开发者

PHP Escaping query string variables

开发者 https://www.devze.com 2023-02-22 11:34 出处:网络
I have created a form in my web application which has only a single text field and that field is posted to a PHP page using GET, but I am observing strange behavior. i.e. when I test it on my local se

I have created a form in my web application which has only a single text field and that field is posted to a PHP page using GET, but I am observing strange behavior. i.e. when I test it on my local server, the text is received as it was written in the text field, but when I upload it to my online server, the receive开发者_运维知识库d string is escaped automatically means, all single quotes and double quotes are escaped. e.g. If I write It's not true... then on php side I will get

$comment = $_REQUEST["comm"];
print $comment;
//will print It\'s not true... on my online server
//will print It's not true... on my local server

I am yet unable to under stand why is it so? Is there any PHP setting for escaping Query Strings variables automatically?


You have "magic quotes" enabled. They're a terrible misfeature which are luckily being removed in the next version of PHP. The PHP manual has a guide to disabling them.

In short, you need to set the following configuration items to Off in your php.ini file:

  • magic_quotes_gpc
  • magic_quotes_runtime
  • magic_quotes_sybase

Specifically, your problem appears to be with magic_quotes_gpc - the "gpc" portion being short for "GET, POST, and COOKIE" - but it's good practice to keep all of them disabled.


Code will tell you every thing what you need..

function mysql_prep($value) {
$magic_quotes_active = get_magic_quotes_gpc();
$new_enough_php = function_exists("mysql_real_escape_string"); // i.e. PHP >= v4.3.0
if ($new_enough_php) { // PHP v4.3.0 or higher
    // undo any magic quote effects so mysql_real_escape_string can do the work
    if ($magic_quotes_active) {
        $value = stripslashes($value);
    }
    $value = mysql_real_escape_string($value);
} else { // before PHP v4.3.0
    // if magic quotes aren't already on then add slashes manually
    if (!$magic_quotes_active) {
        $value = addslashes($value);
    }
    // if magic quotes are active, then the slashes already exist
}
return $value;
}

create above function and pass-on values to this function

and then call the values like

$yourVar = mysql_prep($_POST['yourControlName']);

I hope you may get every thing explained via comments...


I think its a setting within the php.ini file. You can call a PHP function to disable it, but by then it's too late.

0

精彩评论

暂无评论...
验证码 换一张
取 消

关注公众号