Menu
If I have a form with a value of just "" and I submit it and echo it with PHP, I get \"\"
How can I get around this?
536
This is because magic_quotes_gpc is on. This is a bad 'feature', designed to automatically escape incoming data for those developers who can't learn to escape SQL input.
You should disable this as soon as possible.
ini_set('magic_quotes_gpc', 'off');
You should switch off magic_quotes_gpc, which is a broken feature (see Delan's answer, I completely agree).
But wait! You must sanitize the user input from $_REQUEST, $_POST and $_GET and $_COOKIE, if you want to use it for database or display at your page! Otherwise your code would be prone to various types of attacks!
There is nothing like "universal sanitization". Let's call it just quoting, because that's what its all about.
When quoting, you always quote text for some particular output, like:
like expression for mysql queryFor each case, you need different quoting, because each usage is present within different syntax context. This also implies that the quoting shouldn't be made at the input into PHP, but at the particular output! Which is the reason why features like magic_quotes_gpc are broken (always assure it is switched off!!!).
So, what methods would one use for quoting in these particular cases? (Feel free to correct me, there might be more modern methods, but these are working for me)
mysql_real_escape_string($str)mysql_real_escape_string(addcslashes($str, "%_"))htmlspecialchars($str)json_encode() - only for utf8! I use my function for iso-8859-2mysql_real_escape_string(addcslashes($str, '^.[]$()|*+?{}')) - you cannot use preg_quote in this case because backslash would be escaped two times!preg_quote()
28
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With
