
We are currently upgrading our site from PHP 5.3 to 7.1 and have noticed that apostrophes in posted values are not escaped.

E.g.,

```php
echo $_POST['surname'];
// returns O\'Brady in PHP 5
// returns O'Brady in PHP 7
```

This causes problems for us later on when these values are used in MySQL queries.

Can anyone suggest why this is happening and is there a simple workaround for it?

  • When the magic_quotes config setting is on, all `'` (single-quote), `"` (double quote), `\` (backslash) and NUL's are escaped with a backslash automatically.... but [magic_quotes](http://php.net/manual/en/security.magicquotes.php) was deprecated in 5.3.0, and should no longer exist since 5.4.0 – Mark Baker Apr 27 '17 at 11:51
  • In other words: this is nothing in the language that has changed between versions, but inside the configuration. – arkascha Apr 27 '17 at 11:53
  • So is the only option to update every query with addslashes? – user7930253 Apr 27 '17 at 13:08
  • No! The best option is to use prepared statements with bind variables – Mark Baker Apr 27 '17 at 15:21
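
The prepared-statement approach suggested in the last comment, as an added example that is not part of the original thread. It uses PDO with an in-memory SQLite database standing in for MySQL (an assumption, so the script runs offline); the `customers` table and the helper function names are hypothetical.

```php
<?php
// Added example: values reach the database as bound parameters, so neither
// magic_quotes nor addslashes() is involved and nothing is escaped by hand.
// Assumption: SQLite in memory replaces MySQL here. For MySQL, change the DSN
// to 'mysql:host=...;dbname=...;charset=utf8mb4', pass credentials, and set
// PDO::ATTR_EMULATE_PREPARES to false to get server-side prepares.
declare(strict_types=1);

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE customers (id INTEGER PRIMARY KEY, surname TEXT NOT NULL)');

/** Insert a surname through a bound parameter and return the new row id. */
function addCustomer(PDO $pdo, string $surname): int
{
    $stmt = $pdo->prepare('INSERT INTO customers (surname) VALUES (:surname)');
    $stmt->execute([':surname' => $surname]);
    return (int) $pdo->lastInsertId();
}

/** Read a surname back by id, again through a bound parameter. */
function surnameById(PDO $pdo, int $id): ?string
{
    $stmt = $pdo->prepare('SELECT surname FROM customers WHERE id = :id');
    $stmt->execute([':id' => $id]);
    $value = $stmt->fetchColumn();
    return $value === false ? null : (string) $value;
}

// Constructed stand-in for the form submission in the question. PHP 7
// delivers it unescaped, exactly as the user typed it.
$_POST['surname'] = "O'Brady";

// Second constructed value: every character magic_quotes used to escape.
$samples = [$_POST['surname'], 'back\\slash "and" \'quotes\''];

foreach ($samples as $value) {
    $id = addCustomer($pdo, $value);
    $stored = surnameById($pdo, $id);
    // The stored value must be byte-identical: no backslashes added.
    printf("%-28s stored unchanged: %s\n", $value, $stored === $value ? 'yes' : 'no');
}
```

Because the SQL text and the data travel separately, the same code behaves identically on PHP 5 with magic_quotes off and on PHP 7, and values that were escaped by magic_quotes on the old setup no longer end up stored with stray backslashes.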
