rid of the backslashes?
Turn magic_quotes off in PHP.ini.
Looks like you have magic_quotes turned on.
If that is the case, either turn it off or use a runtime disabling function.
Try this:
file_put_contents($url, stripslashes($contents));
You probably have magic quotes enabled. There are only two things you can do: disable magic quotes in your php.ini or call stripslashes() on the $_GET and $_POST globals.
FYI, use $_GET['contents'] as opposed to $contents; newer versions of php will not create the $contents var.
You should disable magic_quotes in your php.ini configuration file. However if this is not possible you can also use the stripslashes() function to get rid of the automatic escaping.
If you cannot get magic quotes switched off for your server, then you need to check if it is switched on using get_magic_quotes_gpc() and, if it is true, call stripslashes().

mysql_real_escape_string() -> stripslashes() -> jquery.append()

I'm letting my users type in texts, then take them to server-side PHP and process them, and if everything goes as it should, I just append the text with jQuery without the page having to load all over again.
This is the procedure:
$post_text = htmlspecialchars(mysql_real_escape_string($_POST['post_text']));
some logic...
everything ok!
stripslashes(str_replace("\\n", "", $post_text))
and then I send all the necessary data with JSON
echo json_encode($return);
On the client side I append the HTML chunk saved in a variable from the server side.
This seems to work on localhost, it removes all the slashes and so on, but online it just doesn't remove the slashes, and they keep coming up. When I hit refresh they disappear because then it's a
stripslashes($comment['statusmsg_text'])
written out with PHP straight from the database. Is it the JSON that adds some extra stuff? I don't get it because it works perfectly on localhost.
best of regards,
alexander
The additional slashes might be magic quotes. You shouldn’t rely on them and disable them.
Additionally, mysql_real_escape_string should only be used to prepare strings to be put into a string context in a MySQL statement. The same applies to htmlspecialchars, which should only be used for sanitizing data to be put into an HTML context.
It may be that on your server and your localhost the magic_quotes_gpc directive is set differently, so your string is double encoded on the server side.
Try it without stripslashes, json_encode should handle that. All you need to do is use mysql_real_escape once, before your string touches your database.

Mysql_real_escape_string...is there an auto setting else where?

Got an odd situation here. On my local mysql database (v5.1.41), I am required to use this escape command if I am to handle users' quotation syntax without any problems. However I cannot use this command on my web server's mysql database (v5.0.91-community). If this command is used on the web server (apache v2.2.13), an extra slash syntax is added to the user's quotation syntax, thus if I remove the mysql_real_escape_string command, inputs with quotation marks will have no problems being inserted into the database.
So I was wondering, apart from php, is there a setting within apache (v2.2.13) or within mysql itself that can automatically deal with quotation syntax such as PHP's mysql_real_escape_string command?
Thank you in advance
This is probably due to Magic Quotes. Disable or remove them, they are a well-meant but also annoying feature.
It means the php setting magic_quotes_gpc is enabled on the server. It's deprecated, and there's a way to work around it - by removing the slashes at the beginning of your code:
<?php
if (get_magic_quotes_gpc()) {
function magicQuotes_awStripslashes(&$value, $key) {$value = stripslashes($value);}
$gpc = array(&$_GET, &$_POST, &$_COOKIE, &$_REQUEST);
array_walk_recursive($gpc, 'magicQuotes_awStripslashes');
}
I'd recommend you use filter_input to get your user data, as it does not care about magic_quotes, and parameterized queries to do your database job (see mysqli or PDO).
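
The parameterized-query approach recommended above, as an added example that is not part of the original posts. It assumes the pdo_sqlite extension and uses an in-memory SQLite database in place of MySQL; the table, helper names and input are constructed. It also shows how slashes added by magic quotes (simulated with addslashes()) end up stored as data.

```php
<?php
// Added example; requires pdo_sqlite. Table name and values are constructed.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE comments (id INTEGER PRIMARY KEY, body TEXT)');

// Hypothetical helper: store a value through a bound parameter.
// No mysql_real_escape_string(), addslashes() or stripslashes() involved.
function save_comment(PDO $pdo, string $body): int
{
    $stmt = $pdo->prepare('INSERT INTO comments (body) VALUES (:body)');
    $stmt->execute([':body' => $body]);
    return (int) $pdo->lastInsertId();
}

// Hypothetical helper: read the stored value back by id.
function load_comment(PDO $pdo, int $id): string
{
    $stmt = $pdo->prepare('SELECT body FROM comments WHERE id = :id');
    $stmt->execute([':id' => $id]);
    return (string) $stmt->fetchColumn();
}

$typed = 'She said "it\'s fine"';   // what the user typed

// Raw input bound as a parameter: stored and read back byte for byte.
$clean = load_comment($pdo, save_comment($pdo, $typed));

// The same input after magic quotes: the driver treats the backslashes as
// ordinary characters, so they are stored. This is the "extra slash".
$escaped = load_comment($pdo, save_comment($pdo, addslashes($typed)));

echo "raw input round-trips unchanged: ";
var_dump($clean === $typed);
echo "magic-quoted input keeps its backslashes: ";
var_dump($escaped === addslashes($typed));
echo "stored value: ", $escaped, PHP_EOL;
```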

Why does _GET in PHP wrongly decode slash?

Today I ran into an oddity with PHP, which I fail to find a proper explanation for in the documentation. Consider the following code:
<?php
echo $_GET['t']. PHP_EOL;
?>
The code is simple - it takes a single t parameter on the url and outputs it back. So if you call it with test.php?t=%5Ca (%5c is a '\'), I expected to see:
\a
However, this is what I got:
$ curl http://localhost/~boaz/test.php?t=%5Ca
\\a
Notice the double slash. Can anyone explain what's going on and give a recipe for retrieving the string as it was supplied on the URL?
Thanks,
Boaz
PS. I'm using PHP 5.2.11
This happens, because you have the "magic quotes" switch in php.ini switched on. From the manual:
When on, all ' (single-quote), " (double quote), \ (backslash) and NULL characters are escaped with a backslash automatically. This is identical to what addslashes() does.
Read more about it here: http://php.net/manual/en/security.magicquotes.php
To make your script aware of any value of the "magic_quotes_gpc" setting in php.ini, you can write your script like this:
$d = $_GET["d"];
if (get_magic_quotes_gpc()) $d = stripslashes($d);
echo $d; //but now you are kind of vulnerable to SQL injections
//if you don't properly escape this value in SQL queries.
You can easily fix this using the strip_slashes() function. You should avoid magic quotes; they've been deprecated for security reasons.
open .htaccess file and put something like this
php_flag magic_quotes_gpc off
php_flag magic_quotes_runtime off
