ansaurus

Question

Answer 1

+7 A:

Looks like you have magic quotes turned on. Use below condition using stripslashes with whatever text you want to process:

if(get_magic_quotes_gpc())
{
   $your_text = stripslashes($your_text);
}

Now you can process $your_text variable normally.

Update:

Magic quotes turned on on a server is not a good idea at all, you should disable it, there is no harm, in fact this is the ideal setting in security-aware servers.

Sarfraz 2010-06-09 13:50:49

check my update

Camran 2010-06-09 13:55:22

@Camran: See my updated answer please.

Sarfraz 2010-06-09 14:02:31

Answer 2

+2 A:

You likely have magic quotes turned on. You need to stripslashes() it as well.

Nicest way would be to wrap this in a function:

function get_string($array, $index, $default = null) {
    if (isset($array[$index]) && strlen($value = trim($array[$index])) > 0) {
        return get_magic_quotes_gpc() ? stripslashes($value) : $value;
    } else {
        return $default;
    }
}

Which you can use as

$annonsera_headline = get_string($_POST, 'annonsera_headline');

By the way:

And if I don't even use htmlentities then everything after the quotes dissappears.

It's actually still there in the HTML source, you only don't see it. Do a View Source ;)

Update as per your update: the magic quotes is there to prevent SQL injection attacks in code of beginners. You see this often in 3rd party hosts. If you really know what you're doing in the code, then you can safely turn it off. But if you want to make your code distributable, then you'll really take this into account when gathering request parameters. For this the above function example is perfectly suitable (you only need to write simliar get_boolean(), get_number(), get_array() functions yourself).

BalusC 2010-06-09 13:50:50

check my update please

Camran 2010-06-09 13:56:41

Answer 3

+1 A:

This is actually a function of PHP trying to be security conscious, luckily there is an easy fix for it that looks something like this:

if (get_magic_quotes_gpc())
    $var = stripslashes($var);

There isn't a huge problem in having it enabled, it comes down to personal preference. If you code will be moving servers much and you can't disable it through your php.ini file, it's best to use something as described above.

If you have access to your php.ini file and you want to change it, because you don't want to have to validate it each time you can add the following line to php.ini

magic_quotes_gpc = Off

Or the following to your .htaccess:

php_flag magic_quotes_gpc Off

Hope this helps clear things up.

Sam152 2010-06-09 13:51:01

check my update pls

Camran 2010-06-09 13:56:21

Okay, I have updated my answer accordingly.

Sam152 2010-06-09 14:01:59

Answer 4

+1 A:

Looks like your server is setup to use Magic Quotes.

You can fix it by stripping them with stripslashes, or better, by turning off Magic Quotes.

Dominic Rodger 2010-06-09 13:52:21

check my update pls

Camran 2010-06-09 13:55:49

Per my second sentence- turn off Magic Quotes! They're evil.

Dominic Rodger 2010-06-09 14:14:31

not that evil. just litter your data about

Col. Shrapnel 2010-06-09 15:24:31

Answer 5

A:

you shouldn't use htmlentities() when writing something to an input field value.
is magic_quotes enabled on your server? try out stripslashes before the output.

oezi 2010-06-09 13:53:05

what should I use instead of htmlentities then?

Camran 2010-06-09 13:53:25

you should always use htmlentities if the content might come from userinput (as `$_POST['annonsera_headline']` obviously does), even if it passed through a database. If you don't then you get a cross-site scripting (XSS) vulnerability as people might find a way to inject javascript or their own HTML into the page, possibly even redirecting the form input (which is especially evil for logins).

dbemerlin 2010-06-09 13:57:07

@oezi what's wrong with htmlentities()?

Col. Shrapnel 2010-06-09 14:06:43

oezi 2010-06-09 14:09:19

@Camran for text field data I use `function dequote($instr) { return str_replace("'", ''', str_replace('"', '"', $instr)); }`

Rob 2010-06-09 14:18:08

nope, I will not.

Col. Shrapnel 2010-06-09 14:18:59

`$var='Bill "buffalo" Tuckson'; <input type="<?php echo $var?>">`. What will you see in the field?

Col. Shrapnel 2010-06-09 14:22:27

@Rob don't be silly, use `htmlspecialchars()`

Col. Shrapnel 2010-06-09 14:23:07

Answer 6

+1 A:

Yes, you should disable magic quotes if you can. The feature is deprecated, and will likely go away completely in the future. If you've relied on magic quotes for escaping data (for instance when inserting it into a database) you will may be opening yourself up to sql injection vulnerabilities if you disable it. You should check all your queries and make sure you're using mysql_real_escape_string().

I include the following file to undo magic quotes in apps that are deployed to servers not under my control.

<?php
set_magic_quotes_runtime(0);

function _remove_magic_quotes(&$input) {
    if(is_array($input)) {
        foreach(array_keys($input) as $key) _remove_magic_quotes($input[$key]);
    }
    else $input = stripslashes($input);
}
if(get_magic_quotes_gpc()) {
    _remove_magic_quotes($_REQUEST);
    _remove_magic_quotes($_GET);
    _remove_magic_quotes($_POST);
    _remove_magic_quotes($_COOKIE);
}

return true;
?>

Rob 2010-06-09 14:15:36

ansaurus

tags:

views:

answers:

"slash before every quote" problem

related questions