Form automatically escapes strings?

Posted: Tue Dec 11, 2007 3:32 am
by Josh1billion
I wrote up a simple script to test out how strings are escaped, and when I run this following example, I see that anything I type into the form is automatically escaped. For example, when I type "test'test" into the form, it will print out as "test\'test" even though I don't have any code to escape it.

My question is this: Is this a result of my web browser automatically adding the slashes upon submitting the form (tested on Firefox and IE7 and the result's the same), or is my server apparently configured to automatically add the slashes when receiving form data (which would be useful, but could potentially cause me to overlook a lack of escaping and would be a real problem if I later upload to a server which doesn't support this)?

<form action="test.php" method="post">
<input type="text" name="username">
<input type="submit">
</form>
<BR><BR>


<?php
	// Echo the submitted value untouched, so any backslash that shows up
	// was added before this script ran, not by this code.
	if (isset($_POST['username']))
	{
		print $_POST['username'];
	}
?>

Posted: Tue Dec 11, 2007 4:37 am
by Mordred
The server does it, it's called magic quotes, and it sucks big time. Look it up in the manual, then search this forum for details.

Posted: Tue Dec 11, 2007 4:37 am
by shiznatix
check out magic_quotes_gpc

it is set in your php.ini file and should most certainly be turned off. It was a failed attempt to make PHP more secure out of the box for beginner programmers. What ended up happening is giving everyone a massive headache and it was quickly turned off by default in php5. I highly recommend you turn it off because all it does is make your life that much more difficult.
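The two replies above point at magic_quotes_gpc but do not show how to make a script behave the same whether the setting is on or off, which is exactly the portability worry in the original question. The following is an added example, not code posted in this thread: it detects the setting, undoes the added slashes once at the top of the request, and then escapes explicitly for each output context (HTML and SQL) instead of relying on php.ini. The PDO DSN and credentials are placeholders. The setting itself is PHP_INI_PERDIR, so it cannot be changed with ini_set() from inside a script; it has to be `magic_quotes_gpc = Off` in php.ini (or `php_flag magic_quotes_gpc Off` in .htaccess under mod_php), and the code below is the fallback for hosts where you cannot change it.

```php
<?php
// Added example (not from the thread): neutralise magic_quotes_gpc so request
// data is identical on servers with it on and off, then escape per context.
// Assumes PHP 5.x. get_magic_quotes_gpc() is deprecated in 7.4 and removed in
// 8.0, hence the function_exists() guard.

// True when the server adds slashes to $_GET/$_POST/$_COOKIE before the script runs.
function magic_quotes_enabled()
{
    return function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc();
}

// Recursively strip the slashes magic quotes added. Run it only when the setting
// is on, or you will also remove backslashes the user legitimately typed.
function strip_magic_quotes($value)
{
    if (is_array($value)) {
        return array_map('strip_magic_quotes', $value);
    }
    return stripslashes($value);
}

// Do this once, before anything else reads request data.
if (magic_quotes_enabled()) {
    $_GET     = strip_magic_quotes($_GET);
    $_POST    = strip_magic_quotes($_POST);
    $_COOKIE  = strip_magic_quotes($_COOKIE);
    $_REQUEST = strip_magic_quotes($_REQUEST);
}

// From here on $_POST['username'] holds exactly what was typed ("test'test"),
// so escaping is an explicit decision per output, not a side effect of php.ini.
$username = isset($_POST['username']) ? $_POST['username'] : '';

// HTML context: encode for the browser instead of printing raw.
echo '<p>magic_quotes_gpc is ', magic_quotes_enabled() ? 'On' : 'Off', "</p>\n";
echo '<p>You typed: ', htmlspecialchars($username, ENT_QUOTES, 'UTF-8'), "</p>\n";

// SQL context: bind the value; no string escaping or concatenation at all.
// DSN and credentials below are hypothetical placeholders.
if ($username !== '') {
    $pdo = new PDO('mysql:host=localhost;dbname=test', 'dbuser', 'dbpass', array(
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES => false,
    ));
    $stmt = $pdo->prepare('SELECT id FROM users WHERE username = ?');
    $stmt->execute(array($username));
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    echo '<p>', $row ? 'Found user ' . (int) $row['id'] : 'No such user', "</p>\n";
}
```

Submitting `test'test` through the original form to this script prints the quote back unmodified on both kinds of host, and the same input reaches the database as a bound parameter rather than as part of the query text. The point of stripping first is that magic quotes only ever covered the SQL case for one escaping style; it did nothing for HTML output, and on a host without it the same code would have been injectable, which is the "overlook a lack of escaping" risk raised in the question.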

Posted: Tue Dec 11, 2007 4:55 am
by Josh1billion
Oh alright, cool. Thanks for the responses you guys.