PHP Escaping String Query Variables

I created a form in my web application that has only one text field, and that field is sent to the PHP page using GET, but I am observing strange behavior. That is, when I test it on my local server, the text is received as it was written in the text box, but when I upload it to my online server, the resulting string is automatically escaped: all single quotes and double quotes are escaped. E.g. if I write It's not true... then on the PHP side I will get

    $comment = $_REQUEST["comm"];
    print $comment;
    // will print It\'s not true... on my online server
    // will print It's not true...  on my local server

I still cannot understand why this is so. Is there any PHP parameter that automatically escapes query string variables?

+4
3 answers

You have "magic quotes" enabled. This is a terrible mistake, which, fortunately, is removed in the next version of PHP. The PHP manual has a section on disabling them.

In short, you need to set the following configuration items to Off in the php.ini:

  • magic_quotes_gpc
  • magic_quotes_runtime
  • magic_quotes_sybase

In particular, your problem is related to magic_quotes_gpc - the "gpc" part is the abbreviation for "GET, POST and COOKIE" - but it is good practice to have them all disabled.

+9

The code will tell you everything you need.

    function mysql_prep($value) {
        $magic_quotes_active = get_magic_quotes_gpc();
        // mysql_real_escape_string exists from PHP 4.3.0 onwards; it needs an open
        // mysql_connect() link, so connect before calling this function
        $new_enough_php = function_exists("mysql_real_escape_string");
        if ($new_enough_php) { // PHP v4.3.0 or higher
            // undo any magic quote effects so mysql_real_escape_string can do the work
            if ($magic_quotes_active) {
                $value = stripslashes($value);
            }
            $value = mysql_real_escape_string($value);
        } else { // before PHP v4.3.0
            // if magic quotes aren't already on then add slashes manually
            if (!$magic_quotes_active) {
                $value = addslashes($value);
            }
            // if magic quotes are active, then the slashes already exist
        }
        return $value;
    }

Create the connection functions and values above this function,

and then call it on your values like

    $yourVar = mysql_prep($_POST['yourControlName']);

I hope you can get an explanation through the comments ...

+2
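The first answer tells you to turn magic_quotes_gpc off in php.ini, and the second strips the slashes before escaping for MySQL. As an added example (not code from either answer), here is how to make the application see the raw text whether or not the host has magic quotes on, and then bind the value with a PDO prepared statement rather than escaping it by hand. The table `comments`, its `body` column and the connection credentials are assumed.

```php
<?php
// Recursively undo magic quotes on a value or nested array (GET/POST/COOKIE).
function strip_magic_quotes($value)
{
    if (is_array($value)) {
        return array_map('strip_magic_quotes', $value);
    }
    return stripslashes($value);
}

// Magic quotes only exist in PHP < 5.4 and get_magic_quotes_gpc() was removed
// in PHP 8, so guard the call; on a modern host this block is simply skipped.
if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
    $_GET     = strip_magic_quotes($_GET);
    $_POST    = strip_magic_quotes($_POST);
    $_COOKIE  = strip_magic_quotes($_COOKIE);
    $_REQUEST = strip_magic_quotes($_REQUEST);
}

// From here on $comment is the text exactly as typed on both servers.
$comment = isset($_REQUEST['comm']) ? $_REQUEST['comm'] : '';

// Echoing user input back to the page needs HTML escaping, which is a separate
// concern from SQL escaping and is not something magic quotes ever did.
echo htmlspecialchars($comment, ENT_QUOTES, 'UTF-8');

// Assumed table and credentials. The value is bound as a parameter, so the
// driver, not string escaping, keeps the quote from breaking the query.
$pdo = new PDO('mysql:host=localhost;dbname=app;charset=utf8mb4', 'user', 'password', [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false,
]);
$stmt = $pdo->prepare('INSERT INTO comments (body) VALUES (:body)');
$stmt->execute([':body' => $comment]);
```

With magic quotes off in php.ini as the first answer recommends, the stripping block never runs and the prepared statement alone is sufficient.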

I think this is a parameter in the php.ini file. You can call the PHP function to disable it, but by then it is too late.

0

Source: https://habr.com/ru/post/1347038/
