Hi. I'll try to explain my problem with my non-perfect English :)

When I try to send a string (client side) to the server, I see that the HTML form adds the "\" char as an escape before some chars (for example before ", ' and \ itself).

But this is a problem: if I save it in MySQL, I first filter the string using mysql_real_escape_string(), and it treats the escape char added by HTML as a "char added by the user". But that's not true.

The same happens when, after I have checked the value on the server side and ignored it for some reason, I put it back into the fields. I need to escape the chars again (I do it with the addslashes() PHP function), because if I have $var equal to hello "world" how are you, in the input field (as I wrote above) it fails.

So, how can I fix this problem? I think there's a solution :)

Part 2

Now, with magic_quotes I've resolved this problem. Now, if the parameter fails when I check it, I save it in a var and put it into the right field. The problem is this:

<script type="text/javascript">
    $(document).ready(function() {
        $("#input1").val("<?= addslashes($name) ?>");
    });
</script>       

<input class="inputReg" maxlength="20" name="name" id="input1" />

This code works!!! I put the value in (through jQuery). If I write this:

<input class="inputReg" maxlength="20" name="name" value="<?=addslashes($name)?>" id="input1" />

it doesn't work. In fact, if I write (for example) the string "hello 'my' name is marco", it adds the char \ in front each time, 1-2-4-8 of them. Why is this? It doesn't work. Any idea? Cheers

+5  A: 

Sounds like magic quotes. Make sure this is disabled in your php.ini file:

magic_quotes_gpc = Off
JW
Also, if for any reason you cannot turn off magic_quotes due to your hosting config, run all your user input through the strip_slashes function.
Goblyn27
I hope it will turn off... otherwise I need to change something like 50-60 PHP files... :)
markzzz
@markzzz don't you have a single config file which is included into these 50-60?
Col. Shrapnel
You can also disable it in htaccess: php_flag magic_quotes_gpc Off
JW
Col. Shrapnel: I don't understand what you mean. Anyway, I contacted my hosting, and yes, I can change those parameters :) nice one
markzzz
OK. Edited. It works perfectly :) Now I have some trouble. I've edited the topic. Look at the end, Part 2 :)
markzzz
@markzzz do you have a configuration file for your application? A file which is included into other PHP scripts?
Col. Shrapnel
Uhm... not really. For each page I check my variables, I escape them and I work with the DB. Or maybe I misunderstood what you mean by configuration file :)
markzzz
@markzzz where do you keep the database login and password? In a single file, or is it written in every file?
Col. Shrapnel
When I do the login I check the values. If they are correct, I save a parameter in the session. After that, I have a sort of "filter" that checks (for the protected pages) whether the session parameter is set.
markzzz
@markzzz a **database** login and password. But okay. It seems all in vain. It seems it's just impossible to explain anything to you. Never mind.
Col. Shrapnel
I don't keep the login and password in PHP. They are saved in the database. I just keep a session parameter where I save the nickname of that user. Thanks for your time. I'm sorry.
markzzz
A: 
mysql_real_escape_string(stripslashes($string))

will (temporarily) fix your problem. Turning off magic_quotes though would be the best option.

Thomas Clayson
All temporary solutions tend to be forever ones.
Col. Shrapnel
what? :p was just trying to help.
Thomas Clayson
A: 

You can use this code snippet if you ain't allowed to edit php.ini:

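# Disable magic quotes if enabled in the server settings.
# get_magic_quotes_gpc() was removed in PHP 8, so check that it exists first.
if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {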
   function stripslashes_deep($value) {
      $value = is_array($value) ?
         array_map('stripslashes_deep', $value) :
         stripslashes($value);

      return $value;
   }

   $_POST = array_map('stripslashes_deep', $_POST);
   $_GET = array_map('stripslashes_deep', $_GET);
   $_COOKIE = array_map('stripslashes_deep', $_COOKIE);
   $_REQUEST = array_map('stripslashes_deep', $_REQUEST);
} 
Marwelln
Thanks, but I can edit the php.ini file on my hosting :)
markzzz
Not only for you, markzzz, but for those who Google this question as well.
Marwelln
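
An added example, not part of the question or of any answer above: it models the Part 2 form round trip on current PHP with magic_quotes_gpc off, showing why addslashes() output piles up backslashes in value="..." and how escaping for each output context (htmlspecialchars() for the attribute, json_encode() for the script block) keeps the value stable. The function names and the sample string are constructed for illustration, and the browser's side of the exchange is modelled in PHP.

```php
<?php
// Added example: simulates the form round trip from Part 2.
// The "browser" steps are modelled in PHP so the script runs offline.

// Broken: addslashes() output is written into value="...". HTML attributes do
// not treat "\" as an escape, so the browser submits the backslashes back and
// the next render escapes them again. (A '"' in the value would also end the
// attribute early; the sample below uses only single quotes.)
function broken_round_trips($typed, $rounds) {
    $counts = array();
    $field = $typed;
    for ($i = 0; $i < $rounds; $i++) {
        $received = $field;               // magic_quotes_gpc is Off
        $field = addslashes($received);   // rendered, then resubmitted as is
        $counts[] = substr_count($field, '\\');
    }
    return $counts;                       // backslash count after each round
}

// Fixed: escape for the HTML attribute context. The browser decodes the
// entities when it parses the page (modelled with html_entity_decode), so the
// submitted value equals what the user typed.
function fixed_round_trips($typed, $rounds) {
    $field = $typed;
    for ($i = 0; $i < $rounds; $i++) {
        $attr = htmlspecialchars($field, ENT_QUOTES, 'UTF-8');
        $field = html_entity_decode($attr, ENT_QUOTES, 'UTF-8');
    }
    return $field;
}

// For the jQuery variant the value sits in a JavaScript string inside a
// <script> block: json_encode() emits a complete, quoted JS literal, and the
// HEX flags keep <, >, &, ' and " out of the markup.
function js_literal($value) {
    return json_encode($value, JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT);
}

$name = "hello 'my' name is marco";   // constructed sample input

print_r(broken_round_trips($name, 3));             // grows every round
var_dump(fixed_round_trips($name, 3) === $name);   // value survives unchanged
echo '<input name="name" value="' . htmlspecialchars($name, ENT_QUOTES, 'UTF-8') . '" />', "\n";
echo '$("#input1").val(' . js_literal($name) . ');', "\n";
```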