1

The HTML form accepts textarea input, and I am using the $_POST value to put the input value back into the textarea when I am displaying it. For example:

```php
<html>
<?php if ($_POST['input']) { ?>
<form method="post" action="<?=$PHP_SELF?>">
<textarea name="input" cols="60" rows="20"><?=$_POST['input']?></textarea>
<input type="submit" value="Test it">
</form>
<?php
} else {
?>
Please copy in a text of your choice
<br /><br />
<form method="post" action="<?=$PHP_SELF?>">
<textarea name="input" cols="60" rows="20"></textarea>
<input type="submit" value="Test it">
</form>
<?php } ?>
</html>
```

Everything works fine except that a backslash '\' is added to every single quote and double quote. How can I set some setting to prevent the backslash from being added?

Sam

3 Answers

2

After a long search I solved this problem like this:

In your page where you want to display the textarea content, just add this

```php
<?php echo stripslashes($shortcode_name) ?>
```

Of course you need to replace $shortcode_name with your shortcode. That is all. SOLVED

ronalchn
Narcis
2

Disable magic quotes - see http://php.net/manual/en/security.magicquotes.php - if you're on shared hosting and your hoster is stupid and doesn't want to / let you change it (see that page for why it is stupid), use stripslashes() on every value you get out of the $_GET, $_POST, $_COOKIE arrays.

On a side note, don't echo input values back (that includes PHP_SELF) into the HTML output without sending them through htmlspecialchars(), or you have security issues. See http://en.wikipedia.org/wiki/Cross-site_scripting for more information.

etarion
  • but be careful! those backslashes are there to prevent sql-injections - not the best way, but the php way... – rdmueller Feb 07 '11 at 18:22
  • 2
    Exactly. In ADDITION use `<?=htmlspecialchars($_POST['input'])?>` instead of `<?=$_POST['input']?>`. Otherwise you may get unexpected results (such as invalid html as output) or this could even be used for malicious intentions (XSS). – yankee Feb 07 '11 at 18:23
  • 1
    No, "the PHP way" is to use `mysqli_real_escape_string` or prepared statements or whatever the database connector offers - magic quotes are always a mistake. – etarion Feb 07 '11 at 18:24
  • you are right - that's the "good" php way. But I get the impression that most hosters configure the magic quotes in order to help beginners not to make too big mistakes - that's why you find those magic quotes often in php environments and nowhere else :-) – rdmueller Feb 07 '11 at 19:25
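
A sketch combining the advice in the answers on this page, added here as an example and not code from any of the posters: it strips slashes only when magic quotes are actually enabled, keeps the raw text in a variable, and escapes with htmlspecialchars() at the point of output. The helper names `undo_magic_quotes` and `h` are hypothetical.

```php
<?php
// Added example, not from the original posts. Helper names are hypothetical.

/**
 * Undo magic_quotes_gpc on a request value (string or nested array).
 * get_magic_quotes_gpc() was removed in PHP 8.0, so check that it exists first.
 */
function undo_magic_quotes($value)
{
    if (!function_exists('get_magic_quotes_gpc') || !get_magic_quotes_gpc()) {
        return $value; // no slashes were added, so stripping would eat real backslashes
    }
    return is_array($value)
        ? array_map('undo_magic_quotes', $value)
        : stripslashes($value);
}

/** Escape a value for HTML element content or a quoted attribute. */
function h($value)
{
    return htmlspecialchars($value, ENT_QUOTES, 'UTF-8');
}

// Raw text as the user typed it; escaping happens only when it is printed.
$input = isset($_POST['input']) && is_string($_POST['input'])
    ? undo_magic_quotes($_POST['input'])
    : '';
// SCRIPT_NAME omits trailing path info, unlike PHP_SELF; it is still escaped.
$action = h($_SERVER['SCRIPT_NAME']);
?>
<html>
<body>
<?php if ($input === ''): ?>
Please copy in a text of your choice
<br /><br />
<?php endif; ?>
<form method="post" action="<?php echo $action; ?>">
<textarea name="input" cols="60" rows="20"><?php echo h($input); ?></textarea>
<input type="submit" value="Test it">
</form>
</body>
</html>
```

The same unescaped `$input` is what should be passed to prepared statements if the text is stored; HTML escaping and slash stripping are both output/input concerns, not SQL protection.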
0

You can also use stripslashes.

```php
<textarea name="input" cols="60" rows="20"><?php echo stripslashes($_POST['input']); ?></textarea>
```
Arvin