PHP Escaping query string variables

I have created a form in my web application which has only a single text field, and that field is posted to a PHP page using GET, but I am observing strange behavior: when I test it on my local server, the text is received exactly as it was written in the text field, but when I upload it to my online server, the received string is escaped automatically, meaning all single quotes and double quotes are escaped. E.g. if I write It's not true... then on the PHP side I will get

$comment = $_REQUEST["comm"];
print $comment;
//will print It\'s not true... on my online server
//will print It's not true... on my local server

I am still unable to understand why this is so. Is there any PHP setting for escaping query string variables automatically?

Muhammad Ummar asked Dec 22 '22 15:12

2 Answers

You have "magic quotes" enabled. They're a terrible misfeature which are luckily being removed in the next version of PHP. The PHP manual has a guide to disabling them.

In short, you need to set the following configuration items to Off in your php.ini file:

  • magic_quotes_gpc
  • magic_quotes_runtime
  • magic_quotes_sybase

Specifically, your problem appears to be with magic_quotes_gpc - the "gpc" portion being short for "GET, POST, and COOKIE" - but it's good practice to keep all of them disabled.

AgentConundrum answered Dec 31 '22 12:12

The code will tell you everything you need..

// Note: mysql_real_escape_string() needs an open mysql_connect() link, and the
// whole mysql_* extension was removed in PHP 7; get_magic_quotes_gpc() was
// removed in PHP 8. This function targets the PHP 4/5 era of the question.
function mysql_prep($value) {
    $magic_quotes_active = get_magic_quotes_gpc();
    $new_enough_php = function_exists("mysql_real_escape_string"); // i.e. PHP >= v4.3.0
    if ($new_enough_php) { // PHP v4.3.0 or higher
        // undo any magic quote effects so mysql_real_escape_string can do the work
        if ($magic_quotes_active) {
            $value = stripslashes($value);
        }
        // escape for the current connection's character set (requires an open link)
        $value = mysql_real_escape_string($value);
    } else { // before PHP v4.3.0
        // if magic quotes aren't already on then add slashes manually
        if (!$magic_quotes_active) {
            $value = addslashes($value);
        }
        // if magic quotes are active, then the slashes already exist
    }
    return $value;
}

Create the above function and pass your values to it,

and then call it like this:

$yourVar = mysql_prep($_POST['yourControlName']);

I hope everything is explained by the comments...

Shabir Gilkar answered Dec 31 '22 12:12
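A way to make the received text identical on both servers whatever the magic_quotes_gpc setting, and to store it without hand-escaping at all, added here as an example that is not part of the question or either answer. It assumes a PDO MySQL connection; the database name, credentials, table and column are placeholders.

```php
<?php
// Added example, not code from the question or the answers above. Two parts:
// 1. If magic_quotes_gpc cannot be switched off in php.ini (shared hosting),
//    undo its effect once at request start, so $_GET/$_POST/$_COOKIE hold the
//    raw text the user typed. get_magic_quotes_gpc() always returns false on
//    PHP >= 5.4 and was removed in PHP 8, hence the function_exists() guard.
// 2. Hand the raw value to the database through a prepared statement instead
//    of escaping it by hand, so quote handling never depends on php.ini.

/**
 * Recursively strip the backslashes magic quotes added to a request value.
 * Arrays are handled because form fields such as comm[] arrive as arrays.
 */
function undo_magic_quotes($value)
{
    if (is_array($value)) {
        return array_map('undo_magic_quotes', $value);
    }
    return is_string($value) ? stripslashes($value) : $value;
}

if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
    $_GET     = undo_magic_quotes($_GET);
    $_POST    = undo_magic_quotes($_POST);
    $_COOKIE  = undo_magic_quotes($_COOKIE);
    $_REQUEST = undo_magic_quotes($_REQUEST);
}

// Constructed sample input: what the user typed in the question's form.
$comment = isset($_REQUEST['comm']) ? $_REQUEST['comm'] : "It's not true...";

// Store it with a bound parameter: the driver quotes the value, so a quote or
// backslash inside $comment cannot alter the SQL. Connection values are
// placeholders (DB_NAME, DB_USER, DB_PASS).
$pdo = new PDO('mysql:host=localhost;dbname=DB_NAME;charset=utf8mb4', 'DB_USER', 'DB_PASS', [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false, // use native server-side prepares
]);
$stmt = $pdo->prepare('INSERT INTO comments (body) VALUES (:body)');
$stmt->execute([':body' => $comment]);

// Escape only at the output boundary, for HTML, never for storage.
echo htmlspecialchars($comment, ENT_QUOTES, 'UTF-8');
```

With this in place the stored and displayed text is "It's not true..." on both the local and the online server, and the value of magic_quotes_gpc no longer matters.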