Bug in Quoted String Handling?

DanBlather
Forum Newbie
Posts: 7
Joined: Fri Sep 22, 2006 6:53 pm

Post by DanBlather »

My hosting company recently upgraded from 4.4.4 to 4.4.6 and my PHP script stopped working. I am using a GET method with the following URL:
http://www.xyz.com/aEventQueryString.ph ... 2007-03-15 21:10:03'

This used to work fine, and $DateTime was set to: {2007-03-15 21:10:03} (brackets added, not in actual string). After the upgrade $DateTime is set to: {\'2007-03-15 21:10:03\'}. It's as though the single quotes are being treated as embedded quotes and being escaped. Is this a bug or was the old behavior incorrect and now fixed?

A related question, if I just format my URL as {...DateTime=2007-03-15%2021:10:03} can I pass that off to MySQL without further ado? Thanks.
Chris Corbyn
Breakbeat Nuttzer
Posts: 13098
Joined: Wed Mar 24, 2004 7:57 am
Location: Melbourne, Australia

Post by Chris Corbyn »

They've turned magic_quotes_gpc on. Tell them to turn it off. I have no idea why a host would upgrade and turn a nasty "feature" like that on :)

If they won't turn it back off you'll need to use stripslashes() *everywhere* you receive data from the "outside" such as via a form or the URL.
Luke
The Ninja Space Mod
Posts: 6424
Joined: Fri Aug 05, 2005 1:53 pm
Location: Paradise, CA

Post by Luke »

Magic quotes has to be one of the worst PHP-related ideas ever conceived.
DanBlather
Forum Newbie
Posts: 7
Joined: Fri Sep 22, 2006 6:53 pm

Post by DanBlather »

Thanks, that makes sense. I'll see how much clout my $9.95 a month hosting account has :wink:
aaronhall
DevNet Resident
Posts: 1040
Joined: Tue Aug 13, 2002 5:10 pm
Location: Back in Phoenix, missing the microbrews

Post by aaronhall »

If your server won't budge about magic_quotes_gpc, you can array_map() each of $_GET, $_POST and $_COOKIE with the callback stripslashes() at the beginning of your script as a resort to calling stripslashes() for every GPC reference.
RobertGonzalez
Site Administrator
Posts: 14293
Joined: Tue Sep 09, 2003 6:04 pm
Location: Fremont, CA, USA

Post by RobertGonzalez »

phpBB used to array map, then changed it because it had some weird results in the resultant array map. Of course, theirs checks to see if magic quotes is off and adds slashes to the superglobal arrays. But the same logic can be applied to removing slashes.

EDIT | I modified theirs to use stripslashes() if get_magic_quotes_gpc() is on...

<?php
// stripslashes on all vars if magic_quotes_gpc is on
if( get_magic_quotes_gpc() )
{
	if( is_array($_GET) )
	{
		while( list($k, $v) = each($_GET) )
		{
			if( is_array($_GET[$k]) )
			{
				while( list($k2, $v2) = each($_GET[$k]) )
				{
					$_GET[$k][$k2] = stripslashes($v2);
				}
				reset($_GET[$k]); // For some reason this had an error suppressor
			}
			else
			{
				$_GET[$k] = stripslashes($v);
			}
		}
		reset($_GET);  // For some reason this had an error suppressor
	}

	if( is_array($_POST) )
	{
		while( list($k, $v) = each($_POST) )
		{
			if( is_array($_POST[$k]) )
			{
				while( list($k2, $v2) = each($_POST[$k]) )
				{
					$_POST[$k][$k2] = stripslashes($v2);
				}
				reset($_POST[$k]); // For some reason this had an error suppressor
			}
			else
			{
				$_POST[$k] = stripslashes($v);
			}
		}
		reset($_POST); // For some reason this had an error suppressor
	}

	if( is_array($_COOKIE) )
	{
		while( list($k, $v) = each($_COOKIE) )
		{
			if( is_array($_COOKIE[$k]) )
			{
				while( list($k2, $v2) = each($_COOKIE[$k]) )
				{
					$_COOKIE[$k][$k2] = stripslashes($v2);
				}
				reset($_COOKIE[$k]); // For some reason this had an error suppressor
			}
			else
			{
				$_COOKIE[$k] = stripslashes($v);
			}
		}
		reset($_COOKIE); // For some reason this had an error suppressor
	}
}
?>
DanBlather
Forum Newbie
Posts: 7
Joined: Fri Sep 22, 2006 6:53 pm

Post by DanBlather »

My hosting service turned "magic_quotes_gpc on" off on my config file. I still see odd behavior. The escape of the single quotes has gone away, but the leading and trailing single quote are still included in the string itself. For example:

echo "{" . $DateTime . "}";

gives

{'2007-03-15 21:10:03'}

Before the upgrade the single quotes were not in the string. In the URL DateTime is specified:

DateTime='2007-03-15 21:10:03'

and I expected the echo above to give

{2007-03-15 21:10:03}
Chris Corbyn
Breakbeat Nuttzer
Posts: 13098
Joined: Wed Mar 24, 2004 7:57 am
Location: Melbourne, Australia

Post by Chris Corbyn »

The quotes should be in the string because, well, they are in the string, so why would they be removed? Don't send the single quotes if you don't want them ;)
feyd
Neighborhood Spidermoddy
Posts: 31559
Joined: Mon Mar 29, 2004 3:24 pm
Location: Bothell, Washington, USA

Post by feyd »

If the data in the URL has single quotes, the data in the script will have single quotes.
DanBlather
Forum Newbie
Posts: 7
Joined: Fri Sep 22, 2006 6:53 pm

Post by DanBlather »

So I wonder what changed in the upgrade? Either the single quotes didn't use to be in the arguments passed to the PHP script or SQL ignored them.
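
Added example, not part of any post in this thread: one way to handle the DateTime parameter asked about in the first post before it reaches a query, by accepting only an exact timestamp and binding it as a statement parameter. It assumes PHP 5.3 or later with PDO (not the 4.4.x discussed above); the events table, the function names, the in-memory SQLite stand-in for MySQL and the sample inputs are constructed for illustration.

```php
<?php
// Added example. Table, function names and inputs are constructed; the
// in-memory SQLite database is a stand-in for the MySQL connection.

// Return $raw unchanged if it is exactly 'YYYY-MM-DD HH:MM:SS', else null.
function parse_event_datetime($raw)
{
    if (!is_string($raw)) {
        return null; // ?DateTime[]=... arrives as an array
    }
    $dt = DateTime::createFromFormat('Y-m-d H:i:s', $raw);
    // Round-trip comparison also rejects rolled-over dates such as Feb 31.
    if ($dt === false || $dt->format('Y-m-d H:i:s') !== $raw) {
        return null;
    }
    return $raw;
}

// Look up events by start time; null means the parameter was rejected.
function find_events(PDO $pdo, $raw)
{
    $when = parse_event_datetime($raw);
    if ($when === null) {
        return null;
    }
    // The value is bound, so it is never parsed as part of the SQL text.
    $stmt = $pdo->prepare('SELECT name FROM events WHERE starts_at = ?');
    $stmt->execute(array($when));
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec("CREATE TABLE events (name TEXT, starts_at TEXT)");
$pdo->exec("INSERT INTO events VALUES ('launch', '2007-03-15 21:10:03')");

// Constructed values of $_GET['DateTime'] for the URL forms in the thread.
$samples = array(
    "2007-03-15 21:10:03",       // DateTime=2007-03-15%2021:10:03
    "'2007-03-15 21:10:03'",     // quotes sent in the URL
    "\\'2007-03-15 21:10:03\\'", // quotes sent, magic_quotes_gpc on
    "2007-02-31 21:10:03",       // well-formed but not a real date
);
foreach ($samples as $raw) {
    $rows = find_events($pdo, $raw);
    echo str_pad($raw, 26), ' => ',
        $rows === null ? 'rejected' : implode(', ', $rows), "\n";
}
```

Only the unquoted form passes validation; the quoted and slash-escaped forms are rejected instead of being silently repaired, so the behaviour does not depend on the host's magic_quotes_gpc setting.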