Bug in Quoted String Handling?
Posted: Thu Mar 22, 2007 3:28 pm
by DanBlather
My hosting company recently upgraded from 4.4.4 to 4.4.6 and my PHP script stopped working. I am using a GET method with the following URL:
http://www.xyz.com/aEventQueryString.ph ... 2007-03-15 21:10:03'
This used to work fine, and $DateTime was set to: {2007-03-15 21:10:03} (brackets added, not in actual string). After the upgrade $DateTime is set to: {\'2007-03-15 21:10:03\'}. It's as though the single quotes are being treated as embedded quotes and being escaped. Is this a bug or was the old behavior incorrect and now fixed?
A related question, if I just format my URL as {...DateTime=2007-03-15%2021:10:03} can I pass that off to MySQL without further ado? Thanks.
Posted: Thu Mar 22, 2007 3:30 pm
by Chris Corbyn
They've turned magic_quotes_gpc on. Tell them to turn it off. I have no idea why a host would upgrade and turn a nasty "feature" like that on.
If they won't turn it back off you'll need to use stripslashes() *everywhere* you receive data from the "outside" such as via a form or the URL.
Posted: Thu Mar 22, 2007 3:31 pm
by Luke
magic quotes has to be one of the worst PHP-related ideas ever conceived.
Posted: Thu Mar 22, 2007 3:36 pm
by DanBlather
Thanks, that makes sense. I'll see how much clout my $9.95 a month hosting account has

Posted: Fri Mar 23, 2007 8:04 am
by aaronhall
If your server won't budge about magic_quotes_gpc, you can array_map() each of $_GET, $_POST and $_COOKIE with the callback stripslashes() at the beginning of your script as a resort to calling stripslashes() for every GPC reference.
Posted: Fri Mar 23, 2007 11:48 am
by RobertGonzalez
phpBB used to array map, then changed it because it had some weird results in the resultant array map. Of course, theirs checks to see if magic quotes is off and adds slashes to the superglobal arrays. But the same logic can be applied to removing slashes.
EDIT | I modified theirs to use stripslashes() if get_magic_quotes_gpc() is on...
Code:
<?php
// stripslashes on all vars if magic_quotes_gpc is on
if( get_magic_quotes_gpc() )
{
    if( is_array($_GET) )
    {
        while( list($k, $v) = each($_GET) )
        {
            if( is_array($_GET[$k]) )
            {
                while( list($k2, $v2) = each($_GET[$k]) )
                {
                    $_GET[$k][$k2] = stripslashes($v2);
                }
                reset($_GET[$k]); // For some reason this had an error suppressor
            }
            else
            {
                $_GET[$k] = stripslashes($v);
            }
        }
        reset($_GET); // For some reason this had an error suppressor
    }
    if( is_array($_POST) )
    {
        while( list($k, $v) = each($_POST) )
        {
            if( is_array($_POST[$k]) )
            {
                while( list($k2, $v2) = each($_POST[$k]) )
                {
                    $_POST[$k][$k2] = stripslashes($v2);
                }
                reset($_POST[$k]); // For some reason this had an error suppressor
            }
            else
            {
                $_POST[$k] = stripslashes($v);
            }
        }
        reset($_POST); // For some reason this had an error suppressor
    }
    if( is_array($_COOKIE) )
    {
        while( list($k, $v) = each($_COOKIE) )
        {
            if( is_array($_COOKIE[$k]) )
            {
                while( list($k2, $v2) = each($_COOKIE[$k]) )
                {
                    $_COOKIE[$k][$k2] = stripslashes($v2);
                }
                reset($_COOKIE[$k]); // For some reason this had an error suppressor
            }
            else
            {
                $_COOKIE[$k] = stripslashes($v);
            }
        }
        reset($_COOKIE); // For some reason this had an error suppressor
    }
}
?>
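The slash-stripping pass above stops at two levels of array nesting. The following added example (not code from any poster in this thread or from phpBB) generalizes it to any depth and adds a strict format check for the DateTime parameter from the opening post; `strip_slashes_deep()` and `is_mysql_datetime()` are hypothetical names, and the sample input is constructed.

```php
<?php
// Added example (not the thread's or phpBB's code). Function names are
// hypothetical; the sample input is constructed.

// Undo magic_quotes_gpc escaping on a value nested to any depth.
function strip_slashes_deep($value)
{
    if (is_array($value)) {
        foreach ($value as $k => $v) {
            $value[$k] = strip_slashes_deep($v);
        }
        return $value;
    }
    return is_string($value) ? stripslashes($value) : $value;
}

// Strict check for the "YYYY-MM-DD HH:MM:SS" shape the DateTime parameter
// is expected to have, including calendar and clock ranges.
function is_mysql_datetime($s)
{
    $re = '/\A(\d{4})-(\d{2})-(\d{2}) (\d{2}):(\d{2}):(\d{2})\z/';
    if (!is_string($s) || !preg_match($re, $s, $m)) {
        return false;
    }
    return checkdate((int) $m[2], (int) $m[3], (int) $m[1])
        && (int) $m[4] < 24 && (int) $m[5] < 60 && (int) $m[6] < 60;
}

// Constructed sample: $_GET as it arrives with magic_quotes_gpc on for
// ?DateTime='2007-03-15 21:10:03'&tags[a][b]=O'Neil (three levels deep).
$sample = array(
    'DateTime' => "\\'2007-03-15 21:10:03\\'",
    'tags'     => array('a' => array('b' => "O\\'Neil")),
);

// On PHP versions that still have the setting, this call would be gated on
// get_magic_quotes_gpc(): stripping input that was never escaped eats real
// backslashes. Here the sample is known to be escaped.
$clean = strip_slashes_deep($sample);

var_dump($clean['DateTime']);                        // after stripping
var_dump($clean['tags']['a']['b']);                  // third nesting level
var_dump(is_mysql_datetime($clean['DateTime']));     // value as sent in the URL
var_dump(is_mysql_datetime('2007-03-15 21:10:03'));  // same value, no quotes
```

A value that passes the format check is still best handed to the database as a bound or escaped parameter rather than concatenated into the query text.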
Posted: Sat Mar 24, 2007 1:25 pm
by DanBlather
My hosting service turned "magic_quotes_gpc on" off on my config file. I still see odd behavior. The escape of the single quotes has gone away, but the leading and trailing single quote are still included in the string itself. For example:
echo "{" . $DateTime . "}";
gives
{'2007-03-15 21:10:03'}
Before the upgrade the single quotes were not in the string. In the URL DateTime is specified:
DateTime='2007-03-15 21:10:03'
and I expected the echo above to give
{2007-03-15 21:10:03}
Posted: Sat Mar 24, 2007 1:28 pm
by Chris Corbyn
The quotes should be in the string because, well, they are in the string, so why would they be removed? Don't send the single quotes if you don't want them.

Posted: Sat Mar 24, 2007 1:30 pm
by feyd
If the data in the URL has single quotes, the data in the script will have single quotes.
Posted: Sat Mar 24, 2007 6:11 pm
by DanBlather
So I wonder what changed in the upgrade? Either the single quotes didn't use to be in the arguments passed to the PHP script or SQL ignored them.