So basically when I type something with an apostrophe, such as John's bike, it will echo John\'s bike. The code is below:

    <?php
    $searchname = $_POST["name"];
    echo "$searchname";

My form uses the POST method. Is there any way to stop this?

Also, how would I go about making the input case insensitive in this segment?

    $searchsport = $_POST['sport'];
    $sportarray = array(
        "Football" => "Fb01",
        "Cricket" => "ck32",
        "Tennis" => "Tn43",
    );
    if(isset($sportarray[$searchsport])){
        header("Location: ".$sportarray[$searchsport].".html");
        die;
    }
    //what code is needed to make the if statement work? I've looked up some weird ways such as using array_change_key_case (which I clearly don't understand).

+5  A: 

This is most likely because you have magic quotes turned on, try this:

    if (get_magic_quotes_gpc())
    {
      $searchname = stripslashes($_POST["name"]);
      echo "$searchname";
    }
    else
    {
      $searchname = $_POST["name"];
      echo "$searchname";
    }

In fact, you could create a function instead to do it automatically for you:

    function fixIt($str)
    {
        if (is_array($str))
        {
            foreach ($str as &$value)
            {
                $value = fixIt($value);
            }

            return $str;
        }
        else
        {
            return stripslashes($str);
        }
    }

And then you can simply do:

    $searchname = fixIt($_POST["name"]);
    echo $searchname;

Note: You can also disable the ugly magic quotes from php.ini, as they are problematic, rightly deprecated, and removed from future versions of PHP.

Sarfraz
You're my hero. Thanks!
Haskella
@Haskella: You are welcome :)
Sarfraz
Beware, you will not be able to ever use an array in a form with this method.
ircmaxell
@ircmaxell: That is rightly pointed out; I did not pay attention to arrays. Thanks
Sarfraz
+1 for cleaner code :)
Web Logic
Cool, do you know if there is something like the stripslashes function but makes my input case insensitive? I'm sure it's possible.
Haskella
@Haskella: Could you be more specific, what do you want?
Sarfraz
Hrm, do you remember my sports search bar? The code only made things accept exact spelling (i.e. case sensitive), is there a php method employed to make it insensitive? Hope I'm making sense :S
Haskella
@Haskella: There are case-insensitive functions such as `str_ireplace`, `eregi`, and more. It just depends on what you want to do and which function you have to use.
Sarfraz
I did a little googling and eregi seems to be the one, but unfortunately it has been deprecated...
Haskella
@Haskella: If you want to **replace**, you can use `str_ireplace`, or `preg_replace` for a regular expression replace with the `/i` modifier for case insensitivity.
Sarfraz
Sarfraz, I've edited my first post, check it out :D
Haskella
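
For the case-insensitive sport lookup asked about in the question and in the comments above, here is an added example (not part of the original posts). The helper name `resolveSportPage()` and the sample inputs are assumptions; the redirect target is only ever taken from the fixed map, never from the submitted text.

```php
<?php
// Added example: case-insensitive lookup against the question's sport map.
// resolveSportPage() is a hypothetical helper name, not from the original post.

$sportarray = array(
    "Football" => "Fb01",
    "Cricket"  => "ck32",
    "Tennis"   => "Tn43",
);

/**
 * Return the page for a user-supplied sport name, or null if it is unknown.
 * Only values stored in the map can be returned, so the Location header
 * is never built from raw user input.
 */
function resolveSportPage($input, array $map)
{
    if (!is_string($input)) {
        return null; // e.g. sport[]=x arrives as an array, not a string
    }
    // Lower-case the map keys, then normalize the input the same way.
    $lookup = array_change_key_case($map, CASE_LOWER);
    $key = strtolower(trim($input));

    return isset($lookup[$key]) ? $lookup[$key] . ".html" : null;
}

// Constructed sample inputs standing in for $_POST['sport'].
$samples = array("football", "CRICKET", " Tennis ", "Golf", "../admin", array("x"));
foreach ($samples as $sample) {
    $page = resolveSportPage($sample, $sportarray);
    echo var_export($sample, true), " => ", var_export($page, true), "\n";
}

// In the form handler the same function replaces the isset() check:
// $page = resolveSportPage(isset($_POST['sport']) ? $_POST['sport'] : null, $sportarray);
// if ($page !== null) { header("Location: " . $page); die; }
```
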
+2  A: 

This is controlled by the magic_quotes_gpc configuration variable. It really is annoying (and deprecated!).

You should turn it off in php.ini, or ask your web host if they can do something about it.

If they can't, you can use addslashes and stripslashes to manually escape/un-escape. Beware, though - you should use something more secure than addslashes for submitting to a database. mysql_real_escape_string is a better option, or the function specific to your database:

Lucas Jones
Yeah, my web host is a pain, I guess stripslashes will work fine :D
Haskella
I know what you mean. :) OK. A lot of hosts keep it on for compatibility, annoyingly.
Lucas Jones
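
The point above about not relying on addslashes for database input, as an added example that is not part of the original answer. It uses a PDO prepared statement, which is a different technique from the `mysql_real_escape_string` call the answer names, and assumes the pdo_sqlite extension; the table name, column name and `$magicQuotesOn` flag are made up for the demonstration.

```php
<?php
// Added example: undo magic quotes once at the input boundary, then let the
// database driver and the output encoder do their own escaping.

// Constructed input: what $_POST['name'] holds when magic_quotes_gpc is on.
$raw = addslashes("John's bike");   // contains a backslash before the apostrophe

// Constructed flag standing in for get_magic_quotes_gpc().
$magicQuotesOn = true;
$name = $magicQuotesOn ? stripslashes($raw) : $raw;

// In-memory SQLite database (assumption: pdo_sqlite is installed).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE searches (label TEXT, name TEXT)');

// Bound parameters keep the data separate from the SQL text, so the
// apostrophe needs no manual escaping and cannot end the string literal.
$stmt = $db->prepare('INSERT INTO searches (label, name) VALUES (:label, :name)');
$stmt->execute(array(':label' => 'stripped',  ':name' => $name));
// For comparison: the value as magic quotes delivered it. The backslash is
// stored as data and will show up everywhere the row is displayed.
$stmt->execute(array(':label' => 'unstripped', ':name' => $raw));

// Escape for HTML only when the value is written into a page.
foreach ($db->query('SELECT label, name FROM searches') as $row) {
    echo $row['label'], ': ',
         htmlspecialchars($row['name'], ENT_QUOTES, 'UTF-8'), "\n";
}
```
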
+4  A: 

There are a few ways.

  1. Turn off magic_quotes_gpc in php.ini

    magic_quotes_gpc = 0
    
  2. In the beginning of the request, run stripslashes

    if (get_magic_quotes_gpc() && !function_exists('FixMagicQuotesGpc')) {
        function FixMagicQuotesGpc($data) {
            if (is_array($data)) {
                foreach ($data as &$value) {
                    $value = FixMagicQuotesGpc($value);
                }
                return $data;
            } else {
                return stripslashes($data);
            }
        }
        $_GET = FixMagicQuotesGpc($_GET);
        $_POST = FixMagicQuotesGpc($_POST);
        $_REQUEST = FixMagicQuotesGpc($_REQUEST);
    }
    

EDIT: Added the !function_exists part. This way, you don't need to worry if you ran it before, it'll just skip it if it's already been run (by another file, etc)

ircmaxell
That's a neat way of doing it, actually! :)
Lucas Jones
I haven't learnt enough php or programming, rather to understand functions fully =/ but I appreciate your effort in coming back to edit it, thanks (too bad I can't give out two answers) :D I hope someone will find this code helpful!
Haskella
A: 

I include the following script within my config file to fix magic quotes if necessary. That way I don't have to worry about the magic quotes settings of the host.

    <?php

    set_magic_quotes_runtime(0);

    function _remove_magic_quotes(&$input) {
        if(is_array($input)) {
            foreach(array_keys($input) as $key) _remove_magic_quotes($input[$key]);
        }
        else $input = stripslashes($input);
    }
    if(get_magic_quotes_gpc()) {
        _remove_magic_quotes($_REQUEST);
        _remove_magic_quotes($_GET);
        _remove_magic_quotes($_POST);
        _remove_magic_quotes($_COOKIE);
    }

    return true;

    ?>

Rob
A: 

Magic Quotes... I'll be so happy when PHP 6 finally arrives and removes this monster of incompatibility.

The best solution is to turn it off in php.ini by setting

    magic_quotes_gpc = Off

If you don't have access to php.ini but are using Apache, you can also disable it in an .htaccess file:

    php_flag magic_quotes_gpc Off

The last-ditch scenario is to disable it in your application. The PHP Manual's Disabling Magic Quotes page suggests using this:

    <?php
    if (get_magic_quotes_gpc()) {
        $process = array(&$_GET, &$_POST, &$_COOKIE, &$_REQUEST);
        while (list($key, $val) = each($process)) {
            foreach ($val as $k => $v) {
                unset($process[$key][$k]);
                if (is_array($v)) {
                    $process[$key][stripslashes($k)] = $v;
                    $process[] = &$process[$key][stripslashes($k)];
                } else {
                    $process[$key][stripslashes($k)] = stripslashes($v);
                }
            }
        }
        unset($process);
    }
    ?>

R. Bemrose