Anything in here that would escape string (PHP) - php

$_GET['search'] = ucfirst(strtolower(str_replace("_"," ",urldecode($_GET['search']))));
For some reason it's adding slashes into the string, similar to mysql_escape_string. Anyone got any ideas what would be causing it?

Most probably you have magic_quotes_gpc set to On in php.ini. If you want to avoid that, make a check like this:
if (get_magic_quotes_gpc())
{
    // only strip when PHP itself added the slashes
    $mytext = stripslashes($your_text);
}
// and your further code....

Check to see if magic_quotes_gpc is enabled on your server. If it is enabled, PHP automatically escapes anything coming from $_GET, $_POST or $_COOKIE.
See: http://php.net/manual/en/security.magicquotes.php

It sounds like magic_quotes_gpc is turned on. You can get the setting with get_magic_quotes_gpc().
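Added example (not code from the question or from any of the answers above): the pattern the answers describe, done once at the start of the request, recursively over nested arrays, and only when PHP reports that magic_quotes_gpc is on. The helper names undo_magic_quotes() and magic_quotes_active(), the parameter names and the sample request data are all my own. It also drops the urldecode() from the question's one-liner, because PHP has already decoded the query string by the time it fills $_GET.

```php
<?php
/**
 * Recursively strip the backslashes that magic_quotes_gpc added.
 * Magic quotes escaped array keys as well, so keys are stripped too.
 */
function undo_magic_quotes($value)
{
    if (is_array($value)) {
        $clean = array();
        foreach ($value as $key => $item) {
            $clean[stripslashes($key)] = undo_magic_quotes($item);
        }
        return $clean;
    }
    return stripslashes($value);
}

/**
 * True when magic_quotes_gpc is active. The feature was removed in PHP 5.4
 * and get_magic_quotes_gpc() itself in PHP 8.0, so test for the function
 * first; on current PHP this is always false.
 */
function magic_quotes_active()
{
    return function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc();
}

/**
 * Normalise a search term the way the question does, minus urldecode():
 * PHP already decodes the query string into $_GET, so decoding a second
 * time turns a literal "%2B" typed by the user into "+" (double decoding).
 */
function normalise_search($term)
{
    return ucfirst(strtolower(str_replace('_', ' ', $term)));
}

// --- demonstration with constructed data ----------------------------------
// Request sent by the browser (constructed):
//   ?search=o%27brien_books&tags%5B%5D=it%27s
// What magic_quotes_gpc would have put in $_GET: addslashes() on every value.
$as_received = array(
    'search' => addslashes("o'brien_books"),
    'tags'   => array(addslashes("it's")),
);

// In a real script the flag comes from magic_quotes_active(); it is forced
// to true here because the sample above was built with addslashes().
$simulated_magic_quotes = true;
$get = $simulated_magic_quotes ? undo_magic_quotes($as_received) : $as_received;

echo normalise_search($get['search']), "\n";
echo $get['tags'][0], "\n";

// With magic quotes off the data must be left alone: an unconditional
// stripslashes() would eat a backslash the user typed on purpose.
$off = array('t' => '\\a');   // the "\a" from a request like ?t=%5Ca
$get = magic_quotes_active() ? undo_magic_quotes($off) : $off;
echo $get['t'], "\n";
```

Run this once at the top of a front controller (or in an auto_prepend_file) against $_GET, $_POST and $_COOKIE, and do any escaping only at the point of use: a prepared statement for SQL, htmlspecialchars() for HTML output.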

Related

Switching from MySQL_query to PDO causes unwanted escaping

I have recently been switching all of my old mysql_query calls to PDO. I've encountered an issue that wasn't present with the mysql_query configuration. When I try to insert a variable containing quotation marks into the database, it appears escaped in my database. I have disabled magic quotes in my php.ini file.
$myString = "Enter 'one' now";
$sql = $pdo->prepare("UPDATE $tbl_name SET string=:myString WHERE etc...");
$sql->execute(array(':myString' => $myString));
This updates to
Enter \'one\' now
What I need is
Enter 'one' now
This wasn't happening before I switched to PDO. Is there a way around this without losing security?
Thanks!
You have magic quotes enabled on your server; the PHP documentation for it tells you various ways to turn it off.
In regard to your comment: you can also try creating a php.ini file in your home directory with the following:
magic_quotes_gpc = off
magic_quotes_runtime = off
magic_quotes_sybase = off
If that doesn't work, then contact your host to address the issue.
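Added example (not code from the question or the answer): it reproduces the reported behaviour against an in-memory SQLite database and shows that the prepared statement stores the quotes verbatim; the backslashes only appear when the value was already escaped before it reached PDO, which is exactly what magic_quotes_gpc does to request data. It assumes the pdo_sqlite extension is available; the table name "notes", the id column and the helper names are my own.

```php
<?php
function make_db()
{
    $pdo = new PDO('sqlite::memory:');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->exec('CREATE TABLE notes (id INTEGER PRIMARY KEY, string TEXT)');
    $pdo->exec("INSERT INTO notes (id, string) VALUES (1, 'placeholder')");
    return $pdo;
}

/** The question's UPDATE with a named placeholder; no escaping anywhere. */
function store_string(PDO $pdo, $id, $string)
{
    $sql = $pdo->prepare('UPDATE notes SET string = :myString WHERE id = :id');
    $sql->execute(array(':myString' => $string, ':id' => $id));
}

function fetch_string(PDO $pdo, $id)
{
    $sql = $pdo->prepare('SELECT string FROM notes WHERE id = :id');
    $sql->execute(array(':id' => $id));
    return $sql->fetchColumn();
}

$pdo = make_db();
$myString = "Enter 'one' now";

// 1. Magic quotes off (always the case on PHP >= 5.4): the value round-trips
//    unchanged, because the driver sends it as a bound parameter.
store_string($pdo, 1, $myString);
$stored = fetch_string($pdo, 1);
printf("%-20s %s\n", 'clean input:', $stored);
assert($stored === $myString);

// 2. What magic_quotes_gpc did to a submitted value before the script saw
//    it: addslashes() has already run, so PDO faithfully stores the
//    backslashes. Escaping twice is the bug; PDO is not adding anything.
$fromMagicQuotes = addslashes($myString);
store_string($pdo, 1, $fromMagicQuotes);
printf("%-20s %s\n", 'pre-escaped input:', fetch_string($pdo, 1));

// 3. The bound parameter is also what keeps this safe: an injection attempt
//    is stored as data, the table is still there.
store_string($pdo, 1, "x'; DROP TABLE notes; --");
printf("%-20s %s\n", 'hostile input:', fetch_string($pdo, 1));
assert((int) $pdo->query('SELECT COUNT(*) FROM notes')->fetchColumn() === 1);
```

The security answer to the question is therefore: nothing is lost by turning magic quotes off. The prepared statement is what protects the query, and pre-escaping on top of it only corrupts the data.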

PHP Login - Password input - Special characters? - Centos 5 System

I have a CentOS 5 VPS and I have just installed my website there. But I have problems: when I'm inserting special characters into the password field like ' (apostrophe) or something like that, I always get the error that this password is incorrect :/ I guess this is because of the Linux system. Am I right? Or maybe because of the sanitizing I'm doing?
I'd be glad if anyone could help me.
EDIT:
function array_sanitize(&$item) {
$item = htmlentities(strip_tags(mysql_real_escape_string($item)));
}
If magic quotes are enabled, then you should turn them off.
Edit these in your php.ini:
; Magic quotes
;
; Magic quotes for incoming GET/POST/Cookie data.
magic_quotes_gpc = Off
; Magic quotes for runtime-generated data, e.g. data from SQL, from exec(), etc.
magic_quotes_runtime = Off
; Use Sybase-style magic quotes (escape ' with '' instead of \').
magic_quotes_sybase = Off
Or you can put this in .htaccess in document root:
php_flag magic_quotes_gpc Off
If you want to know about magic quote:
http://php.net/manual/en/security.magicquotes.php
Hmm, this sounds like an input escaping issue to me, or some setting in the website.
Try to trace the path of the inputs to the actual query that executes and checks for a valid username/password. This is all I can write without actual code.
P.S. I can only post answers, that is why I am posting it like this.
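Added example (not the poster's code and not from either answer): it shows why the posted array_sanitize() breaks logins that contain quotes, and the pattern that avoids it: never transform a password, hash it with password_hash() at registration, check it with password_verify() at login, and let a prepared statement handle the quoting for the username lookup. addslashes() stands in for mysql_real_escape_string(), which needs a live MySQL connection (the mysql extension is gone since PHP 7); the in-memory SQLite users table, the sample account and the helper names are constructed for the demo.

```php
<?php
/** The question's sanitiser, with addslashes() in place of mysql_real_escape_string(). */
function array_sanitize_like_question($item)
{
    return htmlentities(strip_tags(addslashes($item)));
}

function make_users_db($username, $password)
{
    $pdo = new PDO('sqlite::memory:');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->exec('CREATE TABLE users (username TEXT PRIMARY KEY, password_hash TEXT)');
    $ins = $pdo->prepare('INSERT INTO users (username, password_hash) VALUES (:u, :h)');
    // Hash the raw password exactly as typed. The hash is what gets stored
    // and it contains no characters that need escaping.
    $ins->execute(array(':u' => $username, ':h' => password_hash($password, PASSWORD_DEFAULT)));
    return $pdo;
}

/** Login check: lookup via bound parameter, comparison via password_verify(). */
function login(PDO $pdo, $username, $password)
{
    $sel = $pdo->prepare('SELECT password_hash FROM users WHERE username = :u');
    $sel->execute(array(':u' => $username));
    $hash = $sel->fetchColumn();
    return $hash !== false && password_verify($password, $hash);
}

$user = "o'connor";
$pass = "it's <not> \"plain\"";   // apostrophe, angle brackets, double quotes
$pdo  = make_users_db($user, $pass);

// Raw credentials, untouched: the login succeeds.
var_dump(login($pdo, $user, $pass));

// Credentials pushed through the question's sanitiser first: the password
// now carries a backslash and HTML entities, strip_tags() has removed
// "<not>", so it no longer matches what was hashed. The username was
// altered as well, so the row is not even found.
var_dump(login($pdo, array_sanitize_like_question($user), array_sanitize_like_question($pass)));

// Exactly the same failure when magic_quotes_gpc has already run
// addslashes() on the submitted password, which is why the answers say to
// turn it off.
var_dump(login($pdo, $user, addslashes($pass)));
```

htmlentities() and strip_tags() belong at output time, on whatever is rendered into a page, not on a credential; a password is only ever compared against its hash, so there is no query or HTML context to escape it for.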

PHP, why do you escape my quotes? [duplicate]

This question already has answers here:
Closed 10 years ago.
Possible Duplicate:
Why are escape characters being added to the value of the hidden input
So, I have a file called Save.php.
It takes two things: a file, and the new contents.
You use it by sending a request like '/Resources/Save.php?file=/Resources/Data.json&contents={"Hey":"There"}'.
..but of course, encoding the url. :) I left it all unencoded for simplicity and readability.
The file works, but instead of the contents being..
{"Hey":"There"}
..I find..
{\"Hey\":\"There\"}
..which of course throws an error when trying to use JSON.parse when getting the JSON file later through XHR.
To save the contents, I just use..
file_put_contents($url, $contents);
What can I do to get rid of the backslashes?
Turn magic_quotes off in PHP.ini.
Looks like you have magic_quotes turned on.
If that is the case, either turn it off - Or use a runtime disabling function
Try this:
file_put_contents($url, stripslashes($contents));
You probably have magic quotes enabled. There are only two things you can do: disable magic quotes in your php.ini, or call stripslashes() on the $_GET and $_POST globals.
FYI, use $_GET['contents'] as opposed to $contents; newer versions of PHP will not create the $contents variable.
You should disable magic_quotes in your php.ini configuration file. However if this is not possible you can also use the stripslashes() function to get rid of the automatic escaping.
If you can not get magic quotes switched off for your server, then you need to check if it is switched on using get_magic_quotes_gpc() and if it is true, stripslashes().

Escaping problem

I send this string in a GET request
{"foo":[{"bo1":"*","bob":"*"}]}
but get it in PHP as
{\"foo\":[{\"bo1\":\"*\",\"bob\":\"*\"}]}
How do I get it as {"foo":[{"bo1":"*","bob":"*"}]} sending it as part of a query string (or how do I send it via GET method to get it properly)? (Note: I cannot clean it as I have no control over server side.)
Disable magic_quotes: it's deprecated. If you can't, you can always use stripslashes on the input:
$goodStr = stripslashes($_GET['badStr']);
Your PHP config has magic_quotes_gpc enabled, which causes automatic escaping of single and double quotes in the $_GET, $_POST and $_COOKIE superglobals.
If you do not need it, turn it off. If you do, then you should probably rewrite the code which relies on this behaviour, as it is deprecated and will be removed in future versions of PHP.
You should turn it off in php.ini if possible.
Anyway, if for some reason you cannot turn this off, just use stripslashes($your_json);
If the server runs on Apache, create a file called .htaccess in the site root (the leading period is part of the filename). Put the following code in the file:
php_flag magic_quotes_gpc Off
Otherwise, you'll need to use stripslashes() every time.
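Added example (not from the question or the answers above): it walks a JSON document through a query string the way PHP does, shows why the added backslashes break json_decode(), and shows the caveat the answers leave implicit: stripslashes() must only be applied when magic quotes are actually on, because applied blindly it also destroys backslashes that are part of the JSON itself. The parameter name "q", the sample document and the helper names are constructed for the demo.

```php
<?php
function magic_quotes_active()
{
    return function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc();
}

/** Decode JSON taken from a request parameter, undoing magic quotes only if they ran. */
function json_from_request($raw, $magic_quotes_on)
{
    if ($magic_quotes_on) {
        $raw = stripslashes($raw);
    }
    $data = json_decode($raw, true);
    if (json_last_error() !== JSON_ERROR_NONE) {
        throw new InvalidArgumentException('Bad JSON: ' . json_last_error_msg());
    }
    return $data;
}

// Client side of the question: build the URL with http_build_query() so every
// quote, brace, asterisk and backslash is percent-encoded exactly once.
$doc = array('foo' => array(array('bo1' => '*', 'bob' => 'C:\\temp', 'caf' => "caf\u{e9}")));
$query = http_build_query(array('q' => json_encode($doc)));
echo "GET /?$query\n";

// Server side: PHP decodes the query string into $_GET; parse_str() does
// the same job here so the script runs from the command line.
parse_str($query, $get);
$raw = $get['q'];
echo "seen by PHP, magic quotes off: $raw\n";

// With magic_quotes_gpc on, $_GET['q'] would have been addslashes()'d:
$magic = addslashes($raw);
echo "seen by PHP, magic quotes on:  $magic\n";

// Decoding the mangled string without undoing magic quotes fails outright.
try {
    json_from_request($magic, false);
} catch (InvalidArgumentException $e) {
    echo 'without stripslashes: ', $e->getMessage(), "\n";
}

// Undoing magic quotes when they ran gives back the original document.
var_dump(json_from_request($magic, true) === $doc);

// Undoing them when they did NOT run is worse than an error: "C:\\temp"
// becomes "C:\temp", which json_decode() happily reads as a tab, and
// "caf\u00e9" becomes "cafu00e9". It parses, but the data is silently wrong.
var_dump(json_from_request($raw, true) === $doc);

// The call to make in a real script:
// $data = json_from_request($_GET['q'], magic_quotes_active());
```

This also answers the "no control over the server" part of the question: there is no client-side encoding that survives magic_quotes_gpc, because the escaping happens after PHP has already URL-decoded the value.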

Why does $_GET in PHP wrongly decode a slash?

Today I ran into some oddity with PHP, which I fail to find a proper explanation for in the documentation. Consider the following code:
<?php
echo $_GET['t']. PHP_EOL;
?>
The code is simple: it takes a single t parameter on the URL and outputs it back. So if you call it with test.php?t=%5Ca (%5C is a '\'), I expected to see:
\a
However, this is what I got:
$ curl http://localhost/~boaz/test.php?t=%5Ca
\\a
Notice the double slash. Can anyone explain what's going on and give a recipe for retrieving the string as it was supplied on the URL?
Thanks,
Boaz
PS. I'm using PHP 5.2.11
This happens because you have the "magic quotes" switch in php.ini switched on. From the manual:
When on, all ' (single-quote), " (double quote), \ (backslash) and NULL characters are escaped with a backslash automatically. This is identical to what addslashes() does.
Read more about it here: http://php.net/manual/en/security.magicquotes.php
To make your script aware of any value of the "magic_quotes_gpc" setting in php.ini, you can write your script like this:
$d = $_GET["d"];
if (get_magic_quotes_gpc()) $d = stripslashes($d);
echo $d; // but now you are kind of vulnerable to SQL injections
         // if you don't properly escape this value in SQL queries.
You can easily fix this using the stripslashes() function. You should avoid magic quotes; they've been deprecated for security reasons.
Open the .htaccess file and put something like this in it:
php_flag magic_quotes_gpc off
php_flag magic_quotes_runtime off
