$_SESSION and Single Quotes...

chidera

Hello,

I've got an issue that's driving me buggy. And, it seems so simple that either I'm doing something wrong or I've got some configuration settings improperly set.

Here's some short (pseudo) code samples:

<?php // THIS SCRIPT HANDLES THE FORM INPUT...

// Session is started...

$message = $_POST['message']; // Message = "Isn't this possible?"

// $message is validated...

$_SESSION['myVariable'] = $message;

// Another page is called because there's some problem with the form input...

<?php // THIS SCRIPT RE-DISPLAYS THE FORM INPUT, ALLOWING USER TO EDIT...

// Session is started...

$message = $_SESSION['myVariable']; // Message SHOULD be = "Isn't this possible?"

echo "Message: {$message}<br />"; // Only displays "Message: <br />"...

Basically, it seems that the apostrophe (or single quote) is causing the problem. It seems to cause the problem whether or not addslashes is performed prior to the assignment to the $_SESSION variable.

I have tried this several times by directly assigning a string value to a $_SESSION variable and then trying to display it in the next "screen". When I assign text that does NOT contain an apostrophe, it works. When I assign text that DOES contain an apostrophe, it does not work.

Am I doing something wrong here? What am I missing?

I'm running PHP 4.3.11 on Apache. I THINK it's around version 1.38, but havne't confirmed this yet. Zend Engine version 1.3 is running. magic_quotes_gpc is ON. :-(

Can anyone help? Let me know if you would like more information.

Thanks,

Travis

Aybabtu

I would try to normalize the input. Before you set the variable $message, have some code that replaces ' with \'

This should allow the code to display the message on the next page. At least I think it will.

Note: The \' may work or it may be the other way around '\

Aybabtu.

chidera

Hi,

Thanks for the quick reply.

I will try to test again just to make sure. But, I am pretty confident that I've tried the following three values:

$SESSION['myVariable'] = "Isn't this possible?"; // Doesn't work...
$_SESSION['myVariable'] = addslashes("Isn't this possible?"); // Doesn't work...
$_SESSION['myVariable'] = "This is possible, is it not?"; // Works...

The results are in the comments at the end of each line above.

I'll try to verify that what I'm writing here is correct. And, I'll post again to let everyone know what I find. However, if anyone has any ideas in the meantime, they're all welcome. :-)

Thanks again,

Travis

chidera

Hello,

Yes, I can confirm that my last post is accurate. When I try anything with an apostrophe/single quote, even when I explicitly call addslashes() before assigning to $_SESSION[], then it doesn't work.

I THINK I can figure out some work-arounds here, but it seems like there must be something else that I'm missing.

Thanks,

Travis

chidera

Hello,

I finally figured it out. Since, among other reasons, I have grand plans for my little application to grow beyond my wildest dreams -- pause to let laughter die down -- I have my session data tied to the database. The read/write methods of the class that I use that reads/writes the session data does NOT take apostrophes into account...!!!

This has been killing me for DAYS. No wonder there's not anything about this anywhere on the Internet.

Well, now I know and can move on.

Travis

toplay

FYI:

You may need to do stripslashes() on input before validating data, and always quote (addslashes) to data before inserting or updating a table or file. More info:

http://www.phpbuilder.com/board/showpost.php?p=10648400&postcount=9

Here's a clean_values function that will determine whether to do stripslashes() on array values like on $GET or $POST before using the values/contents:
http://www.phpbuilder.com/board/showpost.php?p=10650515&postcount=8

hth.