%27 and ' - urlencode

elyob said the following on 09/09/2005 11:21:

Quite a lot of my data has apostrophes in. I'm passing the data using $_POST
and urlencode. So, for example, Joe's becomes Joe%27s.

On the next page, I urldecode and display the name in the META title. It
comes out as Joe\'s.

When I pass it once again, it becomes Joe\\\'s.

What am I doing wrong here?

http://www.php.net/manual/security.magicquotes.php

If you can, disable this feature, cos it's really annoying, as you've
just found out!
--
Oli

"Oli Filth" <ca***@olifilth.co.uk> wrote in message
news:Et************@newsfe7-win.ntli.net...

elyob said the following on 09/09/2005 11:21:

Quite a lot of my data has apostrophes in. I'm passing the data using
$_POST and urlencode. So, for example, Joe's becomes Joe%27s.

On the next page, I urldecode and display the name in the META title. It
comes out as Joe\'s.

When I pass it once again, it becomes Joe\\\'s.

What am I doing wrong here?

http://www.php.net/manual/security.magicquotes.php

If you can, disable this feature, cos it's really annoying, as you've just
found out!

Great stuff. Thanks for that, the default php.ini had this. It's now gone. I
seem to remember one of the main PHP developers writing that magic quotes is
stupid and should be dropped.

I noticed that Message-ID: <43********@news1.homechoice.co.uk> from
elyob contained the following:

Great stuff. Thanks for that, the default php.ini had this. It's now gone. I
seem to remember one of the main PHP developers writing that magic quotes is
stupid and should be dropped.

You only need to url encode data that is going in a URL (duh...).

And don't forget that your database security is now down to you in this
and all future projects.

(you could have just used stripslashes() )
--
Geoff Berrow (put thecat out to email)
It's only Usenet, no one dies.
My opinions, not the committee's, mine.
Simple RFDs http://www.ckdog.co.uk/rfdmaker/

Geoff Berrow said the following on 09/09/2005 13:10:

I noticed that Message-ID: <43********@news1.homechoice.co.uk> from
elyob contained the following:

Great stuff. Thanks for that, the default php.ini had this. It's now gone. I
seem to remember one of the main PHP developers writing that magic quotes is
stupid and should be dropped.

You only need to url encode data that is going in a URL (duh...).

And don't forget that your database security is now down to you in this
and all future projects.

Yes, I'll echo that sentiment.

(you could have just used stripslashes() )

IMO, using mysql_real_escape_string() once to put a value into a SELECT
query is far less annoying than having to use stripslashes() all over
the place...

Furthermore, magic quotes don't escape all the necessary characters to
make a string safe for SQL.
--
Oli

Not sure if you necessarily want to urlencode/decode here. All you really
need here is . . .

$data = stripslashes($_POST['field']);
echo $data;


On 9/9/05 6:21 AM, in article 43********@news1.homechoice.co.uk, "elyob"
<ne*********@gmail.com> wrote:

Quite a lot of my data has apostrophes in. I'm passing the data using $_POST
and urlencode. So, for example, Joe's becomes Joe%27s.

On the next page, I urldecode and display the name in the META title. It
comes out as Joe\'s.

When I pass it once again, it becomes Joe\\\'s.

What am I doing wrong here?

Thanks