
$_POST (and possibly $_GET) may or may not be already escaped by server depending on host?


rain13


Hello.

I tried to POST

'"

On my localhost $_POST['test'] shows '" unescaped string exactly as it is

On another host that had some old PHP and possibly a different configuration as well, $_POST['test'] shows '" which as you can see is escaped. Does anyone know what PHP setting specifies whether to escape POST (and possibly GET too?) by default or not? Or what other characters get escaped? I did not call any functions myself. It's escaped by the host's PHP itself.

My software is coded to work with unescaped $_POST and escaping chars by PHP itself causes it to display garbage strings in posts since. Is there a way to disable this auto escaping by the server? Or is there a way to detect if it's on? Because if I write a function that would unescape the whole POST array, then on servers that don't escape POST data by default it would cause data loss.


You can use get_magic_quotes_gpc to detect if it is enabled, and use stripslashes on get, post, and cookie data if so. A function like this will get input from either $_GET or $_POST and strip slashes if necessary:

function form_var($var, $default = '')
{
  $retval = $default;
  // POST takes precedence over GET
  if (isset($_POST[$var]))
    $retval = $_POST[$var];
  elseif (isset($_GET[$var]))
    $retval = $_GET[$var];

  // get_magic_quotes_gpc() no longer exists in PHP 8, so check before calling it
  $magic = function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc();

  if (is_array($retval))
  {
    foreach ($retval as $k => $v)
    {
      $retval[$k] = trim($v);
      // strip the trimmed value, not the original $v, so the trim is kept
      if ($magic)
        $retval[$k] = stripslashes($retval[$k]);
    }
  }
  else
  {
    $retval = trim($retval);
    if ($magic)
      $retval = stripslashes($retval);
  }
  return $retval;
}
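The thread's worry about unescaping the whole array, shown as an added example that is not code from either poster: the input is normalized once and only when the legacy magic_quotes_gpc setting is really active, so hosts that do not escape lose nothing. The function names and sample arrays are hypothetical and constructed for illustration.

```php
<?php
// Added example, not code from the thread; function names are hypothetical.
// Written without PHP 7 syntax so it also runs on old hosts that still
// have magic quotes.

// True only when PHP itself adds slashes to GET/POST/COOKIE input.
// The feature was removed in PHP 5.4, so newer versions never call the
// detection function (deprecated in 7.4, removed in 8.0).
function magic_quotes_active()
{
    return version_compare(PHP_VERSION, '5.4.0', '<') && get_magic_quotes_gpc();
}

// Undo the escaping on every string value, including nested arrays
// such as fields named tags[].
function strip_magic_quotes($value)
{
    if (is_array($value)) {
        foreach ($value as $k => $v) {
            $value[$k] = strip_magic_quotes($v);
        }
        return $value;
    }
    return is_string($value) ? stripslashes($value) : $value;
}

// $active is a parameter so both kinds of host can be simulated below.
function normalize_input($input, $active)
{
    return $active ? strip_magic_quotes($input) : $input;
}

// Constructed sample: form data as delivered by a host with magic quotes on.
$escaped = array('test' => '\\\'\\"', 'path' => 'C:\\\\temp', 'tags' => array('a\\\'b'));
// Constructed sample: the same form data on a host with magic quotes off.
$raw = array('test' => '\'"', 'path' => 'C:\\temp', 'tags' => array('a\'b'));

// Escaping host: stripping restores the submitted data.
var_dump(normalize_input($escaped, true) === $raw);
// Non-escaping host: input is left alone, the backslash in 'path' survives.
var_dump(normalize_input($raw, false) === $raw);
// Stripping data that was never escaped is the data loss the question
// describes: the backslash in 'path' is dropped.
var_dump(normalize_input($raw, true) === $raw);

// In a real bootstrap file, run this once before anything reads the input.
$active  = magic_quotes_active();
$_GET    = normalize_input($_GET, $active);
$_POST   = normalize_input($_POST, $active);
$_COOKIE = normalize_input($_COOKIE, $active);
```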
