Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

PHP Escaping query string variables

Tags:

php

query-string

escaping

request

I have created a form in my web application which has only a single text field and that field is posted to a PHP page using GET, but I am observing strange behavior. i.e. when I test it on my local server, the text is received as it was written in the text field, but when I upload it to my online server, the received string is escaped automatically means, all single quotes and double quotes are escaped. e.g. If I write It's not true... then on php side I will get

$comment = $_REQUEST["comm"];
print $comment;
//will print It\'s not true... on my online server
//will print It's not true... on my local server

I am yet unable to under stand why is it so? Is there any PHP setting for escaping Query Strings variables automatically?

like image 361
Muhammad Ummar Avatar asked Dec 22 '22 15:12

Muhammad Ummar

2 Answers

You have "magic quotes" enabled. They're a terrible misfeature which are luckily being removed in the next version of PHP. The PHP manual has a guide to disabling them.

In short, you need to set the following configuration items to Off in your php.ini file:

  • magic_quotes_gpc
  • magic_quotes_runtime
  • magic_quotes_sybase

Specifically, your problem appears to be with magic_quotes_gpc - the "gpc" portion being short for "GET, POST, and COOKIE" - but it's good practice to keep all of them disabled.

like image 52
AgentConundrum Avatar answered Dec 31 '22 12:12

AgentConundrum

Code will tell you every thing what you need..

function mysql_prep($value) {
$magic_quotes_active = get_magic_quotes_gpc();
$new_enough_php = function_exists("mysql_real_escape_string"); // i.e. PHP >= v4.3.0
if ($new_enough_php) { // PHP v4.3.0 or higher
    // undo any magic quote effects so mysql_real_escape_string can do the work
    if ($magic_quotes_active) {
        $value = stripslashes($value);
    }
    $value = mysql_real_escape_string($value);
} else { // before PHP v4.3.0
    // if magic quotes aren't already on then add slashes manually
    if (!$magic_quotes_active) {
        $value = addslashes($value);
    }
    // if magic quotes are active, then the slashes already exist
}
return $value;
}

create above function and pass-on values to this function

and then call the values like

$yourVar = mysql_prep($_POST['yourControlName']);

I hope you may get every thing explained via comments...

like image 26
Shabir Gilkar Avatar answered Dec 31 '22 12:12

Shabir Gilkar
Sign in to Comment

Related questions

Prevent remote script using PHP CURL from logging into website
How to perform text concatenation in object variables in PHP?
Zend Translate Zend Form!
Ordered array to associative array, odd values as keys
Convert mixed fraction string to float in PHP
Symfony/Doctrine: fetching data as object
Making a private call in a extended class?
PHP Includes Confusion
Call to undefined function imagerotate()
find max() of specific multidimensional array value in php
How do I encode an array to JSON without json_encode()?
CodeIgniter 2: not loading MY_Loader class
zend form validation
Varnish Cache not Caching PHP with Sessions Unless backend TTL altered
reqular exp to get last number from string
How do you register Zend Framework plugins in application.ini?
Function to check if string length in greater than or less than required amount
Access to the $data variable from buttons in cgridview
PHP Check If require_once() Content Is Empty
Implode all the properties of a given name in an array of object - PHP [duplicate]

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!