
Baffled by PHP escaping of double-quotes in HTML forms

I have a simple PHP script I use to front-end an SQLite database. It's nothing fancy or complex. But I have noticed from looking at the records in the database that anything I enter in a form-field with double-quotes comes across in the form-processing as though I'd escaped the quotes with a backslash. So when I entered a record with the title:

British Light Utility Car 10HP "Tilly"

what shows up in the database is:

British Light Utility Car 10HP \"Tilly\"

I don't know where these are coming from, and what's worse, even using the following preg_replace doesn't seem to remove them:

$name = preg_replace('/\\"/', '"', $_REQUEST['kits_name']);

If I dump out $name, it still bears the unwanted \ characters.


You most probably have magic_quotes_gpc set to on in php.ini. If you want to avoid that and use your own regex, make a check like this:

if (get_magic_quotes_gpc())
{
   $mytext = stripslashes($your_text);
}

// and your further code....


This means your server has magic_quotes_gpc enabled.

You can use ini_set() to disable this setting, or you can create a method to filter the $_REQUEST values:

function getRequest($key)
{
  $val = $_REQUEST[$key];
  if(get_magic_quotes_gpc() == 1) {
    $val = stripslashes($val);
  }
  return $val;
}

echo getRequest('kits_name');


Is it possible magic quotes are enabled on the server?


You probably have magic quotes turned on.

You should disable these as it's bad practice and is deprecated.

View this doc to learn how to disable them.


Well because of lack of good answers.
As they said above, it is because magic quotes are on.
You have to get rid of these slashes before inserting your data. So, to get rid of it you can use either .htaccess (if any) with these settings

php_flag magic_quotes_gpc 0
php_flag magic_quotes_runtime 0

or make it manually, with code like this

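if ( get_magic_quotes_gpc( ) ) {
  // array_map_recursive() is not built into PHP and must be defined elsewhere
  $_GET = array_map_recursive('stripslashes', $_GET) ;
  $_POST = array_map_recursive('stripslashes', $_POST) ;
  $_COOKIE = array_map_recursive('stripslashes', $_COOKIE) ;
  $_REQUEST = array_map_recursive('stripslashes', $_REQUEST) ;
  // stripslashes() returns the cleaned string, so the result is assigned back
  if (isset($_SERVER['PHP_AUTH_USER'])) $_SERVER['PHP_AUTH_USER'] = stripslashes($_SERVER['PHP_AUTH_USER']);
  if (isset($_SERVER['PHP_AUTH_PW'])) $_SERVER['PHP_AUTH_PW'] = stripslashes($_SERVER['PHP_AUTH_PW']);
}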

if your php version doesn't support array_map_recursive function, you can use a recursive function like this one

function strips(&$el) { 
  if (is_array($el)) 
    foreach($el as $k=>$v) 
      strips($el[$k]); 
  else $el = stripslashes($el); 
} 

or write your own one. You can use this code to cleanse your existing data.

As for

If I dump out $name, it still bears the unwanted \ characters.

it may be the result of wrong use of the htmlspecialchars function
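
The behaviour discussed in this thread, as an added example that is not part of any post above: it shows why the question's pattern leaves the backslashes in place, undoes the slashes only when magic quotes added them, and stores the title in SQLite through a bound parameter. The kits table, the helper names and the sample string are assumptions constructed for the example, and the PDO SQLite driver is assumed to be installed.

```php
<?php
// Added example; table name, helper names and sample data are hypothetical.

// Constructed sample: the title as it arrives with magic_quotes_gpc on.
$raw = 'British Light Utility Car 10HP \\"Tilly\\"';

// The question's pattern. In a single-quoted PHP string '/\\"/' becomes the
// regex /\"/, and PCRE reads \" as a plain quote, so no backslash is matched.
$unchanged = preg_replace('/\\"/', '"', $raw);
var_dump($unchanged === $raw);

// Matching a literal backslash needs \\ in the regex, i.e. four in PHP source.
$fixed = preg_replace('/\\\\"/', '"', $raw);
var_dump($fixed);

// True only on old PHP with the setting on; the function is absent in PHP 8.
function magic_quotes_active()
{
    return function_exists('get_magic_quotes_gpc') && @get_magic_quotes_gpc();
}

// Undo the added slashes (recursing into array fields) only when they were added.
function clean_input($value, $quoted)
{
    if (!$quoted) {
        return $value;
    }
    return is_array($value)
        ? array_map(function ($v) { return clean_input($v, true); }, $value)
        : stripslashes($value);
}

// $quoted is forced to true because $raw simulates magic-quoted input;
// in a real script pass magic_quotes_active() instead.
$name = clean_input($raw, true);

// Store the clean value with a bound parameter, so quoting for SQL is done
// by the driver rather than by slashes in the data.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE kits (kits_name TEXT)');
$stmt = $db->prepare('INSERT INTO kits (kits_name) VALUES (:name)');
$stmt->execute(array(':name' => $name));

echo $db->query('SELECT kits_name FROM kits')->fetchColumn(), "\n";
```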
