where do the backslashes (\) come from?

"Robert Stearns" <rs**********@charter.net> wrote in message
news:10*************@corp.supernews.com...

Whenever I enter an apostrophe (') into a text box I receive \'. The
same behavior obtains with both get and post. Is there a php setting
which causes this (to me, at least) bizarre behavior? Or one to shut it off?

Set the magic_quotes_gpc directive in php.ini to Off. Or if you don't have
access to php.ini, check out the get_magic_quotes_gpc() function
(http://us2.php.net/get-magic-quotes-gpc).

- JP

I noticed that Message-ID: <10*************@corp.supernews.com> from
Robert Stearns contained the following:

Whenever I enter an apostrophe (') into a text box I receive \'. The
same behavior obtains with both get and post. Is there a php setting
which causes this (to me, at least) bizarre behavior? Or one to shut it off?

It's not bizarre. Apostrophes need to be escaped to prevent them being
seen as part of the script. If you were to turn magic quotes off, you'd
still have to use addslashes() to put them in.

Use stripslashes() to remove them.

--
Geoff Berrow (put thecat out to email)
It's only Usenet, no one dies.
My opinions, not the committee's, mine.
Simple RFDs http://www.ckdog.co.uk/rfdmaker/

In article <mTFMc.164394$JR4.23280@attbi_s54>,
"kingofkolt" <je**********@comcast.net> writes:

"Robert Stearns" <rs**********@charter.net> wrote in message
news:10*************@corp.supernews.com...

Whenever I enter an apostrophe (') into a text box I receive \'. The
same behavior obtains with both get and post. Is there a php setting
which causes this (to me, at least) bizarre behavior? Or one to shut it

off?

Set the magic_quotes_gpc directive in php.ini to Off. Or if you don't have
access to php.ini, check out the get_magic_quotes_gpc() function
(http://us2.php.net/get-magic-quotes-gpc).

I'm no PHP "guru," but this strikes me as... questionable advice.
Wouldn't it be safer, and more secure, to use stripslashes() where
you know you don't want them?

--
Jim Seymour | PGP Public Key available at:
WARNING: The "From:" address | http://www.uk.pgp.net/pgpnet/pks-commands.html
is a spam trap. DON'T USE IT! |
Use: js******@LinxNet.com | http://jimsun.LinxNet.com

On Sun, 25 Jul 2004 16:06:41 -0000
js******@LinxNet.com (Jim Seymour) wrote:

In article <mTFMc.164394$JR4.23280@attbi_s54>,
"kingofkolt" <je**********@comcast.net> writes:

"Robert Stearns" <rs**********@charter.net> wrote in message
news:10*************@corp.supernews.com...

Whenever I enter an apostrophe (') into a text box I receive \'.

The> same behavior obtains with both get and post. Is there a php
setting> which causes this (to me, at least) bizarre behavior? Or one
to shut it
off?

Set the magic_quotes_gpc directive in php.ini to Off. Or if you
don't have access to php.ini, check out the get_magic_quotes_gpc()
function(http://us2.php.net/get-magic-quotes-gpc).

I'm no PHP "guru," but this strikes me as... questionable advice.
Wouldn't it be safer, and more secure, to use stripslashes() where
you know you don't want them?

Yeah... That would probably be the safest way to deal with it...
--
Anders K. Madsen --- http://lillesvin.linux.dk

"There are 10 types of people in the world.
Those who understand binary - and those who don't."

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)

iD8DBQFBA9/flNHJe/JASHcRAu+rAJ9rI7dqOBT1iTBS4NEQarrTPc4lUwCbBMns
SKq+wuLLxfVqb92iza2N7S4=
=LdRr
-----END PGP SIGNATURE-----

"Jim Seymour" <js******@LinxNet.com> wrote in message
news:10*************@corp.supernews.com...

In article <mTFMc.164394$JR4.23280@attbi_s54>,
"kingofkolt" <je**********@comcast.net> writes:

"Robert Stearns" <rs**********@charter.net> wrote in message
news:10*************@corp.supernews.com...

Whenever I enter an apostrophe (') into a text box I receive \'. The
same behavior obtains with both get and post. Is there a php setting
which causes this (to me, at least) bizarre behavior? Or one to shut it off?

Set the magic_quotes_gpc directive in php.ini to Off. Or if you don't have access to php.ini, check out the get_magic_quotes_gpc() function
(http://us2.php.net/get-magic-quotes-gpc).

I'm no PHP "guru," but this strikes me as... questionable advice.
Wouldn't it be safer, and more secure, to use stripslashes() where
you know you don't want them?

--
Jim Seymour | PGP Public Key available at:
WARNING: The "From:" address |

http://www.uk.pgp.net/pgpnet/pks-commands.html is a spam trap. DON'T USE IT! |
Use: js******@LinxNet.com | http://jimsun.LinxNet.com

Well, I guess I was supposing that Robert's situation was this: a user
enters text into a textbox and submits it and the text is entered into a
database. In that case, probably the best way to deal with the "magic
quotes" is to use something like this:

if (!get_magic_quotes_gpc()) {
$data=addslashes($_POST['data']);
}

as in the example at PHP.net. I suppose the best solution depends on how
Robert wants to use the text immediately...

- JP

In article <25SMc.161854$IQ4.137836@attbi_s02>,
"kingofkolt" <je**********@comcast.net> writes:
[snip]

Well, I guess I was supposing that Robert's situation was this: a user
enters text into a textbox and submits it and the text is entered into a
database. In that case, probably the best way to deal with the "magic
quotes" is to use something like this:

if (!get_magic_quotes_gpc()) {
$data=addslashes($_POST['data']);
}

as in the example at PHP.net. I suppose the best solution depends on how
Robert wants to use the text immediately...

I won't argue with that. In fact: Unless he has direct control over
the server, the above would be a very good idea.

My point was that, if he *does* have control over the server, it's
safer to leave magic_quotes_gpc on, and use stripslashes() on the
variables in which he knows he doesn't want the escapes. He's less
likely to have a security problem if he fails to run stripslashes()
when he meant to than he would failing to run addslashes() when he
needs to.

Then again: I'm one of those dinosaurs that believes in application-
layer proxy firewalls and "That which isn't explicitly allowed, is
denied" policy ;).

--
Jim Seymour | PGP Public Key available at:
WARNING: The "From:" address | http://www.uk.pgp.net/pgpnet/pks-commands.html
is a spam trap. DON'T USE IT! |
Use: js******@LinxNet.com | http://jimsun.LinxNet.com

Jim Seymour wrote:

In article <25SMc.161854$IQ4.137836@attbi_s02>,
"kingofkolt" <je**********@comcast.net> writes:
[snip]

Well, I guess I was supposing that Robert's situation was this: a user
enters text into a textbox and submits it and the text is entered into a
database. In that case, probably the best way to deal with the "magic
quotes" is to use something like this:

if (!get_magic_quotes_gpc()) {
$data=addslashes($_POST['data']);
}

as in the example at PHP.net. I suppose the best solution depends on how
Robert wants to use the text immediately...

I won't argue with that. In fact: Unless he has direct control over
the server, the above would be a very good idea.

My point was that, if he *does* have control over the server, it's
safer to leave magic_quotes_gpc on, and use stripslashes() on the
variables in which he knows he doesn't want the escapes. He's less
likely to have a security problem if he fails to run stripslashes()
when he meant to than he would failing to run addslashes() when he
needs to.

Then again: I'm one of those dinosaurs that believes in application-
layer proxy firewalls and "That which isn't explicitly allowed, is
denied" policy ;).

Thanks everyone for your input on this question. In my case, input
strings are either put into the database or compared to strings already
there. My DBMS's ( DB2 ) way of quoting apostrophes is to double them,
which I am doing on variables of type character and varchar. I never
execute strings directly from the client, thus the risk is minimal, so
I'm going with magic_quotes_gpc off.