Problem with $_POST in PHP

Hello,

I faced a problem while trying to use the $_POST command in PHP.

Whenever I try to receive a string that contains any of the characters ', ", \, the output character is accompanied by a \ character.

Code:
<?php

$mystring=$_POST["mystring"];

echo $mystring;

?>

Input: He's known as Michael "Mickey" Brown. This is a \ character.
Output: He\'s known as Michael \"Mickey\" Brown. This is a \\ character.

---------- Post added at 12:03 PM ---------- Previous post was at 12:00 PM ----------

Please note that this problem did not arise when I was using the code on my computer's localhost (Wamp); it started when I uploaded the file to my x10hosting account.
 

Skizzerz

I'm not sure why this is on in the first place; I'm going to talk with the admins to see if I can get that changed since it's been deprecated for years.

However, I suggest that you check the current value of magic_quotes_gpc (either via ini_get() or get_magic_quotes_gpc()) before applying stripslashes() because it will be turned off in the future (it is slated to be completely removed from a future PHP version, but it may be disabled before then).
 

misson

It's probably because so many neophyte developers are completely oblivious to SQL injection, and magic quotes provide at least a small measure of protection for X10's servers. IMO, the registration Turing test should be replaced with something about SQL injection, so X10 can be fairly sure the user won't create vulnerabilities on the servers.

See the various magic quotes threads on X10 for ways of easily undoing magic quotes.

Debojyoti Ghosh, make sure you understand how SQL injection works, and how to prevent it, which is mostly very simple: parameterize statements so user input is kept out of the statement. It's rather like defining a function, with certain values in the statement made into parameters.

See also:
 
Sorry for the very late reply.

Thanks for your advice, everyone.

By the way, 'stripslashes' solved the issue. :)
 

misson

Also, note that $_POST isn't a command, it's a variable. In some languages, there isn't much difference between code and data, but PHP isn't quite that way.
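
An added example (not code from any poster in this thread) that combines the two pieces of advice above: undo magic quotes only when they are actually active, then keep the input out of the SQL text with a prepared statement. The `raw_field()` helper, the `notes` table and the in-memory SQLite database are assumptions made for illustration.

```php
<?php
// Added example; written to run on PHP 5.3 through 8.x. Needs pdo_sqlite.

// Return a request field as the client sent it, or null if absent.
// raw_field() is a hypothetical helper, not a PHP built-in.
function raw_field(array $source, $key)
{
    if (!isset($source[$key]) || !is_string($source[$key])) {
        return null;
    }
    $value = $source[$key];
    // Magic quotes were removed in PHP 5.4 and get_magic_quotes_gpc() itself
    // in PHP 8.0, so only call it on versions where it can return true.
    if (PHP_VERSION_ID < 50400 && get_magic_quotes_gpc()) {
        $value = stripslashes($value);
    }
    return $value;
}

// Constructed stand-in for $_POST, holding the input string from the thread.
// In a real handler, pass $_POST itself.
$post = array(
    'mystring' => 'He\'s known as Michael "Mickey" Brown. This is a \\ character.',
);
$mystring = raw_field($post, 'mystring');

// Hypothetical table; an in-memory SQLite database keeps the example offline.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE notes (id INTEGER PRIMARY KEY, body TEXT)');

// The statement text is fixed; the value travels separately as a parameter,
// so quotes and backslashes in it cannot change the SQL.
$insert = $db->prepare('INSERT INTO notes (body) VALUES (:body)');
$insert->execute(array(':body' => $mystring));

$select = $db->prepare('SELECT body FROM notes WHERE id = :id');
$select->execute(array(':id' => $db->lastInsertId()));
$stored = $select->fetchColumn();

// Escape for the output context (HTML) at the point of output, not at input.
echo htmlspecialchars($stored, ENT_QUOTES, 'UTF-8'), "\n";
```

The stored value is byte-for-byte what the client sent; escaping is applied separately for each context (bound parameters for SQL, `htmlspecialchars()` for HTML) instead of once at input as magic quotes did.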
 