0

I have an HTML form which is handled by PHP. When I submit the form, it shows backslashes if I write, for example: 5 rue de l'ourq. If I submit the form again because I wrongly entered some other field of the form, it shows 5 rue de l\'ourq and then 5 rue de l\\'ourq. This happens in the address field.

PHP variables:

```php
$address = $_POST['address'];
$title = inputvalid($_POST['title']);
$f_name = inputvalid($_POST['f_name']);
```

The problem is the $address variable. I don't know why it shows the backslashes. That's why I didn't apply the inputvalid function to that variable, but I can't fix this. Any ideas?

Alex Mojum
  • Check `magic_quotes_gpc` option in your php.ini file and set it to `Off`. My answer is below. – TheJSB Mar 29 '13 at 13:15
  • Perhaps the [addslashes()](http://php.net/manual/en/function.addslashes.php) function, so you need [stripslashes()](http://www.php.net/manual/en/function.stripslashes.php) also – Ron van der Heijden Mar 29 '13 at 13:15
  • There probably is an issue in your character escaping prior to database insertion. Using prepared statements would solve the problem. – Sebas Mar 29 '13 at 13:15

5 Answers

6

Sounds like you have magic_quotes turned on. You need to turn them off in your PHP settings.

If you can't turn off magic_quotes, I would make the first thing your inputvalid() function does a check to see if magic_quotes are enabled; if they are, then call stripslashes() on the values.

http://php.net/manual/en/security.magicquotes.disabling.php

According to the link above, you can simulate disabling at runtime by adding the following code, but it is really just doing the same thing as I said above: checking if magic_quotes are on, then calling stripslashes() on the input arrays:

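```php
// Only act when magic quotes have escaped the incoming data.
if (get_magic_quotes_gpc()) {
    // Work queue of references to the superglobals; nested arrays are appended below.
    $process = array(&$_GET, &$_POST, &$_COOKIE, &$_REQUEST);
    while (list($key, $val) = each($process)) {
        foreach ($val as $k => $v) {
            // Re-insert each entry under its unescaped key.
            unset($process[$key][$k]);
            if (is_array($v)) {
                // Nested array: keep it and queue it for a later pass.
                $process[$key][stripslashes($k)] = $v;
                $process[] = &$process[$key][stripslashes($k)];
            } else {
                // Scalar value: remove the added backslashes.
                $process[$key][stripslashes($k)] = stripslashes($v);
            }
        }
    }
    unset($process);
}
```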
Pitchinnate
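The growing backslashes from the question and the strip-once approach from the answer above, as an added example that is not code from the thread: `addslashes()` stands in for `magic_quotes_gpc` so that it runs on current PHP, and all function names and the `customers` table are hypothetical.

```php
<?php
// Added example, not code from the thread. All function names and the
// `customers` table are hypothetical; needs PHP 7+ with pdo_sqlite.

// What magic_quotes_gpc did to every GET/POST/COOKIE value: addslashes().
function simulate_magic_quotes(string $raw): string {
    return addslashes($raw);
}

// Undo the automatic escaping exactly once, at the input boundary.
// $quotesOn stands in for get_magic_quotes_gpc(), which was removed in PHP 8.
function normalize_input(string $value, bool $quotesOn): string {
    return $quotesOn ? stripslashes($value) : $value;
}

// Escape for the HTML attribute context when re-displaying the form.
function render_field(string $value): string {
    return '<input name="address" value="'
        . htmlspecialchars($value, ENT_QUOTES, 'UTF-8') . '">';
}

// What a browser would post back from that rendered field.
function browser_resubmit(string $html): string {
    preg_match('/value="([^"]*)"/', $html, $m);
    return html_entity_decode($m[1], ENT_QUOTES, 'UTF-8');
}

$typed = "5 rue de l'ourq"; // constructed sample input, taken from the question

// Broken flow: the escaped value is echoed back unchanged, so each failed submit adds a layer.
$value = $typed;
for ($i = 1; $i <= 2; $i++) {
    $value = simulate_magic_quotes($value);
    echo "broken, submit $i: $value\n";
}

// Fixed flow: strip once on input, escape only for the output context.
$value = $typed;
for ($i = 1; $i <= 2; $i++) {
    $clean = normalize_input(simulate_magic_quotes($value), true);
    $value = browser_resubmit(render_field($clean));
    echo "fixed,  submit $i: $value\n";
}

// Storage: bind the clean value as a parameter; no manual escaping.
$pdo = new PDO('sqlite::memory:');
$pdo->exec('CREATE TABLE customers (address TEXT)');
$pdo->prepare('INSERT INTO customers (address) VALUES (?)')->execute([$value]);
echo 'stored: ', $pdo->query('SELECT address FROM customers')->fetchColumn(), "\n";
```

The value stays unescaped inside the application and is escaped only where it leaves it: `htmlspecialchars()` for the form field, a bound parameter for the database.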
0

PHP adds backslashes to escape the ' because it would literally mean the opening of a string.

Use stripslashes() to remove them.

Xenolithic
0

Your inputvalid function is preventing SQL injections which are used to load and modify information from your database. The function escapes ' and " to prevent the injections. Your code should be able to translate those escaped characters back to a human-readable form after loading the information from the database.

Luceos
0

Put this in your config file:

```php
ini_set('magic_quotes_gpc', 'off');
```

OR, if this is not allowed on your server, put this in config:

```php
##/ Special Code to stop get_magic_quotes_gpc
function stop_magic_quotes($in)
{
    $out = $in;

    if(function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc())
    {
        if(is_array($out))
        {
            foreach($out as $k=>$v)
            {
                $v = stop_magic_quotes($v);
                $out[$k] = $v;
            }
        }
        else
        {
            $out = stripslashes($out);
        }
    }

    return $out;
}//end func

if(function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc())
{
    $_GET = array_map('stop_magic_quotes', $_GET);
    $_POST = array_map('stop_magic_quotes', $_POST);
}//end if
```
Raheel Hasan
0

From my comment to this question:

Check the magic_quotes_gpc option in your php.ini file and set it to Off. Don't forget to restart the PHP process. If you don't have direct access to the php.ini file, try this:

```php
<?php ini_set('magic_quotes_gpc', 'Off'); ?>
```
TheJSB