0

My PHP page is accepting a parameter in the URL. This parameter is being assigned to a variable as follows:

$msg = $_REQUEST["msg"];

When the HTTP request is sent to the website, the parameter is sent as "hello'", but when it gets to the PHP variable above it becomes "hello\'".

Why is the backslash being inserted and what is inserting it? Is it the web server? How can I prevent this happening?

hakre
  • 193,403
  • 52
  • 435
  • 836
CJ7
  • 22,579
  • 65
  • 193
  • 321
  • 3
    [PHP Magic Quotes](http://en.wikipedia.org/wiki/Magic_quotes). – DCoder Mar 11 '13 at 07:53
  • 1
    use string stripslashes ( string $str ) – X-Factor Mar 11 '13 at 07:53
  • 1
    possible duplicate of [How to turn off magic quotes in PHP configuration file? I am using XAMPP](http://stackoverflow.com/questions/1748001/how-to-turn-off-magic-quotes-in-php-configuration-file-i-am-using-xampp) or [How can I disable PHP magic quotes at runtime?](http://stackoverflow.com/questions/1153741/how-can-i-disable-php-magic-quotes-at-runtime) – hakre Mar 11 '13 at 07:55
  • @X-Factor: what do you mean? – CJ7 Mar 11 '13 at 07:56
  • @DCoder: PHP Magic Quotes is [DEPRECATED](http://php.net/manual/en/security.magicquotes.php). – fnkr Mar 11 '13 at 07:56
  • @fnkr: that is pointed out in the very first paragraph of my link... – DCoder Mar 11 '13 at 07:57

2 Answers2

1

Magic Quotes is running on you server. You should use stripslashes($text) function:

if(get_magic_quotes_gpc()) 
        $msg = stripslashes($_REQUEST["msg"]); 
   else $msg = $_REQUEST["msg"];
Ashkan Arefi
  • 665
  • 4
  • 7
-2

It is being appended cause your single quote sign is a part of the string. If it would not be escaped - that's the meaning of the backslash - it might be that your string definition is terminated too soon.

Kevin
  • 222
  • 1
  • 5