I have $_POST variables incoming in from tags that have slashes on quotes. I know that magic quotes are off, and use the if (get_magic_quotes_gpc()) statement to stripslashes in case they are. However, slashes are still getting added. Why is that?
Form
<form method="POST" action="">
<input type="text" name="spe_set" />
<input type="submit" value="Submit" />
</form>
PHP
print_r($_POST['spe_set']); // if I wrote "Test's", this prints as "Test\'s"
So, I did,
if ( get_magic_quotes_gpc() )
$tempvar = stripslashes($_POST['spe_set']);
else
$tempvar = $_POST['spe_set'];
print_r($tempvar); // Still says "Test\'s"
Go to the MAMP folder >> bin >> php >> php5. 3.26 >> conf >> edit php. ini >> add "magic_quotes_gpc = Off" a few lines above "magic_quotes_sybase = Off". Restart MAMP's servers.
Magic quotes was a feature of the PHP scripting language, wherein strings are automatically escaped—special characters are prefixed with a backslash—before being passed on. It was introduced to help newcomers write functioning SQL commands without requiring manual escaping.
I can't find any reference online to get_magic_quotes_gpc()
returning a faulty result anywhere online, so I'll instead give you a checklist to try to narrow down the issue (this should probably be a comment, but it's way too long for that):
The first thing I would do is try to edit the php.ini
file to ensure magic_quotes_gpc really is set to be off. The best place to try this is to create/edit a php.ini
file in the same directory as the script that's having issues, as that's the last place you can override an INI setting before getting to the script (and global_quotes_gpc can't be overridden lower than that since by the time the script runs the damage has already been done).
In your php.ini
file, add the following lines:
magic_quotes_gpc = Off
magic_quotes_runtime = Off
magic_quotes_sybase = Off
Only the first of those will affect POST variables ("gpc" stands for "Get, Post, and Cookies"), but it's good to set them all since they all suck.
After setting these lines, you can be sure that magic quotes really is off. If this fixes the issue, then you need to walk up the directory structure looking for where it got turned on in the first place. This could be in a higher-directory php.ini
file, an .htaccess
file, or even your http.conf
file. You may want to get your host involved if you're not sure what you're doing here.
If the problem persists, then you should check for any calls to the addslashes()
function in your script. This is easy if you're on linux as you can run the command grep -ir "addslashes" *
from the root directory for your project. If you're running on Windows, you should look into Cygwin, unxutils, or another unix-layer. I absolutely love unxutils, and it's one of the first things I install on a Windows setup or at a new job.
While I don't see why any framework would have something like this built in, I suppose it's possible that some idiot might try it. For that reason, you should probably make sure you grep
over your framework files as well. Be sure to check any php.ini
files provided with the framework, although that should be covered in what I already described above.
Finally, you should make sure to set error_reporting
to E_ALL | E_STRICT
. This can be done from the php.ini
file, or using the error_reporting()
function. Make sure this is set before any other PHP runs. You should always develop with the highest error reporting setting so that you can see every error, no matter how small, before it gets in front of a user. To make sure you can see these errors, also make sure that display errors is enabled as well.
Although the code sample you've pasted into your question is valid, I mentioned error_reporting just in case it's not a direct copy/paste from your code, or on the off chance there's some other code that's causing an error. By setting the error reporting, you can see any errors that could be blocking the correct functioning of get_magic_quotes_gpc()
or stripslashes()
. If you can fix those errors, the rest of your code will work as intended.
Good luck.
sometimes you are on a stupid old system like an old xtcommerce. there is a file /admin/includes/functions/compatibility.php with a function that does "the magic" by self:
if (!get_magic_quotes_gpc()) {
do_magic_quotes_gpc($_GET);
do_magic_quotes_gpc($_POST);
do_magic_quotes_gpc($_COOKIE);
}
..you should stop this by editing the condition or remove it.
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With