I have a simple PHP script I use to front-end an SQLite database. It's nothing fancy or complex. But I have noticed from looking at the records in the database that anything I enter in a form-field with double-quotes comes across in the form-processing as though I'd escaped the quotes with a backslash. So when I entered a record with the title:
British Light Utility Car 10HP "Tilly"
what shows up in the database is:
British Light Utility Car 10HP \"Tilly\"
I don't know where these are coming from, and what's worse, even using the following preg_replace doesn't seem to remove them:
$name = preg_replace('/\\"/', '"', $_REQUEST['kits_name']);
If I dump out $name, it still bears the unwanted \ characters.
You have most probably magic_quotes_gpc set to on in php.ini. If you want to avoid that and use your own regex, make a check like this:
if (get_magic_quotes_gpc())
{
$mytext = stripslashes($your_text);
}
// and your further code....
This means your server has magic_quotes_gpc enabled.
You can use ini_set() to disable this setting, or you can create a method to filter the $_REQUEST values()
function getRequest($key)
{
$val = $_REQUEST[$key];
if(get_magic_quotes_gpc() == 1) {
$val = stripslashes($val);
}
return $val;
}
echo getRequest('kits_name');
Is it possible magic quotes are enabled on the server?
You probably have magic quotes turned on.
You should disable these as it's bad practice and is deprecated.
View this doc to learn how to disable them.
Well because of lack of good answers.
As they said above, it is because magic quotes on.
You have to get rid of these slashes before inserting your data.
So, to get rid of it you can use either .htaccess (if any) with these settings
php_flag magic_quotes_gpc 0
php_flag magic_quotes_runtime 0
or make it manually, with code like this
if ( get_magic_quotes_gpc( ) ) {
$_GET = array_map_recursive('stripslashes', $_GET) ;
$_POST = array_map_recursive('stripslashes', $_POST) ;
$_COOKIE = array_map_recursive('stripslashes', $_COOKIE) ;
$_REQUEST = array_map_recursive('stripslashes', $_REQUEST) ;
if (isset($_SERVER['PHP_AUTH_USER'])) stripslashes($_SERVER['PHP_AUTH_USER']);
if (isset($_SERVER['PHP_AUTH_PW'])) stripslashes($_SERVER['PHP_AUTH_PW']);
}
if your php version doesn't support array_map_recursive function, you can use a recursive function like this one
function strips(&$el) {
if (is_array($el))
foreach($el as $k=>$v)
strips($el[$k]);
else $el = stripslashes($el);
}
or write your own one
You can use this code co cleanse your existing data
As for
If I dump out $name, it still bears
the unwanted \ characters.
it may be result of wrong use htmlspecialchars function
Related
1.I m a beginner .I want to know that "magic quote" is deprecated , so do I still need to include in my code?
2.urldecode(), urlencode(), htmlentities() etc do I still need to use ?
3.So, below code won't be needed if everything is fine.
/** Check for Magic Quotes and remove them **/
function stripSlashesDeep($value) {
$value = is_array($value) ? array_map(‘stripSlashesDeep’, $value) : stripslashes($value);
return $value;
}
function RemoveMagicQuotes() {
if ( get_magic_quotes_gpc() ) {
$_GET = stripSlashesDeep($_GET );
$_POST = stripSlashesDeep($_POST );
$_COOKIE = stripSlashesDeep($_COOKIE);
}
}
Magic quotes are removed and not useable anymore from PHP 5.3 and later, why? It is up to the programmer to handle and point it where it needs to go. It was meant to be a cure for MySQL injections but failed to do so.
This means that it is up to you that you to sanitize everything that the "user" can put his furry little claws on. This means at the very least: POST, GET and COOKIE requests.
But escaping like magic quotes did was meant to be used in combination with a database. Using PDO escaping is done automatically and you don't have to worry about it (IF properly used of course).
The other functions are still to be used at your own discretion.
I have created a form in my web application which has only a single text field and that field is posted to a PHP page using GET, but I am observing strange behavior. i.e. when I test it on my local server, the text is received as it was written in the text field, but when I upload it to my online server, the received string is escaped automatically means, all single quotes and double quotes are escaped. e.g. If I write It's not true... then on php side I will get
$comment = $_REQUEST["comm"];
print $comment;
//will print It\'s not true... on my online server
//will print It's not true... on my local server
I am yet unable to under stand why is it so? Is there any PHP setting for escaping Query Strings variables automatically?
You have "magic quotes" enabled. They're a terrible misfeature which are luckily being removed in the next version of PHP. The PHP manual has a guide to disabling them.
In short, you need to set the following configuration items to Off in your php.ini file:
magic_quotes_gpc
magic_quotes_runtime
magic_quotes_sybase
Specifically, your problem appears to be with magic_quotes_gpc - the "gpc" portion being short for "GET, POST, and COOKIE" - but it's good practice to keep all of them disabled.
Code will tell you every thing what you need..
function mysql_prep($value) {
$magic_quotes_active = get_magic_quotes_gpc();
$new_enough_php = function_exists("mysql_real_escape_string"); // i.e. PHP >= v4.3.0
if ($new_enough_php) { // PHP v4.3.0 or higher
// undo any magic quote effects so mysql_real_escape_string can do the work
if ($magic_quotes_active) {
$value = stripslashes($value);
}
$value = mysql_real_escape_string($value);
} else { // before PHP v4.3.0
// if magic quotes aren't already on then add slashes manually
if (!$magic_quotes_active) {
$value = addslashes($value);
}
// if magic quotes are active, then the slashes already exist
}
return $value;
}
create above function and pass-on values to this function
and then call the values like
$yourVar = mysql_prep($_POST['yourControlName']);
I hope you may get every thing explained via comments...
I think its a setting within the php.ini file. You can call a PHP function to disable it, but by then it's too late.
Okay my hosting company has magic_quotes_gpc turned ON and I coded my PHP script using stripslashes() in preparation of this. But now the hosting company says its going to turn magic_quotes_gpc OFF and I was wondering what will happen now to my data now when stripslashes() is present should I go through all my millions of lines of code and get rid of stripslashes()? or leave the stripslashes() function alone? will leaving the stripslashes() ruin my data?
Your code should use get_magic_quotes_gpc to see if magic quotes are enabled, and only strip slashes if they are. You should run a block of code similar to the following in exactly one place, shared by all your scripts; if you're using stripslashes in multiple places you're doing it wrong.
// recursively strip slashes from an array
function stripslashes_r($array) {
foreach ($array as $key => $value) {
$array[$key] = is_array($value) ?
stripslashes_r($value) :
stripslashes($value);
}
return $array;
}
if (get_magic_quotes_gpc()) {
$_GET = stripslashes_r($_GET);
$_POST = stripslashes_r($_POST);
$_COOKIE = stripslashes_r($_COOKIE)
$_REQUEST = stripslashes_r($_REQUEST);
}
I would start going through and removing stripslashes(). You can do this ahead of time by testing for magic_quotes_gpc and only calling stripslahes() if it is needed.
meagar has the correct answer.
But to traverse the situation, you need something like Notepad++ with a Search within files function. Copy a snippet of meagar's code and search for stripslashes()
This question already has answers here:
Why are $_POST variables getting escaped in PHP?
(6 answers)
Closed 7 years ago.
I have a php page which contains a form.
Sometimes this page is submitted to itself (like when pics are uploaded).
I wouldn't want users to have to fill in every field again and again, so I use this as a value of a text-input inside the form:
value="<?php echo htmlentities(#$_POST['annonsera_headline'],ENT_COMPAT,'UTF-8');?>">
This works, except it adds a "\" sign before every double-quote...
For instance writing 19" wheels gives after page is submitted to itself:
19\" wheels
And if I don't even use htmlentities then everything after the quotes dissappears.
What is the problem here?
UPDATE:
Okay, so the prob is magic_quotes... This is enabled on my server...
Should I disable it? I have root access and it is my server :)
Whats the harm in disabling it?
Looks like you have magic quotes turned on. Use below condition using stripslashes with whatever text you want to process:
if(get_magic_quotes_gpc())
{
$your_text = stripslashes($your_text);
}
Now you can process $your_text variable normally.
Update:
Magic quotes are exaplained here. For well written code there is normally no harm in disabling it.
You likely have magic quotes turned on. You need to stripslashes() it as well.
Nicest way would be to wrap this in a function:
function get_string($array, $index, $default = null) {
if (isset($array[$index]) && strlen($value = trim($array[$index])) > 0) {
return get_magic_quotes_gpc() ? stripslashes($value) : $value;
} else {
return $default;
}
}
Which you can use as
$annonsera_headline = get_string($_POST, 'annonsera_headline');
By the way:
And if I don't even use htmlentities then everything after the quotes dissappears.
It's actually still there in the HTML source, you only don't see it. Do a View Source ;)
Update as per your update: the magic quotes is there to prevent SQL injection attacks in code of beginners. You see this often in 3rd party hosts. If you really know what you're doing in the code, then you can safely turn it off. But if you want to make your code distributable, then you'll really take this into account when gathering request parameters. For this the above function example is perfectly suitable (you only need to write simliar get_boolean(), get_number(), get_array() functions yourself).
Yes, you should disable magic quotes if you can. The feature is deprecated, and will likely go away completely in the future.
If you've relied on magic quotes for escaping data (for instance when inserting it into a database) you will may be opening yourself up to sql injection vulnerabilities if you disable it. You should check all your queries and make sure you're using mysql_real_escape_string().
I include the following file to undo magic quotes in apps that are deployed to servers not under my control.
<?php
set_magic_quotes_runtime(0);
function _remove_magic_quotes(&$input) {
if(is_array($input)) {
foreach(array_keys($input) as $key) _remove_magic_quotes($input[$key]);
}
else $input = stripslashes($input);
}
if(get_magic_quotes_gpc()) {
_remove_magic_quotes($_REQUEST);
_remove_magic_quotes($_GET);
_remove_magic_quotes($_POST);
_remove_magic_quotes($_COOKIE);
}
return true;
?>
This is actually a function of PHP trying to be security conscious, luckily there is an easy fix for it that looks something like this:
if (get_magic_quotes_gpc()) {$var = stripslashes($var);}
There isn't a huge problem in having it enabled, it comes down to personal preference. If you code will be moving servers much and you can't disable it through your php.ini file, it's best to use something as described above.
If you have access to your php.ini file and you want to change it, because you don't want to have to validate it each time you can add the following line to php.ini
magic_quotes_gpc = Off
Or the following to your .htaccess:
php_flag magic_quotes_gpc Off
Hope this helps clear things up.
Looks like your server is setup to use Magic Quotes.
You can fix it by stripping them with stripslashes, or better, by turning off Magic Quotes.
you shouldn't use htmlentities() when writing something to an input field value.
is magic_quotes enabled on your server? try out stripslashes before the output.
I'm trying to figure out why this function does not work correctly.
It's adding an extra \ every time I edit my entries.
Online server has these settings:
magic_quotes_gpc On
magic_quotes_runtime Off
magic_quotes_sybase Off
Here is the code:
function esc($s)
{
if (get_magic_quotes_gpc()) {
if (ini_get('magic_quotes_sybase'))
$s = str_replace("''", "'", $s);
else
$s = stripslashes($s);
} //if
return mysql_real_escape_string($s);
}
Edit note:
I have tried completely removing this function to see what it does... and it does the same thing, so I have realized that addslashes is also use in the code for the same thing.
The extra \ were there because magic_quote was ON
Your function makes little sense. If magic quotes is on (eg. input is escaped), you unescape it. If it's not on, you escape it. So you'll get different results, depending on if you have magic quote on or not.
In any case, relying on magic quotes is a really bad practice. You should:
Disable magic quotes or reverse its effect globally.
Either escape strings when you construct SQL queries or (better) use prepared statements.
Not unescape/strip/whatever anything when you get it back from the database.
You probably want to stripslashes even if magic_quotes_sybase is on:
function esc($s)
{
if (get_magic_quotes_gpc()) {
if (ini_get('magic_quotes_sybase'))
$s = str_replace("''", "'", $s);
$s = stripslashes($s);
} //if
return mysql_real_escape_string($s);
}
You might also want to take a look at PHP's get_magic_quotes_gpc function page, there are several user comments on the page with fairly elegant solutions for ensuring slashes are stripped.
Ok I have fixed the problem. A quick solution for now, I have removed function esc($s).
I changed Magic_Quote to OFF in php.ini.
I'm keeping addslashes solution.