"slash before every quote" problem [duplicate]

mysql security html php

I have a php page which contains a form.

Sometimes this page is submitted to itself (like when pics are uploaded).

I wouldn't want users to have to fill in every field again and again, so I use this as a value of a text-input inside the form:

value="<?php echo htmlentities(@$_POST['annonsera_headline'],ENT_COMPAT,'UTF-8');?>">

This works, except it adds a "\" sign before every double-quote...

For instance writing 19" wheels gives after page is submitted to itself:

  19\" wheels

And if I don't even use htmlentities then everything after the quotes dissappears.

What is the problem here?

UPDATE:

Okay, so the prob is magic_quotes... This is enabled on my server...

Should I disable it? I have root access and it is my server :)

Whats the harm in disabling it?


Looks like you have magic quotes turned on. Use below condition using stripslashes with whatever text you want to process:

if(get_magic_quotes_gpc())
{
   $your_text = stripslashes($your_text);
}

Now you can process $your_text variable normally.

Update:

Magic quotes are exaplained here. For well written code there is normally no harm in disabling it.


You likely have magic quotes turned on. You need to stripslashes() it as well.

Nicest way would be to wrap this in a function:

function get_string($array, $index, $default = null) {
    if (isset($array[$index]) && strlen($value = trim($array[$index])) > 0) {
        return get_magic_quotes_gpc() ? stripslashes($value) : $value;
    } else {
        return $default;
    }
}

Which you can use as

$annonsera_headline = get_string($_POST, 'annonsera_headline');

By the way:

And if I don't even use htmlentities then everything after the quotes dissappears.

It's actually still there in the HTML source, you only don't see it. Do a View Source ;)

Update as per your update: the magic quotes is there to prevent SQL injection attacks in code of beginners. You see this often in 3rd party hosts. If you really know what you're doing in the code, then you can safely turn it off. But if you want to make your code distributable, then you'll really take this into account when gathering request parameters. For this the above function example is perfectly suitable (you only need to write simliar get_boolean(), get_number(), get_array() functions yourself).


Yes, you should disable magic quotes if you can. The feature is deprecated, and will likely go away completely in the future. If you've relied on magic quotes for escaping data (for instance when inserting it into a database) you will may be opening yourself up to sql injection vulnerabilities if you disable it. You should check all your queries and make sure you're using mysql_real_escape_string().

I include the following file to undo magic quotes in apps that are deployed to servers not under my control.

<?php
set_magic_quotes_runtime(0);

function _remove_magic_quotes(&$input) {
    if(is_array($input)) {
        foreach(array_keys($input) as $key) _remove_magic_quotes($input[$key]);
    }
    else $input = stripslashes($input);
}
if(get_magic_quotes_gpc()) {
    _remove_magic_quotes($_REQUEST);
    _remove_magic_quotes($_GET);
    _remove_magic_quotes($_POST);
    _remove_magic_quotes($_COOKIE);
}

return true;
?>

Related

how to calculate difference between two dates using java [duplicate]
DateTime.TryParse century control C#
OutOfMemoryException while populating MemoryStream: 256MB allocation on 16GB system
How to run an external program, e.g. notepad, using hyperlink?
NumPy 1.21.2 may not yet support Python 3.10
Python string.strip stripping too many characters [duplicate]
MySqlCommand Command.Parameters.Add is obsolete
Is auto as a parameter in a regular function a GCC 4.9 extension?
Ruby multiline block without do end
How do I print escape characters in Java?
Safe Alternative to gets [duplicate]
Reversing an MD5 Hash [duplicate]