
Why php escapes characters in POST and GET?

mikek12004
Familiar Sight
 
Join Date: Sep 2008
Location: Athens, Greece
Posts: 188
#1: Jun 26 '09
I was wondering why PHP escapes the single quotes in a GET or POST variable? Is it just for display purposes, or can the single quote mess up other things too? And does it escape just the single quote, or other characters as well?

Markus
Moderator
 
Join Date: Jun 2007
Location: York, England, with wolves.
Posts: 4,947
#2: Jun 26 '09

Quote:

Originally Posted by mikek12004

I was wondering why PHP escapes the single quotes in a GET or POST variable? Is it just for display purposes, or can the single quote mess up other things too? And does it escape just the single quote, or other characters as well?

You have magic quotes enabled. The idea behind it was to sanitize any input through GET, POST, etc., so that it would be safe to insert into a database. However, it was a stupid idea because not all of the request data is going to be used in databases.

Notice the deprecation warning.

- mark.
mikek12004
Familiar Sight
 
Join Date: Sep 2008
Location: Athens, Greece
Posts: 188
#3: Jun 26 '09

So you would suggest stripslashes right after the POST, using it wherever I want, and mysql_real_escape_string for the data intended for the database?
Dormilich
Moderator
 
Join Date: Aug 2008
Location: Leipzig, Germany
Posts: 3,653
#4: Jun 26 '09

It is probably better to disable magic quotes. This can be done in 2 ways: disable it permanently by changing the value of magic_quotes_gpc to Off or 0 in the php.ini, or disable it temporarily by using ini_set().
mikek12004
Familiar Sight
 
Join Date: Sep 2008
Location: Athens, Greece
Posts: 188
#5: Jun 26 '09

Well, I use stripslashes without first checking magic_quotes. Do you believe it would be a problem if I used stripslashes on a string that hasn't been escaped?
And to temporarily disable it, do I do it in the page with the form, in the target page, or in both?
Dormilich
Moderator
 
Join Date: Aug 2008
Location: Leipzig, Germany
Posts: 3,653
#6: Jun 26 '09

Quote:

Originally Posted by mikek12004

And to temporarily disable it, do I do it in the page with the form, in the target page, or in both?

It doesn't matter where it is done, but the new setting will only be available after the call (and be valid until the script finishes). So it is best to do it as early as possible (I guess this would be the target page).
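
The following is an added example, not code from any poster in this thread. It shows what happens to request data when stripslashes() is applied with and without magic quotes having escaped it first (the question raised in post #5). The function names and sample values are hypothetical, and the `$magicQuotesOn` flag stands in for get_magic_quotes_gpc(), which exists only in PHP versions before 8.0.

```php
<?php
// Added example; function names and sample values are constructed for illustration.

// magic_quotes_gpc applied addslashes() to every GET/POST/COOKIE value,
// escaping ', ", \ and NUL. Emulated here so the script runs on current PHP.
function emulate_magic_quotes(array $request): array
{
    return array_map(
        fn($v) => is_array($v) ? emulate_magic_quotes($v) : addslashes($v),
        $request
    );
}

// Undo the escaping only when it was actually applied. $magicQuotesOn stands in
// for get_magic_quotes_gpc(), which exists only in PHP versions before 8.0.
function undo_magic_quotes(array $request, bool $magicQuotesOn): array
{
    if (!$magicQuotesOn) {
        return $request; // nothing was added, so nothing may be removed
    }
    return array_map(
        fn($v) => is_array($v) ? undo_magic_quotes($v, true) : stripslashes($v),
        $request
    );
}

// Constructed form submission: a quote and literal backslashes.
$submitted = ['name' => "O'Reilly", 'path' => 'C:\\new\\table', 'tags' => ["it's"]];

// Case 1: magic quotes on. The script sees escaped values; undoing restores them.
$seen = emulate_magic_quotes($submitted);
echo "escaped name:  ", $seen['name'], "\n";
echo "round trip ok: ", var_export(undo_magic_quotes($seen, true) === $submitted, true), "\n";

// Case 2: magic quotes off, but stripslashes() is called anyway.
// Backslashes that belong to the data are removed.
$blind = stripslashes($submitted['path']);
echo "original path: ", $submitted['path'], "\n";
echo "blind strip:   ", $blind, "\n";
echo "unchanged:     ", var_export($blind === $submitted['path'], true), "\n";

// Case 3: same input, guarded by the flag. The data is left alone.
$guarded = undo_magic_quotes($submitted, false);
echo "guarded same:  ", var_export($guarded === $submitted, true), "\n";
```

Escaping for the database is a separate step applied at the point where the query is built, on the restored value.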