When my PHP script receives data from an AJAX POST request, the $_POST variables are escaped. The really strange thing is that this only happens on my production server (running PHP 5.2.12 on Linux) and not on my local server (running PHP 5.3.1 on Windows).
Here is the AJAX code:
    var pageRequest = false;
    if(window.XMLHttpRequest) pageRequest = new XMLHttpRequest();
    else if(window.ActiveXObject) pageRequest = new ActiveXObject("Microsoft.XMLHTTP");
    pageRequest.onreadystatechange = function() { }
    var q_str = 'data=' + " ' ";
    pageRequest.open('POST','unnamed_page.php',true);
    pageRequest.setRequestHeader("Content-type", "application/x-www-form-urlencoded");
    pageRequest.setRequestHeader("Content-length", q_str.length);
    pageRequest.setRequestHeader("Connection", "close");
    pageRequest.send(q_str);
Is there any reason this is happening? And how should I fix this so that it works on both servers?
Edit: I have the following settings for magic_quotes:
                            Local   Master
    magic_quotes_gpc        On      On
    magic_quotes_runtime    Off     Off
    magic_quotes_sybase     Off     Off
Escaping is a technique that preserves data as it enters another context. PHP is frequently used as a bridge between disparate data sources, and when you send data to a remote source, it's your responsibility to prepare it properly so that it's not misinterpreted.
In practice they don't have to be escaped, except for one case: if the backslash is the last character. 'foo\\' works, but 'foo\' doesn't. I think the non-escaped backslashes should be considered as a syntactic sugar. For consistency you may want to always escape them, but it's up to you.
In PHP, an escape sequence starts with a backslash \ . Escape sequences apply to double-quoted strings. A single-quoted string only uses the escape sequences for a single quote or a backslash.
You probably have magic quotes enabled on the Linux server: magic_quotes
When magic_quotes are on, all ' (single-quote), " (double quote), \ (backslash) and NUL's are escaped with a backslash automatically.
They're a good thing to disable, as they are going to be removed from PHP 6 onwards anyway.
You should also be able to disable them inside your script: set-magic-quotes-runtime
You can't deactivate the part of magic_quotes responsible for escaping POST data during runtime. If you can, disable it in php.ini. If you can't do that, do a check whether the magic_quotes are enabled, and do a stripslashes() on any content you fetch from POST:
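    // Strip the added slashes only when magic_quotes_gpc is on; otherwise use the value as received
    $my_post_var = get_magic_quotes_gpc() ? stripslashes($_POST["my_post_var"]) : $_POST["my_post_var"];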
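The stripslashes() check above handles one field. As an added example (not part of the original answer), the same check can be applied once at the start of the request to every superglobal, including nested arrays and array keys. The function names and the sample array are constructed for illustration.

```php
<?php
// Added example, not from the original answer.

// True only where magic_quotes_gpc exists and is on. The function always
// returns false from PHP 5.4 and was removed in PHP 8, so guard the call.
function magic_quotes_active()
{
    return function_exists('get_magic_quotes_gpc') && @get_magic_quotes_gpc();
}

// Recursively undo the escaping. magic_quotes_gpc escapes array keys as
// well as values, and fields such as tags[]=a&tags[]=b arrive as arrays,
// where a plain stripslashes() call would fail.
function undo_magic_quotes($value)
{
    if (is_array($value)) {
        $clean = array();
        foreach ($value as $key => $item) {
            $clean[stripslashes($key)] = undo_magic_quotes($item);
        }
        return $clean;
    }
    return is_string($value) ? stripslashes($value) : $value;
}

// Call once, before any other code reads the request. Running it twice
// would strip backslashes the user really sent, hence the static flag.
function normalize_request_input()
{
    static $done = false;
    if ($done || !magic_quotes_active()) {
        return;
    }
    $_GET     = undo_magic_quotes($_GET);
    $_POST    = undo_magic_quotes($_POST);
    $_COOKIE  = undo_magic_quotes($_COOKIE);
    $_REQUEST = undo_magic_quotes($_REQUEST);
    $done = true;
}

normalize_request_input();

// Constructed sample: $_POST as the production server (magic_quotes_gpc On)
// would present it for the question's request body, plus a nested field.
$escaped = array('data' => " \\' ", 'tags' => array("O\\'Reilly", 'a\\\\b'));
var_export(undo_magic_quotes($escaped));
```

Once the input is back to what the client sent, escape it for the context it goes to next (bound parameters for SQL, htmlspecialchars() for HTML); magic quotes never did that job reliably for any of them.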
I don't think this applies in your case, but I was just having a similar problem. I was loading a WordPress install along with a site, so I could show recent posts on all pages. It turns out WordPress escapes all $_POST vars, no matter what magic_quotes are set to.
I mention it because it was frustrating to figure out, and googling for an answer brought me here.
Here's how I fixed it in my case:
    $temp_POST = $_POST;
    require '../www/wp_dir/wp-load.php'; // Loading WordPress
    $_POST = $temp_POST;