Form automatically escapes strings?

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.


Josh1billion
Forum Contributor
Posts: 316
Joined: Tue Sep 11, 2007 3:25 pm

Form automatically escapes strings?

Post by Josh1billion »

I wrote up a simple script to test out how strings are escaped, and when I run the following example, I see that anything I type into the form is automatically escaped. For example, when I type "test'test" into the form, it will print out as "test\'test" even though I don't have any code to escape it.

My question is this: Is this a result of my web browser automatically adding the slashes upon submitting the form (tested on Firefox and IE7 and the result's the same), or is my server apparently configured to automatically add the slashes when receiving form data (which would be useful, but could potentially cause me to overlook a lack of escaping and would be a real problem if I later upload to a server which doesn't support this)?

Code:

<!-- test.php: the form posts back to this same file -->
<form action="test.php" method="post">
<input type="text" name="username">
<input type="submit">
</form>
<BR><BR>


<?php
	// Echo the submitted value untouched, to see exactly what the server hands us
	if (isset($_POST['username']))
	{
		print $_POST['username'];
	}
?>
Mordred
DevNet Resident
Posts: 1579
Joined: Sun Sep 03, 2006 5:19 am
Location: Sofia, Bulgaria

Post by Mordred »

The server does it, it's called magic quotes, and it sucks big time. Look it up in the manual, then search this forum for details.
shiznatix
DevNet Master
Posts: 2745
Joined: Tue Dec 28, 2004 5:57 pm
Location: Tallinn, Estonia

Post by shiznatix »

check out magic_quotes_gpc

It is set in your php.ini file and should most certainly be turned off. It was a failed attempt to make PHP more secure out of the box for beginner programmers. What ended up happening was that it gave everyone a massive headache, and it was quickly turned off by default in PHP 5. I highly recommend you turn it off because all it does is make your life that much more difficult.
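An added example to go with the two answers above (this is not code from the thread; it assumes the bundled pdo_sqlite extension and an otherwise default PHP CLI setup). It does two things: it makes a script behave the same whether or not the host has magic_quotes_gpc on, by stripping the added slashes from the GPC arrays, and it shows why the automatic slashes are not real protection: addslashes() is exactly what magic quotes applies, and in an unquoted numeric context it changes nothing, so the query still collapses into a tautology, while a prepared statement rejects the same input. The sample inputs are constructed, with the first one taken from the original post.

```php
<?php
// Added example, not code from the thread. Assumes pdo_sqlite (bundled with PHP).

// Undo magic_quotes_gpc if the host has it on, so $_GET/$_POST/$_COOKIE hold the
// raw submitted values regardless of php.ini. Recursive because GPC values can be
// nested arrays (name="tags[]"). get_magic_quotes_gpc() was removed in PHP 8,
// hence the function_exists() guard.
function undo_magic_quotes(array $data): array
{
    foreach ($data as $key => $value) {
        $data[$key] = is_array($value)
            ? undo_magic_quotes($value)
            : stripslashes($value);
    }
    return $data;
}

if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
    $_GET    = undo_magic_quotes($_GET);
    $_POST   = undo_magic_quotes($_POST);
    $_COOKIE = undo_magic_quotes($_COOKIE);
}

// Constructed sample inputs standing in for submitted form fields.
// addslashes() is what magic_quotes_gpc applies to every GPC value.
$username = "test'test";     // the string from the original post
$id       = "1 OR 1=1";      // attacker input aimed at a numeric field

echo addslashes($username), "\n";   // the backslash-escaped form seen in the post
echo addslashes($id), "\n";         // unchanged: there is no quote to escape

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT)");
$db->exec("INSERT INTO users (id, username) VALUES (1, 'alice'), (2, 'bob')");

// Unquoted numeric context: magic quotes leaves the payload intact and the
// WHERE clause becomes a tautology that returns every row in the table.
$unsafe = "SELECT username FROM users WHERE id = " . addslashes($id);
$rows   = $db->query($unsafe)->fetchAll(PDO::FETCH_COLUMN);
echo "slashes only: ", count($rows), " row(s)\n";

// Prepared statement: the value is bound as data and never parsed as SQL, so
// the same input matches no row. This does not depend on php.ini at all,
// which is why magic quotes can and should simply be off.
$stmt = $db->prepare("SELECT username FROM users WHERE id = :id");
$stmt->execute([':id' => $id]);
$rows = $stmt->fetchAll(PDO::FETCH_COLUMN);
echo "prepared: ", count($rows), " row(s)\n";
```

Run it with `php example.php`. The stripping block is only a portability shim for old hosts; the actual fix for the OP's worry ("what if I upload to a server which doesn't support this") is to never rely on the slashes in the first place and use bound parameters, as in the last query.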
Josh1billion
Forum Contributor
Posts: 316
Joined: Tue Sep 11, 2007 3:25 pm

Post by Josh1billion »

Oh alright, cool. Thanks for the responses you guys.