1

Possible Duplicate:
PHP, why do you escape my quotes?

If I input the text `don't`, for example, in an input field and then try to display it or save it to MySQL with PHP mysqli prepared statements, I get an extra backslash before the single quote.

```php
$name = $_POST['name'];
echo "name=($name)";
```

This outputs: `don\'t` and I also get this extra backslash stored in MySQL.

How could I avoid this and still be able to input backslashes?

Regards, Magnus Strand

  • 2
    Turn off [magic quotes](http://stackoverflow.com/questions/220437/magic-quotes-in-php). – DCoder Sep 21 '12 at 12:42
  • 2
    Read [The Great Escapism (Or: What You Need To Know To Work With Text Within Text)](http://kunststube.net/escapism/) and http://php.net/manual/en/security.magicquotes.php. – deceze Sep 21 '12 at 12:42
  • 1
    This question has been asked (and answered) before: [PHP, why do you escape my quotes?](http://stackoverflow.com/questions/6324614/php-why-do-you-escape-my-quotes) - Please do not post duplicate questions, but search for your issue to find a question that is about it first. – hakre Sep 21 '12 at 12:49
  • Interesting article deceze recommended. I also found this link useful: [link](http://stackoverflow.com/questions/1153741/how-can-i-disable-php-magic-quotes-at-runtime?rq=1). I use stripslashes now. I forgot to mention that I use PHP 5.3.10 with WordPress 3.2.1 on a Linux web hotel and with a .htaccess file I set to this `php_flag magic_quotes_gpc off` I got this setting locally turned off but not master. – Magnus Strand Sep 21 '12 at 13:35

2 Answers

4

Usage of stripslashes:

```php
echo stripslashes("Who\'s Kai Jim?"); // Who's Kai Jim?
```
Adi
FirmView
1

Open your php.ini file, go to line 460 (almost), and turn off magic quotes, like:

```ini
; Magic quotes for incoming GET/POST/Cookie data.
magic_quotes_gpc = Off

; Magic quotes for runtime-generated data, e.g. data from SQL, from exec(), etc.
magic_quotes_runtime = Off
```

Keeping magic quotes off is a good technique to start with for your application security. Magic quotes are inherently broken. They were meant to sanitize input to the PHP script, but without knowing how that input will be used it's impossible to sanitize correctly.

The PHP man page on magic quotes agrees:

"This feature has been DEPRECATED as of PHP 5.3.0 and REMOVED as of PHP 6.0.0. Relying on this feature is highly discouraged. Magic Quotes is a process that automagically escapes incoming data to the PHP script. It's preferred to code with magic quotes off and to instead escape the data at runtime, as needed."
ScoRpion
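For hosts where the master setting cannot be changed, the two answers can be combined: undo magic quotes once at the input boundary, only when the feature is actually on, then escape for each context at the point of use. The following is an added example, not code from the thread; the helper names and the `people` table are hypothetical, and the input is constructed to include a backslash the user really typed.

```php
<?php
// Added example, not code from the original thread.

/** True only where magic_quotes_gpc still exists (PHP < 5.4.0) and is enabled. */
function magic_quotes_active()
{
    return version_compare(PHP_VERSION, '5.4.0', '<') && get_magic_quotes_gpc();
}

/** Undo what magic_quotes_gpc did to a value (recurses into arrays such as name[]). */
function undo_magic_quotes($value)
{
    if (is_array($value)) {
        return array_map('undo_magic_quotes', $value);
    }
    return is_string($value) ? stripslashes($value) : $value;
}

/** Read a POST field as the user typed it, whatever the server setting is. */
function post_field($key, $quotesActive)
{
    $value = isset($_POST[$key]) ? $_POST[$key] : '';
    return $quotesActive ? undo_magic_quotes($value) : $value;
}

/** Hypothetical table `people`; the bound parameter needs no manual escaping. */
function save_name(mysqli $db, $name)
{
    $stmt = $db->prepare('INSERT INTO people (name) VALUES (?)');
    $stmt->bind_param('s', $name);
    return $stmt->execute();
}

// Constructed input: the user typed  don't C:\temp
$typed = "don't C:\\temp";

// Server with magic quotes on: PHP has already run the equivalent of addslashes().
$_POST['name'] = addslashes($typed);
var_dump(post_field('name', true) === $typed);   // slashes removed exactly once

// Server with magic quotes off: the value arrives untouched and must stay untouched.
$_POST['name'] = $typed;
var_dump(post_field('name', false) === $typed);
var_dump(stripslashes($_POST['name']) === $typed); // unconditional stripslashes eats the typed backslash

// Escape for the context at the point of use: HTML here, a bound parameter for SQL.
echo 'name=(' . htmlspecialchars(post_field('name', magic_quotes_active()), ENT_QUOTES, 'UTF-8') . ")\n";
```

The third comparison is the case the question asks about: calling `stripslashes()` unconditionally alters input that legitimately contains backslashes once magic quotes are off.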