where do the backslashes (\) come from?

  • Robert Stearns

    where do the backslashes (\) come from?

    Whenever I enter an apostrophe (') into a text box I receive \'. The
    same behavior obtains with both get and post. Is there a php setting
    which causes this (to me, at least) bizarre behavior? Or one to shut it off?

  • kingofkolt

    #2
    Re: where do the backslashes (\) come from?

    "Robert Stearns" <rstearns1241@charter.net> wrote in message
    news:10g69sg6q16bt08@corp.supernews.com...
    > Whenever I enter an apostrophe (') into a text box I receive \'. The
    > same behavior obtains with both get and post. Is there a php setting
    > which causes this (to me, at least) bizarre behavior? Or one to shut it
    > off?
    >

    Set the magic_quotes_gpc directive in php.ini to Off. Or if you don't have
    access to php.ini, check out the get_magic_quotes_gpc() function
    (http://us2.php.net/get-magic-quotes-gpc).

    - JP



    • Geoff Berrow

      #3
      Re: where do the backslashes (\) come from?

      I noticed that Message-ID: <10g69sg6q16bt08@corp.supernews.com> from
      Robert Stearns contained the following:

      >Whenever I enter an apostrophe (') into a text box I receive \'. The
      >same behavior obtains with both get and post. Is there a php setting
      >which causes this (to me, at least) bizarre behavior? Or one to shut it off?

      It's not bizarre. Apostrophes need to be escaped to prevent them being
      seen as part of the script. If you were to turn magic quotes off, you'd
      still have to use addslashes() to put them in.

      Use stripslashes() to remove them.

      --
      Geoff Berrow (put thecat out to email)
      It's only Usenet, no one dies.
      My opinions, not the committee's, mine.
      Simple RFDs http://www.ckdog.co.uk/rfdmaker/


      • Jim Seymour

        #4
        Re: where do the backslashes (\) come from?

        In article <mTFMc.164394$JR4.23280@attbi_s54>,
        "kingofkolt" <jessepNOSPAM@comcast.net> writes:
        > "Robert Stearns" <rstearns1241@charter.net> wrote in message
        > news:10g69sg6q16bt08@corp.supernews.com...
        >> Whenever I enter an apostrophe (') into a text box I receive \'. The
        >> same behavior obtains with both get and post. Is there a php setting
        >> which causes this (to me, at least) bizarre behavior? Or one to shut it
        >> off?
        >>
        >
        > Set the magic_quotes_gpc directive in php.ini to Off. Or if you don't have
        > access to php.ini, check out the get_magic_quotes_gpc() function
        > (http://us2.php.net/get-magic-quotes-gpc).

        I'm no PHP "guru," but this strikes me as... questionable advice.
        Wouldn't it be safer, and more secure, to use stripslashes() where
        you know you don't want them?

        --
        Jim Seymour                    | PGP Public Key available at:
        WARNING: The "From:" address   | http://www.uk.pgp.net/pgpnet/pks-commands.html
        is a spam trap.  DON'T USE IT! |
        Use: jseymour@LinxNet.com      | http://jimsun.LinxNet.com


        • Anders K. Madsen

          #5
          Re: where do the backslashes (\) come from?

          On Sun, 25 Jul 2004 16:06:41 -0000
          jseymour@LinxNet.com (Jim Seymour) wrote:

          > In article <mTFMc.164394$JR4.23280@attbi_s54>,
          > "kingofkolt" <jessepNOSPAM@comcast.net> writes:
          > > "Robert Stearns" <rstearns1241@charter.net> wrote in message
          > > news:10g69sg6q16bt08@corp.supernews.com...
          > >> Whenever I enter an apostrophe (') into a text box I receive \'. The
          > >> same behavior obtains with both get and post. Is there a php setting
          > >> which causes this (to me, at least) bizarre behavior? Or one to shut it
          > >> off?
          > >>
          > >
          > > Set the magic_quotes_gpc directive in php.ini to Off. Or if you
          > > don't have access to php.ini, check out the get_magic_quotes_gpc()
          > > function (http://us2.php.net/get-magic-quotes-gpc).
          >
          > I'm no PHP "guru," but this strikes me as... questionable advice.
          > Wouldn't it be safer, and more secure, to use stripslashes() where
          > you know you don't want them?
          >

          Yeah... That would probably be the safest way to deal with it...


          --
          Anders K. Madsen --- http://lillesvin.linux.dk

          "There are 10 types of people in the world.
          Those who understand binary - and those who don't."


          • kingofkolt

            #6
            Re: where do the backslashes (\) come from?

            "Jim Seymour" <jseymour@LinxNet.com> wrote in message
            news:10g7mkh8ti9769c@corp.supernews.com...
            > In article <mTFMc.164394$JR4.23280@attbi_s54>,
            > "kingofkolt" <jessepNOSPAM@comcast.net> writes:
            > > "Robert Stearns" <rstearns1241@charter.net> wrote in message
            > > news:10g69sg6q16bt08@corp.supernews.com...
            > >> Whenever I enter an apostrophe (') into a text box I receive \'. The
            > >> same behavior obtains with both get and post. Is there a php setting
            > >> which causes this (to me, at least) bizarre behavior? Or one to shut it
            > >> off?
            > >>
            > >
            > > Set the magic_quotes_gpc directive in php.ini to Off. Or if you don't have
            > > access to php.ini, check out the get_magic_quotes_gpc() function
            > > (http://us2.php.net/get-magic-quotes-gpc).
            >
            > I'm no PHP "guru," but this strikes me as... questionable advice.
            > Wouldn't it be safer, and more secure, to use stripslashes() where
            > you know you don't want them?
            >
            > --
            > Jim Seymour                    | PGP Public Key available at:
            > WARNING: The "From:" address   | http://www.uk.pgp.net/pgpnet/pks-commands.html
            > is a spam trap.  DON'T USE IT! |
            > Use: jseymour@LinxNet.com      | http://jimsun.LinxNet.com

            Well, I guess I was supposing that Robert's situation was this: a user
            enters text into a textbox and submits it and the text is entered into a
            database. In that case, probably the best way to deal with the "magic
            quotes" is to use something like this:

            if (!get_magic_quotes_gpc()) {
                $data = addslashes($_POST['data']);  // not yet escaped
            } else {
                $data = $_POST['data'];              // already escaped by magic quotes
            }

            as in the example at PHP.net. I suppose the best solution depends on how
            Robert wants to use the text immediately...

            - JP



            • Jim Seymour

              #7
              Re: where do the backslashes (\) come from?

              In article <25SMc.161854$IQ4.137836@attbi_s02>,
              "kingofkolt" <jessepNOSPAM@comcast.net> writes:
              [snip]
              >
              > Well, I guess I was supposing that Robert's situation was this: a user
              > enters text into a textbox and submits it and the text is entered into a
              > database. In that case, probably the best way to deal with the "magic
              > quotes" is to use something like this:
              >
              > if (!get_magic_quotes_gpc()) {
              > $data=addslashes($_POST['data']);
              > }
              >
              > as in the example at PHP.net. I suppose the best solution depends on how
              > Robert wants to use the text immediately...

              I won't argue with that. In fact: Unless he has direct control over
              the server, the above would be a very good idea.

              My point was that, if he *does* have control over the server, it's
              safer to leave magic_quotes_gpc on, and use stripslashes() on the
              variables in which he knows he doesn't want the escapes. He's less
              likely to have a security problem if he fails to run stripslashes()
              when he meant to than he would failing to run addslashes() when he
              needs to.

              Then again: I'm one of those dinosaurs that believes in application-
              layer proxy firewalls and "That which isn't explicitly allowed, is
              denied" policy ;).

              --
              Jim Seymour                    | PGP Public Key available at:
              WARNING: The "From:" address   | http://www.uk.pgp.net/pgpnet/pks-commands.html
              is a spam trap.  DON'T USE IT! |
              Use: jseymour@LinxNet.com      | http://jimsun.LinxNet.com


              • Robert Stearns

                #8
                Re: where do the backslashes (\) come from?

                Jim Seymour wrote:

                > In article <25SMc.161854$IQ4.137836@attbi_s02>,
                > "kingofkolt" <jessepNOSPAM@comcast.net> writes:
                > [snip]
                >
                >>Well, I guess I was supposing that Robert's situation was this: a user
                >>enters text into a textbox and submits it and the text is entered into a
                >>database. In that case, probably the best way to deal with the "magic
                >>quotes" is to use something like this:
                >>
                >>if (!get_magic_quotes_gpc()) {
                >> $data=addslashes($_POST['data']);
                >>}
                >>
                >>as in the example at PHP.net. I suppose the best solution depends on how
                >>Robert wants to use the text immediately...
                >
                >
                > I won't argue with that. In fact: Unless he has direct control over
                > the server, the above would be a very good idea.
                >
                > My point was that, if he *does* have control over the server, it's
                > safer to leave magic_quotes_gpc on, and use stripslashes() on the
                > variables in which he knows he doesn't want the escapes. He's less
                > likely to have a security problem if he fails to run stripslashes()
                > when he meant to than he would failing to run addslashes() when he
                > needs to.
                >
                > Then again: I'm one of those dinosaurs that believes in application-
                > layer proxy firewalls and "That which isn't explicitly allowed, is
                > denied" policy ;).
                >

                Thanks everyone for your input on this question. In my case, input
                strings are either put into the database or compared to strings already
                there. My DBMS's (DB2) way of quoting apostrophes is to double them,
                which I am doing on variables of type character and varchar. I never
                execute strings directly from the client, thus the risk is minimal, so
                I'm going with magic_quotes_gpc off.

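The escaping conventions discussed in this thread, as an added example that is not part of any poster's message: it compares a magic-quoted value, manual apostrophe doubling, and a bound parameter when the DBMS follows the SQL-standard doubling rule. It assumes PDO with an in-memory SQLite database as a stand-in for DB2; the `people` table, the `sql_double()` helper and the sample name are hypothetical.

```php
<?php
// Added illustration, not code from the thread. SQLite in memory stands in
// for DB2 (assumption): both use the SQL-standard '' escape and treat a
// backslash inside a string literal as an ordinary character.
// The table "people" and the sample name are constructed for this example.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE people (how VARCHAR(40), name VARCHAR(40))');

$typed = "O'Brien";           // what the user typed into the text box
$magic = addslashes($typed);  // same backslash escaping magic_quotes_gpc=On applied

// Standard SQL quoting, as Robert describes for DB2: double each apostrophe.
function sql_double(string $s): string
{
    return str_replace("'", "''", $s);
}

// 1. Magic-quoted value dropped straight into a literal: the backslash does
//    not escape anything here, so the apostrophe ends the string early and
//    the statement is rejected.
try {
    $db->exec("INSERT INTO people VALUES ('magic only', '$magic')");
} catch (PDOException $e) {
    echo "magic only: statement rejected\n";
}

// 2. Doubling a value that magic quotes already touched: valid SQL, but the
//    backslash is now stored as data (the symptom in the first post).
$db->exec("INSERT INTO people VALUES ('magic + doubling', '" . sql_double($magic) . "')");

// 3. magic_quotes_gpc off, doubling only: the approach Robert settles on.
$db->exec("INSERT INTO people VALUES ('doubling only', '" . sql_double($typed) . "')");

// 4. Bound parameter: the value never becomes part of the SQL text, so no
//    escaping convention has to be remembered or matched to the DBMS.
$stmt = $db->prepare('INSERT INTO people VALUES (?, ?)');
$stmt->execute(['bound parameter', $typed]);

foreach ($db->query('SELECT how, name FROM people') as $row) {
    printf("%-18s %s\n", $row['how'], $row['name']);
}
```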