Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

PHP 5.3 automatically escapes $_GET/$_POST from form strings?

Tags:

forms

php

escaping

magic-quotes

My server admin recently upgraded to PHP 5.3 and I'm getting a weird "bug" (or feature, as the PHP folks have it). I had mysql_real_escape_string around most of my string form data for obvious safety reasons, but now it seems this escaping is already done by PHP.

<?php

echo $_GET["escaped"];

?>

<form method="get">
    <input type="text" name="escaped" />
</form>

This outputs, if I enter for instance escape 'this test', escape \'this test\'. Same goes if I use POST instead of GET.

Is it directly tied to the 5.3 upgrade or could my admin have triggered some automatic switch in the php.ini file?

Also, should I just leave it as is (in the event that it is indeed a good fail proof mechanism that correctly catches all get and post variables), or should I disable it (if that's even possible!) and go back to mysql_real_escape_string? My guts tell me approach 2 would be best, but approach 1 would be somewhat automagical. :)

EDIT: Actually, I need to disable it. Sometimes I gather the form data and resend it to the client form in case something was wrong (i.e. missing field), so I don't want him/her to have slashes appearing out of nowhere.

like image 359
Lazlo Avatar asked Jul 10 '11 18:07

Lazlo

2 Answers

This "feature" is known as magic_quotes_gpc and does not protect you from all SQL injection attacks (addslashes is called on every element of the input superglobals such as $_POST and $_GET. This ignores the actual input/database encoding). It is therefore deprecated and should not be used.

The official php manual includes a neat way to undo it in php code, but you should just turn it off.

like image 169
phihag Avatar answered Oct 21 '22 23:10

phihag

This is due to magic quotes, you should turn it off.

And here is how you turn it off: http://www.php.net/manual/en/security.magicquotes.disabling.php

You do it either via php.ini or by removing slashes from all variables in $_GET and $_POST, obviously the former is the recommended way to go.

As Will Martin suggests you can also change it via a .htaccess like this:

php_flag magic_quotes_gpc off

More info here: http://php.net/manual/en/configuration.changes.php

like image 22
Nicklas A. Avatar answered Oct 21 '22 22:10

Nicklas A.
Sign in to Comment

Related questions

Joomla : how to get the url of a specific Menu itemID?
Magento login and register form one page
Pull elements from next foreach item in PHP?
passing sql query results from controller into view with code igniter
php run javascript code
Installing PHP OAuth in MAMP environment
PHP - indent block of html
Extract .zip files using PHP [closed]
Search if a string exists in another string
adding rel="nofollow" while saving data
Checking if my page is embedded in an iframe
assign output of execution of PHP script to a variable?
Doing a PHP in_array() but with a needle of one another array()
Are numeric and associative arrays in PHP two different things?
Are PHP cookies and 'JS' cookies the same?
Alternating between even and odd in a while loop in PHP
Declaring Session Max Life Time in htaccess
PHP Private Message (PM) System
PHP - Is it good practice to cache MYSQL queries in a txt file?
What is the best way to fetch same data multiple times in a page?

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!