quotes getting escaped -- how to stop

Anon

All of my forms are validated in such a way that if they fail validation, the form fields get their values back, so the user doesn't have to redo all the fields.

My problem is, that if a user enters a single or double quote, and the form fails validation, the quote comes back escaped... in the form \'

Anyone know if there is a way to avoid this? The idea of removeslashes() on each variable that comes in on all my forms is not an appealing one.

Anon

stripslashes() it is. The reason you're getting this behavior is that magic quotes are turned on. You can turn them off, though right at the moment the details escape me; see the manual. But if the idea of removing the slashes from each and every variable on your form doesn't appeal to you, would having to call addslashes() on them all before you insert records to the database be any better? What? You say you aren't using a database in the first place? Then by all means turn magic quotes off.

Anon

Ouch.. those are my only options eh.... well so be it. At least now I understand the motivation here...

Don't suppose anyone knows of a small little loop I can include at the top of my file that will strip slashes on every variable coming in?

-Brian

Anon

while (list($key,$val) = each ($HTTP_POST_VARS)) {
$val = stripslashes($val);
}
reset($HTTP-POST_VARS);
extract($HTTP_POST_VARS);

Anon

Could you serialize it, stripslashes, then unserialize it? Would that be easier?

$string = serialize($HTTP_POST_VARS);
$string = stripslashes($string);
unserialize($HTTP_POST_VARS);
extract($HTTP_POST_VARS);

---John Holmes...

Anon

As Kirk says, you can turn the magic quotes off....find your php.ini file (under windows OS, you'll find this in the Windows folder). Open your php.ini in a text editor and use the search (find) facility in the editor to find these "magic" words: magic_quotes_gpc. The default value for magic_quote_gpc=On....delete the "On" and type "Off" and save the php.ini file. The magic quotes are gone and so is your problem. However, as Kirk mentioned, if you are entering the values from the form into a database, you'll need to use the addslashes function before the variables can be executed by the query.

Anon

John, most certianly would be, thanks for the snippet!

Anon

Doesn't work for me. Says its the wrong data type to extract... any ideas?

I have tried all sorts of different combinations here, and I am having 0 luck. Anyone tried this code and got it to work? Help would be great.

Anon

Dear Brian,
I had a problem recently which I think is fairly similar to yours. I'm not an experienced programmer so my solutions tend to be fairly straighforward. I'm not quite sure if this helps you but here goes:
First, let me explain the problem I had...I have a web form which contained the following input box:
<P>Length: <input type=text name=length></P>
Now, the problem was with people inputting their measurements in feet and inches e.g. 3'5"
With the magic_quote_gpc set to ON (the default value), the values of $length would be passed on to my PHP script as 3\'5\".....which I thought was a little unsightly. But the dilemma was that I need those escape backslashes for my query to work (the value of $length was to be finally entered into a database). So what I did was to turn magic_quote_gpc OFF. The value of $length was therefore passed to the PHP script as 3'5" (without the backslashes) but I still needed the backslash for the final phase when the value of $length is submitted to the database query. So, just before the query is executed, I added the following line:
$length=addslashes($length).
I didn't bother with any sort of loops cos as I said I'm just not that good!! It seems to have worked well for me. Hope this helps.
Allen.
P.S. as I mentioned in my previous email, magic_quote_gpc is in the php.ini file.

Anon

The problem for me is that I realized this small problem only shows itself in the situation where someone has used single or double quotes in a description or title of a product on my page, and they fail validation. It hardly even happens, but the problem spans many, many different scripts on my site. They all use a common function library that gets included before anything else, so using a loop to strip slashes works fine. Or so I though until you made me realize something... damno. Now its not working again.

Well, I'll know to watch for this in future, and I'll slowly overhaul my scripts. Yech.

Anon

John, just a heads up, once you serialize it it adds double quotes around each value so when you addslashes it adds to those to the double quotes as well. So when you try and unserialize it it doesn't work and leaves a string that can't be extracted. I did find that this way works just as well

while(list($key,$val) = each ($HTTP_POST_VARS)) {
$newarray[$key] = addslashes($val);
}

extract($newarray);

Anon

That almost works Louie, except when you are passing an array from form to PHP. If you have an array in the form of a collection of checkboxes, then your technique will not work. If have to put a check in the middle of it that checks is the var is an array, and loops through the array if it is.

Quite messy.

Anon

What are the chances you will need to addslashes to a checkbox array?
Since you control the value of a checkbox then you can simply keep quotes out of them, the whole point fo addslashes() is to make sure that you can take care of quotes put in my a user typing into a textfield or textarea.

Anon

You kindof missed my point 😛

That loop you have their will lose the array.

It will no longer exist after your loop.

Thats the problem.

Cheers!

Brian

Anon

That doesn't seem right to me a created an array a mixture of strings and other arrays. After I looped through them and added slashes the aub arrays were still there.