Ok, so I'm having a problem with a simple textarea. I'm using a kind of hidden page to easily encode some data using JSON. However, all of my text input is automatically being escaped somewhere and I don't know where. All of my $_POST variables are automatically run through the htmlentities() function when the script starts up, as seen below:

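```php
$ani->i->post = $this->clean($_POST, true);

// Recursively lower-cases array keys and runs every scalar through htmlentities().
function clean($values, $unset = false) {
    if (is_array($values)) {
        $return = array(); // initialise so an empty array returns array(), not null
        foreach ($values as $key => $value) {
            $newkey = strtolower($key);
            $return[$newkey] = $this->clean($value);
            unset($values[$key]);
        }
        return $return;
    }
    return htmlentities($values);
}
```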

I keep getting \' for all of my single quotes when I put the value back into the textarea.

I can't find anywhere where it would be adding slashes and I don't remember it being a feature that they were automatically added when you submit from a textarea, and if that was so, why would they not be returning back to a single quote when put back into the textarea? Do I really need to run variables through stripslashes() to get them back to their original form?

Edit: My 'test.php' file is as follows:

```php
<h1>To Be Encoded:</h1>
<form action="/test" method="post">
<textarea name="encode" rows="20" cols="50"><?= html_entity_decode($ani->i->post['encode']) ?></textarea>
<input type="submit" name="submit" value="Encode It!" />
</form>
<h1>Encoded By JSON:</h1>
<textarea name="encoded" rows="20" cols="50"><?= json_encode(html_entity_decode($ani->i->post['encode'])) ?></textarea>
<?php

die();

?>
```

P.S. The die() is just there for compatibility with my framework.

+2  A: 

I suppose Magic Quotes are turned on.
Turn them off ASAP! :)

deceze
I have them off...

```
root@server [/etc]# grep "magic_quotes" php.ini
; - magic_quotes_gpc = Off [Performance]
magic_quotes_gpc = Off
magic_quotes_runtime = Off
magic_quotes_sybase = Off
```
animuson
Indeed. Go ahead and ensure `register_globals` is off as well.
webbiedave
Yes those are off as well.
animuson
@animuson Better try `get_magic_quotes_gpc()` at run time.
deceze
Sometimes systems will have more than one php.ini (for instance, one for CLI and one for Apache). The best way to check if it's set is to create a script that calls `phpinfo();` then search the output in your browser for `magic_quotes_gpc`. The outputted info will also show which php.ini is loaded by the web server (something similar to `Configuration File (php.ini) Path` and `Loaded Configuration File` and `Scan this dir for additional .ini files`). You can also check via run-time with `get_magic_quotes_gpc()` and `get_magic_quotes_runtime()`.
webbiedave
@webbiedave: Thanks! I found another ini file at `/usr/local/lib/php.ini` which seems to be the one that's actually being loaded and not `/etc/php.ini`, which had 'magic_quotes_gpc = On'. Everything works great now, wish I had known that was on...
animuson
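
The checks discussed in the comments above, as an added example that is not code from the question or the answers: report which php.ini the web server's PHP actually loaded, test magic quotes at run time, undo the slashes once, and escape only when writing into the textarea. All `demo_` names and the sample input are constructed for illustration.

```php
<?php
// Added example. Function names prefixed demo_ are hypothetical helpers.

// Report the configuration the *running* SAPI loaded (may differ from /etc/php.ini).
function demo_config_report() {
    return array(
        'sapi'             => PHP_SAPI,
        'loaded_ini'       => php_ini_loaded_file(),    // false if no file was loaded
        'scanned_inis'     => php_ini_scanned_files(),  // false if no extra files
        // ini_get() returns false where the directive no longer exists (PHP 5.4+).
        'magic_quotes_gpc' => ini_get('magic_quotes_gpc'),
    );
}

// True only on old PHP builds where magic quotes exist and are switched on.
// The version test short-circuits so the deprecated function is never called later.
function demo_magic_quotes_active() {
    return PHP_VERSION_ID < 50400
        && function_exists('get_magic_quotes_gpc')
        && get_magic_quotes_gpc();
}

// Undo the added backslashes on a (possibly nested) request array.
function demo_strip_slashes_deep($value) {
    return is_array($value)
        ? array_map('demo_strip_slashes_deep', $value)
        : stripslashes($value);
}

// Escape at output time, for the HTML context the value is written into.
function demo_textarea_value($raw) {
    return htmlspecialchars($raw, ENT_QUOTES, 'UTF-8');
}

// Constructed sample: the value of $_POST['encode'] as PHP would deliver it
// with magic_quotes_gpc = On after the user typed: It's a </textarea><b>test</b>
$post = array('encode' => 'It\\\'s a </textarea><b>test</b>');

print_r(demo_config_report());

// In a real request, strip only when demo_magic_quotes_active() is true;
// the sample is stripped unconditionally because it was built with slashes.
$raw = demo_strip_slashes_deep($post);

echo $raw['encode'], "\n";                       // original text, slashes removed
echo demo_textarea_value($raw['encode']), "\n";  // safe to place inside <textarea>
```

Run it through the web server rather than the CLI, since the two can load different php.ini files.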