form gives me back characters " and ' with a \


breaststroke

Hello! This is a strange issue for me. I have been using a form inside PHP code for a while. I have some textareas and text inputs inside. It used to work fine. But now, I can't figure out why, the texts I enter into any of those inputs, even when creating the simplest one, give me back the characters " and ' (as in: "hello" I can't) this way: \" and \' (as in: \"hello\" I can\'t), so now they appear with the \ character just before those characters. Testing, even creating this simple form:

    $hello=$_REQUEST['hello'];
    echo $hello;
    print<<<HERE
    <form method="post" action="">
    <input type="text" name="hello"/>
    ....
    </form>
    <button type="submit">Submit</button>
    ..

It gives me back those characters that way, no matter what page I address the form to. I have this meta tag on my page (as I have had for a while, while it worked fine): <meta http-equiv="Content-type" content="text/html; charset=utf-8"/> So I don't know what is happening. I would appreciate any idea. Thank you in advance, regards


I use this function to get values from $_POST or $_GET:

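    function form_var($str, $def = '')
    {
      // get_magic_quotes_gpc() no longer exists in PHP 8; treat that as "off"
      $magic = function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc();

      // prefer POST, fall back to GET, otherwise use the default
      $retval = $def;
      if (isset($_POST[$str]))
        $retval = $_POST[$str];
      elseif (isset($_GET[$str]))
        $retval = $_GET[$str];

      if (is_array($retval))
      {
        foreach ($retval as $k => $v)
        {
          $retval[$k] = trim($v);
          // strip the slashes from the trimmed value, not from the original $v
          if ($magic)
            $retval[$k] = stripslashes($retval[$k]);
        }
      }
      else
      {
        $retval = trim($retval);
        if ($magic)
          $retval = stripslashes($retval);
      }
      return $retval;
    }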

e.g.:

    $name = form_var('name');
    $var = form_var('var', 'default value');

The part that solves your issue is the part where it checks for magic quotes and uses stripslashes.


...and you can also turn magic quotes off by setting 'magic_quotes_gpc' and 'magic_quotes_runtime' to 'off' in your php.ini or by using ini_set() at runtime. Magic quotes are now deprecated.


Are you sure about ini_set? A 2002 editor's note in the online manual points out that $_POST data will already have been populated before ini_set executes, so magic quotes will already have done its work. I don't know if that has changed in more recent versions.


Are you sure about ini_set? A 2002 editor's note in the online manual points out that $_POST data will already have been populated before ini_set executes, so magic quotes will already have done its work. I don't know if that has changed in more recent versions.
Sorry, it's my mistake. I realise it now. Checking the ini directive reminds me that magic_quotes_gpc is PHP_INI_PERDIR, which can be changed from a directory-based php.ini or the system php.ini. Thanks for correcting me.

Sorry, it's my mistake. I realise it now. Checking the ini directive reminds me that magic_quotes_gpc is PHP_INI_PERDIR, which can be changed from a directory-based php.ini or the system php.ini. Thanks for correcting me.
Hello again, thank you very much for your answers! I have tried that function, justsomeguy, and it works fine. I think it will be very useful for me. I didn't have any idea about this matter concerning magic quotes. I have been looking into it on the internet and I have come across the php.net/manual page. It seems it says magic_quotes_gpc can't be deactivated through ini_set(), as you say. It suggests another way to do it other than in php.ini (I don't think I have access to it). It is in .htaccess, just adding: php_flag magic_quotes_gpc Off. I am not used to working with .htaccess at all, but it seems an easy solution. I don't know whether doing that has exactly the same effect as adding that function or not. I will find out and at the same time learn more about this problem. Thank you again, regards

It suggests another way to do it other than in php.ini (I don't think I have access to it). It is in .htaccess, just adding: php_flag magic_quotes_gpc Off. I am not used to working with .htaccess at all, but it seems an easy solution. I don't know whether doing that has exactly the same effect as adding that function or not.
I wouldn't say "exactly the same effect", but the good thing about that function is that it will work regardless of what the magic quotes setting is, so you can move your code between servers and not worry about things like magic quotes.

Hello again, I am having a problem with that function, justsomeguy. It's true that it lets me get the values with magic quotes and stripslashes, but when those values are entered into my database by an INSERT query, I get a warning and the query is not submitted. How could I solve this? Can I do anything to those variables before making the query for them to be "accepted"? Thank you in advance, regards


Hello, this is the error I get: "You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 't "yep"','0','7200','positivo')' at line 7" The 't and "yep" are characters that I entered into the "comment" input to be tested. This is the way I make the query (it works well when I don't use that function to get the variables):

    include('conexion.php');
    // values are interpolated straight into the SQL string, unescaped
    $registros=mysql_query("INSERT INTO tabla(code,name ,age,...,comment,time,....text)
      values('$code','$_REQUEST[name]','$_REQUEST[age]',...,'$comment','$time',....,'$text')",$conexion)
      or die(mysql_error());

This is the part of my form (it is sending the variables to the other page, and I can get their value correctly with that function, as I said yesterday):

    ..
    <form method="post" action="secondpage.php">
    <table>
    ....
    <tr ><td >Comment:<br />
    <textarea name="comment"  rows="15" cols="45"  onkeypress="return validar(event,this);" onkeyup="maximo(this,1000); padding=10px;" onkeydown="maximo(this,1000);"></textarea>
    </td></tr>
    ..
    <button type="submit">Submit</button></td></tr>
    </table>
    </form>

This is how I get the variable 'comment' on secondpage.php, before making the query:

    $comment = form_var('comment');
    //or like this: form_var('comment','default value')

I have tried to simplify since both pages are about two thousand lines long. Thank you in advance, regards


You need to escape the values going into the query. The query is failing because there's a single quote in a word like "don't" which is not escaped and messing up the value. The mysql_real_escape_string function is what you use to escape string values going into a query: http://www.php.net/manual/en/function.mysq...cape-string.php
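
The failure discussed above and one way to avoid it, as an added example that is not part of any post in this thread. It assumes PHP with the pdo_sqlite extension, uses an in-memory SQLite table named `tabla` with a single `comment` column in place of the thread's MySQL table, and swaps in PDO bound parameters for mysql_real_escape_string, since the mysql_* functions were removed in PHP 7.

```php
<?php
// Added example: PDO + in-memory SQLite stand in for the thread's MySQL setup.
// Constructed sample input: what the user typed into the "comment" textarea.
$typed = 'I can\'t "yep"';

// magic_quotes_gpc On behaved like addslashes() applied to every request value,
// so the old concatenated query happened to receive pre-escaped text.
$withMagicQuotes = addslashes($typed);

// form_var() reverses that with stripslashes() and hands back the raw text.
$raw = stripslashes($withMagicQuotes);

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE tabla (id INTEGER PRIMARY KEY, comment TEXT)');

// 1) Concatenating the raw value reproduces the failure: the apostrophe in
//    "can't" ends the SQL string literal early and the statement is rejected.
$concatenated = "INSERT INTO tabla (comment) VALUES ('$raw')";
try {
    $db->exec($concatenated);
    $concatResult = 'accepted';
} catch (PDOException $e) {
    $concatResult = 'rejected: ' . $e->getMessage();
}

// 2) A bound parameter is sent as data, never as SQL text, so quotes in the
//    value cannot change the statement whatever the magic quotes setting was.
$stmt = $db->prepare('INSERT INTO tabla (comment) VALUES (:comment)');
$stmt->execute([':comment' => $raw]);
$stored = $db->query('SELECT comment FROM tabla')->fetchColumn();

echo "concatenated query: $concatResult\n";
echo "stored via bound parameter: $stored\n";
echo 'round trip intact: ' . ($stored === $typed ? 'yes' : 'no') . "\n";
```

Relying on magic quotes for this was never equivalent to database-aware escaping, which is why the query only worked while the server setting happened to be on.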


Hello, thank you very much justsomeguy, it seems to work fine again. What I don't understand is why this has happened all of a sudden. I had been using that form for weeks without that type of problem; and for example, now on a textarea of another page (not a form, just using an UPDATE query) I have been forced to use the function you have just provided me just before the query (without having had to use the "$name = form_var('name');" function before). Still strange for me. I don't know if these things can be caused by some change on my server. Thank you in any case for your valuable help, regards


What I don't understand is why this has happened all of a sudden. I had been using that form for weeks without that type of problem
It was working well before because your magic quotes were enabled at that time and all inputted data was escaped when you entered something in a form. But when you turn it off or use the function to strip them, it becomes unescaped and you have to manually use mysql_real_escape_string to escape the data which needs to be escaped, for the same reason justsomeguy has elaborated. You may want to check this link: http://www.php.net/manual/en/security.magicquotes.whynot.php

Hi birbal, thank you for your comment and explanation. I think I more or less understood that: using the first function to unescape those characters, I have to "escape" them again to insert them in my database. But what is strange (for me) is the fact that I didn't need to unescape those characters until now. The link that you have provided me, and that I was also checking a little yesterday, says it has been recently updated. So maybe magic quotes have been very recently declared deprecated and that's why not until now I have needed to "escape" those characters. Regards, and thank you so much again.


So maybe magic quotes have been very recently declared deprecated and that's why not until now I have needed to "escape" those characters.
It's been deprecated since 5.3, which is almost 2 years old now. It's possible that the magic quotes setting was recently changed on your server for whatever reason.

Archived

This topic is now archived and is closed to further replies.