
Possible Duplicate:
PHP 5.3 automatically escapes $_GET/$_POST from form strings?

I have a problem that I cannot fix. I have search functionality on my website that passes variables. Some of the url variables may have apostrophes in them. For example:

http://xyz.php?var=that's

My problem is that when the variables are passed it adds a \ to escape the apostrophe. Then when I click a paging button it will escape the escape, adding another \. Is there a way to stop the escaping of the URL? It works fine when it returns the apostrophe or only escapes once.

http://xyz.php?var=that's or http://xyz.php?var=that\'s

but when I paginate it escapes the escape and

http://xyz.php?var=that\\\'s

when it escapes the escape, adding multiple slashes, it breaks my search or returns no results.

Does anyone know of the PHP function to stop this from escaping the escape, or not escaping the URL at all? Thank you.

user982853

2 Answers


Probably prevent automatically adding slashes while using parse_str?

<?php
// Note: magic quotes were deprecated in PHP 5.3; set_magic_quotes_runtime()
// was removed in PHP 7.0 and the get_magic_quotes_*() functions in PHP 8.0.

// Turn off magic_quotes_runtime
if (get_magic_quotes_runtime())
    set_magic_quotes_runtime(0);

// Strip slashes from GET/POST/COOKIE (if magic_quotes_gpc is enabled)
if (get_magic_quotes_gpc())
{
    // Recurse so nested values (e.g. var[]=...) are unescaped as well
    function stripslashes_array($array)
    {
        return is_array($array) ? array_map('stripslashes_array', $array) : stripslashes($array);
    }

    $_GET = stripslashes_array($_GET);
    $_POST = stripslashes_array($_POST);
    $_COOKIE = stripslashes_array($_COOKIE);
}

And see stripslashes, if you're not happy with disabling magic_quotes.

Anton Bessonov
  • I turned on magic_quotes_sybase and now it does not escape the ' and looks to work fine, but I wanted to ask if turning this on causes any problems or risk? Thank you. – user982853 Oct 20 '12 at 20:01
  • Yes, it can. For example if you use a CMS or blog that relies on escaping, you get security holes (but I think every good CMS does not rely on escaping). If you code the website yourself, you should filter user input anyway. Never write "SELECT * FROM table WHERE id = ". $_GET['id']; – Anton Bessonov Oct 20 '12 at 20:27

To escape URL parameters, you use urlencode() (or urldecode(), to decode a URL).

When you put the variable value inside a query, you use mysql_real_escape_string()

<a href="search.php?var=<?php echo urlencode("something isn't right"); ?>">search</a>

and

mysql_query("SELECT .. WHERE x = '" . mysql_real_escape_string($_GET['var']) . "'");

and you should be fine.

Disable magic quotes if they're enabled in the server's configuration!

Mārtiņš Briedis
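Added example, not code from the question or either answer: it reproduces the double-escaping the question describes, then applies both answers together: normalise $_GET once (the stripslashes approach from the first answer), build the paging link with http_build_query(), which urlencodes each value as the second answer advises, and bind the search term with a PDO prepared statement instead of concatenating it into the query. It assumes the pdo_sqlite extension is available; normalise_gpc(), next_page_url() and search() are names chosen here.

```php
<?php
// Added example, not code from the question or the answers.

// Undo magic_quotes_gpc once, at the top of the request. On PHP 8 the
// function no longer exists (magic quotes are gone), so guard the call.
function normalise_gpc(array $params): array
{
    if (function_exists('get_magic_quotes_gpc') && @get_magic_quotes_gpc()) {
        $params = array_map('stripslashes', $params);
    }
    return $params;
}

// Build the "next page" link. http_build_query() runs urlencode() on each
// value, so an apostrophe travels as %27 and decodes back to ' on the next hop.
function next_page_url(string $script, array $params, int $page): string
{
    $params['page'] = $page;
    return $script . '?' . http_build_query($params);
}

// Bound parameter: the apostrophe in the search term is data, never SQL syntax.
function search(PDO $db, string $term): array
{
    $stmt = $db->prepare('SELECT id, title FROM items WHERE title LIKE ?');
    $stmt->execute(['%' . $term . '%']);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed input: what the browser sends for ?var=that's&page=1
$_GET = ['var' => "that's", 'page' => '1'];
$params = normalise_gpc($_GET);

// The broken pattern from the question: escaping again on every page hop
// (addslashes stands in for magic quotes) multiplies the backslashes.
$twice_escaped = addslashes(addslashes($params['var']));
echo 'escaped on two hops: ', $twice_escaped, PHP_EOL;

// The fixed link carries the apostrophe as a percent-encoded byte instead.
echo 'next page link:      ', next_page_url('search.php', $params, 2), PHP_EOL;

// In-memory SQLite table so the query runs offline (pdo_sqlite assumed).
$db = new PDO('sqlite::memory:');
$db->exec('CREATE TABLE items (id INTEGER PRIMARY KEY, title TEXT)');
$db->exec("INSERT INTO items (title) VALUES ('that''s it'), ('other')");
print_r(search($db, $params['var']));
```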