Mysterious \'

Re: Mysterious \'

Ken wrote:[color=blue]
> What is putting a \ before all single quotes in an input form? Here is
> an example:
>
> Page 1:
>
> <form action="page2.p hp">
> <input type="text" name="aninput" />
> </form>
>
> page2.php:
> ...
> echo $_GET['aninput'];
> ...
>
> If I enter "Bob's place" on page 1, then page2.php will out put "Bob\'s
> place". What is putting the \ before the single quote? Is there a way to
> stop it?[/color]

see:


M.

Re: Mysterious \'

Thanks. That will solve it, but why is it there in the first place?

noone wrote:[color=blue]
> Ken wrote:
>[color=green]
>> What is putting a \ before all single quotes in an input form? Here is
>> an example:
>>
>> Page 1:
>>
>> <form action="page2.p hp">
>> <input type="text" name="aninput" />
>> </form>
>>
>> page2.php:
>> ...
>> echo $_GET['aninput'];
>> ...
>>
>> If I enter "Bob's place" on page 1, then page2.php will out put
>> "Bob\'s place". What is putting the \ before the single quote? Is
>> there a way to stop it?[/color]
>
>
> see:
> http://us2.php.net/manual/en/function.stripslashes.php
>
> M.[/color]

Re: Mysterious \'

What you are describing is an issue that all php newbies face.

It is caused by a setting in the PHP configuration file called
magic_quotes_gp c. If this is turned on (which it is by default), all '
(single-quotes), " (double quotes), and \ (backslashs) are escaped with
a backslash automatically in the GET, POST, and COOKIE globals.

Many databases (MySQL for example) and other systems need escape
characters to handle such characters. PHP automatically adds these
slashes so you don't have to when you want to use the data in other
systems. Isn't that nice of PHP? Many people, including myself, say
NO! But it does.

You have two options:

1. Change the PHP configuration of magic_quotes_gp c to off.

2. Use the stripslashes() function to remove the escape slashes from
the posted variables. I strongly suggest that you use this method
because if you simply change the configuration, your script would not
work right on other systems not properly configured.

Re: Mysterious \'

Thanks so much for the detailed explanation!

Paul Haxter wrote:[color=blue]
> What you are describing is an issue that all php newbies face.
>
> It is caused by a setting in the PHP configuration file called
> magic_quotes_gp c. If this is turned on (which it is by default), all '
> (single-quotes), " (double quotes), and \ (backslashs) are escaped with
> a backslash automatically in the GET, POST, and COOKIE globals.
>
> Many databases (MySQL for example) and other systems need escape
> characters to handle such characters. PHP automatically adds these
> slashes so you don't have to when you want to use the data in other
> systems. Isn't that nice of PHP? Many people, including myself, say
> NO! But it does.
>
> You have two options:
>
> 1. Change the PHP configuration of magic_quotes_gp c to off.
>
> 2. Use the stripslashes() function to remove the escape slashes from
> the posted variables. I strongly suggest that you use this method
> because if you simply change the configuration, your script would not
> work right on other systems not properly configured.
>[/color]

Re: Mysterious \'

Carved in mystic runes upon the very living rock, the last words of Paul
Haxter of comp.lang.php make plain:
[color=blue]
> It is caused by a setting in the PHP configuration file called
> magic_quotes_gp c. If this is turned on (which it is by default), all '
> (single-quotes), " (double quotes), and \ (backslashs) are escaped with
> a backslash automatically in the GET, POST, and COOKIE globals.[/color]

Is it still on by default? I thought they changed that. IMO it's the
stupidest feature ever designed in PHP. Sure, it saves the step of having
to add slashes, but adds the step of having to remove them. It smacks of
MS: "We know best what you want to do with your data!"

--
Alan Little
Phorm PHP Form Processor

Re: Mysterious \'

Why not simply write your own safe addslashes function? You can then
use it on form input or whatever you wish, and regardless of the server
environment the slashes will or will not be appended as neccessary:

[PHP]
function safeAddSlashes( $str) {
if(!get_magic_q uotes_gpc()) {
if(is_array($st r)) {
$str = array_map_recur sive('stripslas hes', $str);
} else {
$str = addslashes($str );
}
}

return $str;
}
[/PHP]

So in a nutshell, if quotes are already escaped due the the magic
quotes configuration then they will not be escaped further (as ordinary
use of the addslashes() function would do). However, if magic quotes
are off then the data input into the function will be escaped. You can
use it on strings, for example if register globals is on and you are
escaping singular variables, or entire arrays, $POST for example. I
hope this helps. =]

Re: Mysterious \'

Why not simply write your own safe addslashes function? You can then
use it on form input or whatever you wish, and regardless of the server
environment the slashes will or will not be appended as neccessary:

[PHP]
function safeAddSlashes( $str) {
if(!get_magic_q uotes_gpc()) {
if(is_array($st r)) {
$str = array_map_recur sive('addslashe s', $str);
} else {
$str = addslashes($str );
}
}

return $str;
}
[/PHP]

So in a nutshell, if quotes are already escaped due the the magic
quotes configuration then they will not be escaped further (as ordinary
use of the addslashes() function would do). However, if magic quotes
are off then the data input into the function will be escaped. You can
use it on strings, for example if register globals is on and you are
escaping singular variables, or entire arrays, $POST for example. I
hope this helps. =]