Why php escapes characters in POST and GET? 
June 26th, 2009, 08:07 AM
Familiar Sight | Join Date: Sep 2008 | Location: Athens, Greece | Posts: 181
I was wondering why PHP escapes the single quotes in a GET or POST variable? Is it just for display purposes, or can the single quote mess up other things too? And does it escape just the single quote or other characters as well?
June 26th, 2009, 09:47 AM
Moderator | Join Date: Jun 2007 | Location: York, England, with wolves. | Posts: 4,862 | Provided Answers: 9
Quote:
Originally Posted by mikek12004: I was wondering why PHP escapes the single quotes in a GET or POST variable? Is it just for display purposes, or can the single quote mess up other things too? And does it escape just the single quote or other characters as well?
You have magic quotes enabled. The idea behind it was to sanitize any input through GET, POST, etc., so that it would be safe to insert into a database. However, it was a stupid idea because not all request data is going to be used in databases.
Notice the deprecation warning.
- mark.
June 26th, 2009, 11:38 AM
Familiar Sight | Join Date: Sep 2008 | Location: Athens, Greece | Posts: 181
So you would suggest stripslashes right after the post, use it wherever I want, and mysql_real_escape_string for the data intended for the database?
June 26th, 2009, 01:10 PM
Moderator | Join Date: Aug 2008 | Location: Leipzig, Germany | Posts: 3,487 | Provided Answers: 9
It is probably better to disable magic quotes. This can be done in two ways: disable it permanently by changing the value of magic_quotes_gpc to Off or 0 in the php.ini, or disable it temporarily by using ini_set().
June 26th, 2009, 01:17 PM
Familiar Sight | Join Date: Sep 2008 | Location: Athens, Greece | Posts: 181
Well, I use stripslashes without first checking magic_quotes. Do you believe it would be a problem if I used stripslashes on a string that hasn't been escaped?
And to temporarily disable it, do I do it in the page with the form, in the target page, or in both?
June 26th, 2009, 01:31 PM
Moderator | Join Date: Aug 2008 | Location: Leipzig, Germany | Posts: 3,487 | Provided Answers: 9
Quote:
Originally Posted by mikek12004: And to temporarily disable it, do I do it in the page with the form, in the target page, or in both?
It doesn't matter where it is done, but the new setting will only be available after the call (and be valid until the script finishes). So it is best to do it as early as possible (I guess this would be the target page).
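An added example, not part of any post in this thread: it shows which characters magic quotes escape and what stripslashes() does to a value that was never escaped. addslashes() stands in for magic_quotes_gpc here (an assumption made so the script runs on PHP versions without magic quotes), the sample input is constructed, and undo_magic_quotes() and magic_quotes_active() are hypothetical helper names.

```php
<?php
// Added example, not code from the thread.
// addslashes() stands in for magic_quotes_gpc: both put a backslash in front
// of ', ", \ and NUL bytes in request values.

// Hypothetical helper: strip slashes only if magic quotes really ran.
function undo_magic_quotes(string $value, bool $magicOn): string
{
    return $magicOn ? stripslashes($value) : $value;
}

// Runtime check. The function is gone in PHP 8, where magic quotes no longer
// exist, so a missing function is treated as "off".
function magic_quotes_active(): bool
{
    return function_exists('get_magic_quotes_gpc') && @get_magic_quotes_gpc();
}

// Constructed sample: the text a user typed into a form field.
$typed = "O'Reilly saved it in C:\\temp\\notes";

$cases = [
    'magic quotes on'  => [addslashes($typed), true],
    'magic quotes off' => [$typed, false],
];

foreach ($cases as $label => [$received, $magicOn]) {
    $checked   = undo_magic_quotes($received, $magicOn);
    $unchecked = stripslashes($received); // stripped without checking first

    printf("%s\n  received:  %s\n", $label, $received);
    printf("  checked:   %s (%s)\n", $checked,
        $checked === $typed ? 'intact' : 'DAMAGED');
    printf("  unchecked: %s (%s)\n", $unchecked,
        $unchecked === $typed ? 'intact' : 'DAMAGED');
}

printf("this interpreter reports magic quotes: %s\n",
    magic_quotes_active() ? 'on' : 'off');
```

In the "magic quotes off" case the unchecked call removes the backslashes the user actually typed, which is the damage an unconditional stripslashes() causes.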