Weird text addition in PHP - php

I have a form posting data to a PHP page. Then I have the PHP page echoing the data as well as posting it to Twitter. Whenever I type in a word with an apostrophe it adds a backslash right before it. So I type in "I'm going to the park" and it echoes "I\'m going to the park". What's going on and how do I fix it? Thanx :)

This is caused by magic_quotes, a configuration option you should turn off. See here for good explanations.

You can turn it off in php.ini or .htaccess,
or just get rid of it in place:
if (get_magic_quotes_gpc()) foreach ($_POST as $k => $v) $_POST[$k] = stripslashes($v);

add a stripslashes() around the content before submitting it.

magic_quotes_gpc is on. I'd turn it off in your php.ini or server settings panel (depending on your host).
edited to the, although somewhat painful, support of Col. Shrapnel..

Related

how to prevent database to add slash to quotes

I know this sounds really common and so trivial, but I'm having a challenge here. I have a web site with Zend/Doctrine and I use CKEditor for the backend management. After uploading the site I've realized that during edit testing the look and feel of the site is messed up.
With the help of Firebug, I've seen that there are slashes all over the HTML. After inline editing, the look and feel came back to normal. There are so many files, I can't think of doing other decoding before outputting data from MySQL.
What options do I have to solve this problem? The site is up already and I feel a bit uncomfortable about this. Can anyone give a hint? Thanks
It might be magic_quotes_gpc. Can you verify that it's turned off?
Here is a way to turn it off:
http://php.net/manual/en/security.magicquotes.disabling.php
Sets the magic_quotes state for GPC (Get/Post/Cookie) operations. When magic_quotes are on, all ' (single-quote), " (double quote), \ (backslash) and NUL's are escaped with a backslash automatically.
Also, are you using prepared statements? PHP PDO/MySQLI will escape automatically for you. Depends on the type of queries you're using.
It seems like your data is getting double escaped before being inserted into your database. Are you using mysql_real_escape_string or addslashes before inserting data into the database? If so, maybe you want to use stripslashes before you insert your data like so:
mysql_real_escape_string(stripslashes($data));
Or else you could theoretically call stripslashes after you take the data out of the database:
stripslashes($data);
The second approach is less desirable, though. It would be better to have the data properly stored in the database.
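The double-escaping symptom and the "strip once, then bind" fix discussed above, as an added example that is not code from any of the posts. It assumes the pdo_sqlite extension is available; the function names emulate_magic_quotes, strip_magic_quotes and store_and_fetch and the posts table are hypothetical.

```php
<?php
// Added example: reproduces the double-escaping symptom without needing
// magic_quotes_gpc itself (the setting was removed in PHP 5.4).

// Emulates what magic_quotes_gpc did to request data: addslashes() on every
// value, recursing into nested arrays such as name[]=... form fields.
function emulate_magic_quotes($value)
{
    return is_array($value)
        ? array_map('emulate_magic_quotes', $value)
        : addslashes($value);
}

// Undoes the escaping exactly once, at the input boundary.
function strip_magic_quotes($value)
{
    return is_array($value)
        ? array_map('strip_magic_quotes', $value)
        : stripslashes($value);
}

// Stores a value with a bound parameter and reads it back (hypothetical helper).
function store_and_fetch(PDO $db, $body)
{
    $db->exec('DELETE FROM posts');
    $stmt = $db->prepare('INSERT INTO posts (body) VALUES (:body)');
    $stmt->execute(array(':body' => $body));
    return $db->query('SELECT body FROM posts')->fetchColumn();
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE posts (body TEXT)');

// Constructed sample input, as it would arrive with magic quotes on.
$post = emulate_magic_quotes(array('body' => "I'm going to the park"));

// Symptom: the driver binds the value safely, so the backslash that magic
// quotes added is stored as literal data and comes back on every read.
$broken = store_and_fetch($db, $post['body']);

// Fix: strip once on input, then let the bound parameter do the SQL quoting.
$clean = strip_magic_quotes($post);
$fixed = store_and_fetch($db, $clean['body']);

echo "stored with magic quotes: $broken\n";
echo "stored after stripping:   $fixed\n";
// Escape for the output context (HTML here), not at input time.
echo 'rendered: ', htmlspecialchars($fixed, ENT_QUOTES, 'UTF-8'), "\n";
```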
I thank everyone for the help. Really the accepted solution should be the one from #Stanislav Palatnik, just that it didn't work with my .htaccess. The hosting server was nice enough to put a php.ini in my public_html, allowing me to change it. So +1 to #Stanislav Palatnik because he pointed out the issue. I also found interesting information I thought I would share in case someone found himself in my situation.
info from: http://support.godaddy.com/groups/web-hosting/forum/topic/how-to-turn-off-magic_quotes_gpc/
Yes – the solution below worked for me:
(1) First of all do not try to turn off the magic quotes in your .htaccess file, it won’t work on godaddy.
(2) Second, if you’re running PHP5 on your account, rename your php.ini file to php5.ini, make sure it’s in your root folder.
(3) Third, make sure all the lines in your php5.ini file end in a semi colon ;
(4) Fourth, add this line to your php5.ini file:
magic_quotes_gpc = Off;
On the same page someone said it shouldn't be magic_quotes_gpc only but other ones as well, as shown below:
magic_quotes_gpc = Off;
magic_quotes_runtime = Off;
magic_quotes_sybase = Off;
Hope this helped someone. Special thanks to #Stanislav Palatnik
In case this is a magic quotes problem and as i recall you only having access to your application.ini, you might add the following and give it a try
phpSettings.magic_quotes_gpc = 0
phpSettings.magic_quotes_runtime = 0
This still requires your user / usergroup to be allowed to change default php settings ;)
<?php
if (get_magic_quotes_gpc()) {
    $process = array(&$_GET, &$_POST, &$_COOKIE, &$_REQUEST);
    while (list($key, $val) = each($process)) {
        foreach ($val as $k => $v) {
            unset($process[$key][$k]);
            if (is_array($v)) {
                $process[$key][stripslashes($k)] = $v;
                $process[] = &$process[$key][stripslashes($k)];
            } else {
                $process[$key][stripslashes($k)] = stripslashes($v);
            }
        }
    }
    unset($process);
}
?>
add this to your php page which has insert/update query :)

Newbie PHP: I'm having trouble running simple example code

I'm trying to get some PHP example code to work on PHP version 5.3.4, Apache 2.2.17 on Windows.
The example says I need PHP 4.0 and above with CURL and contains:
<?
$function = $_GET['function-if-exist'];
$test = "Test";
?>
<? =$test ?>
I don't understand why I'm getting the following errors:
My PHP doesn't understand <? and wants <?PHP instead.
My PHP doesn't like <? =$test ?> and wants something like
<?PHP echo $test ?>
$function = $_GET['function-if-exist']; causes the error "Undefined index" but presumably works for the folks that developed it.
Can anyone help me understand why their code is not working for me?
1) <? is the "short tag". Most servers are configured to not allow short tags. This can be changed in php.ini.
2) Again, short tags. Also I think you can't have a space before the =, but the main problem is the short tags setting.
3) $_GET accesses the query string, so when loading your script you need myscript.php?function-if-exist=something
It is more ideal to check if the parameter is set before continuing to prevent errors being thrown, e.g.
if (isset($_GET['function-if-exist']))
{
    $functionexists = $_GET['function-if-exist'];
}
the short tag notation is disabled in your php.ini
you need to remove the space before your equal sign
your _get array contains not the expected index, what url do you enter to access the page?
I don't understand why I'm getting the following errors:
My PHP doesn't understand
To be able to use short tags you will have to enable them via config ... http://www.tomjepson.co.uk/tutorials/35/enabling-short-tags-in-php.html
My PHP doesn't like and wants something like
Once you switch on the short tags you will be able to echo using ... important the equals signs must be touching the ? not variable.
$function = $_GET['function-if-exist']; causes the error "Undefined index" but presumably works for the folks that developed it.
The $_GET is populated according to what is in the url. To get a value in $_GET['function-if-exist'] the url accessing the script should be something like mydemo.php?function-if-exist=hello
Hope this helps you
Quick answers: for 1 and 2, enable the short_open_tag option in the php.ini file; for the last one, set error_reporting to a less strict mode.
The reasons not to adopt such measures are:
The short tag clashes with the XML declaration and is disabled on various hosts; if you need to manipulate XML or write portable code, it is better to resort to the long tag syntax. You lose the ability to echo data with =, but it is a small annoyance to me.
Warnings and notices, since PHP forgives the programmer a lot for missing variable declarations, are a blessing for debugging. Keep them raised and you will address a lot of misspellings.
Are you sure that function-if-exist is a correct index for your hash? I would check the index first, then access it. If the index doesn't exist, it is a probable hint that something is going wrong with your code and you should check the reason it is missing.
Better to stop now, as anyone can write a book on this topic, and several already have ;)

php.ini: what must I change to write <? instead of <?php?

On my local hosting the script doesn't work if I write <? instead of <?php.
What must I change in php.ini to correct it?
Thanks
http://php.net/manual/en/ini.core.php
short_open_tag
Is the property you seek.
It is:
short_open_tag
Make sure to read:
PHP Short Open Tag: Convenient Shortcut or Short Changing Security?
It's already been said how to do it, but I'm just saying that it might not be such a great idea. Almost anyone you ask will tell you not to use short tags. Unless you have a specific reason to use short tags, you should just type <?php. It's only 3 more characters.

Question mark equals, doesn't work on php

this is my php code:
<html><body>Hey!: <?= "World";?></body></html>
It just prints "Hey!:" What's wrong with my code?
Short tags (which you're using here) can be turned on or off depending on the server you're running the code on. If it's your server, look in php.ini
You need to set short_open_tag to 1
http://php.net/manual/en/ini.core.php
Does your file end in .php and will it execute as php on your webserver? add
<?php echo "yes I run php!<br>\n"; ?>
to your file to be sure. View source to see what happened to the php tags. Then maybe switch on short tags as the other answers told you to.

Anything in here that would escape string (PHP)

$_GET['search'] = ucfirst(strtolower(str_replace("_"," ",urldecode($_GET['search']))));
For some reason it's adding slashes into the string, similar to mysql_escape_string. Anyone got any ideas what would be causing it?
You have most probably magic_quotes_gpc set to on in php.ini. If you want to avoid that, make a check like this:
if (get_magic_quotes_gpc())
{
    $mytext = stripslashes($your_text);
}
// and your further code....
Check to see if magic_quotes_gpc is enabled on your server. If this is enabled, PHP automatically escapes anything from _GET _POST or _COOKIES.
See: http://php.net/manual/en/security.magicquotes.php
It sounds like magic_quotes_gpc is turned on. You can get the setting with get_magic_quotes_gpc().
