PHP adding backslashes to POST data

Question

I have a form that submits to a database. But before it enters the database the submitted data is output on the screen. Currently, if I have "Mike's" submitted, it outputs "Mike\'s".

I have tried the below code to see if it is Magic Quotes, but this has not helped.

if ((function_exists("get_magic_quotes_gpc") && get_magic_quotes_gpc()) ||
    ini_get('magic_quotes_sybase')
   ) {

    foreach($_GET as $k => $v)
        $_GET[$k] = stripslashes($v);
    foreach($_POST as $k => $v)
        $_POST[$k] = stripslashes($v);
    foreach($_COOKIE as $k => $v)
        $_COOKIE[$k] = stripslashes($v);
}

What should I look for?

Use `phpinfo()` to see if magic quotes is turned on just to definitely rule it out. — John Conde, Mar 05 '14 at 16:17
I'm running version 5.4 so I don't think there is even magic quotes within it — Somk, Mar 05 '14 at 17:16
Does the data in the database have the character escapes in it? — Josiah Hudson, Mar 30 '16 at 14:24
Related: *[With “magic quotes” disabled, why does PHP/WordPress continue to auto-escape my POST data?](https://stackoverflow.com/questions/8949768)* — Peter Mortensen, Dec 01 '19 at 01:40

score 0 · Answer 1 · edited Mar 05 '14 at 16:41

0

Note: To sanitize the string

<?php

    $mike = "Mike's";

    echo filter_var($mike, FILTER_SANITIZE_STRING);

?>

edited Mar 05 '14 at 16:41

Wesley Bland

8,816
3
44
59

answered Mar 05 '14 at 16:22

CS GO

914
6
20

The suspense! What is it supposed to achieve (in that example)? Is the string changed in any way? If it is changed, what is it changed to? – Peter Mortensen Dec 01 '19 at 00:28

score 0 · Answer 2 · edited Dec 01 '19 at 00:30

0

There's a possibility it's in the code you're using to output to the screen.

If you were, for instance, using var_export(), one would expect to see character escapes on apostrophes.

edited Dec 01 '19 at 00:30

Peter Mortensen

30,738
21
105
131

answered Mar 05 '14 at 16:25

Josiah Hudson

1,015
8
14

score 0 · Answer 3 · edited May 23 '17 at 12:24

Despite looking like a constant, editing $_POST should work. Then again, your code didn't work for me, either.

This works:

function getReq($key){
    return isset($_REQUEST[$key]) ? stripslashes($_REQUEST[$key]) : "";
}

I haven't found why PHP (5.3.0 on WAMPSERVER 2.0 in my case) seems to magically change POST data while get_magic_quotes_gpc() returns 0, and frankly don't care to waste more time on its dirty innards.

score 0 · Answer 4 · answered Dec 01 '19 at 00:38

It seems silly to answer after all these years but I see your post is active so i'll try.

First try this function stripslashes(). Doc: (https://www.php.net/manual/en/function.stripslashes.php)

Should this not work.

Do you display the data directly from the $_POST variable or retrieve it from the DB? It might be saved as is in the DB and that would mean a UTF8 convert issue.

I kept my answer short and don't wish to add more unncessary info unless you need it.

PHP adding backslashes to POST data

4 Answers4