Avoiding \ before ' or &quot;

Avoiding \ before ' or "

JabsBlog

On this page I have info that is submitted to a DB and it also ouputs information to a file.

When I view the file that was created... The section where it states You are replying to $name... will display a \ before the ' or "

I have tryed to use the stripslashes and that works for the information that is pulled from the Database. However the var that I am calling is not from the Database ... it is from the previous form, and does not seem to be working in the file that was created.

I am not sure what to put in my file that is created .. so when I display $name it will not have a \ before the quotes.

<?
include("../db.php");

$url = $_POST['url'];
$name = $_POST['name'];
$reason = $_POST['reason'];
$blog_id = $_POST['blog_id'];
$childpage = "$blog_id.php";
$handle = fopen("../../articles/$childpage", 'x+');
$htmlpage = "<html>
<head>
<title>BlogLink :: Democratic Blogging</title>
<link rel=\"stylesheet\" type=\"text/css\" href=\"../../styles/index.css\" />
<script language=\"JavaScript\" type=\"text/javascript\">
<!--
function submit ( selectedtype )
{
  document.childsubmit.child_id.value = selectedtype ;
  document.childsubmit.submit() ;
}
-->
</script>
</head>
<body>
<?php 
include("../db.php\");

mysql_connect(localhost,\$username,\$password);
@mysql_select_db(\$database) or die( \"Unable to select database\");
\$query = \"SELECT * FROM child_post WHERE child_id=$blog_id ORDER by id DESC\";
\$result = mysql_query(\$query);
\$num = mysql_numrows(\$result);

mysql_close();
?><div id=\"wrapper\">
<div id=\"ad\">
<a href=\"../index.php\"><img src=\"../../images/header.jpg\" alt=\"BlogLink\" border=\"0\"/></a>
<br /><img src=\"../images/addemo.jpg\"/></div>
<div id=\"addto\">
<ul id=\"navlist1\">
<li>Get the feed:</li>
<li id=\"active1\"><a href=\"http://feeds.my.aol.com/add.jsp?url=http%3A//www.bloglink.com/rss.xml\" id=\"current1\">MyAOL</a></li>
<li><a href=\"http://fusion.google.com/add?feedurl=http://www.bloglink.com/rss.xml\">Google</a></li>
<li><a href=\"http://add.my.yahoo.com/rss?url=http://www.bloglink.com/rss.xml\">Yahoo</a></li>
<li><a href=\"http://www.bloglines.com/sub/http://www.bloglink.com/rss.xml\">Bloglines</a></li>
<li><a href=\"http://www.bloglink.com/rss.xml\"><img src=\"images/xml.gif\" alt=\"xml\" border=\"0\" /></a></li>
</ul>
</div>
<div id=\"navcontainer\">
<ul id=\"navlist\">
<li id=\"active\">
<li><a href=\"../index.php\">Home</a></li>
<li><a href=\"../submit.php\">Submit Story</a></li>
<!-- When it's done <li><a href=\"categories.html\">Categories</a></li> -->
<li><a href=\"../faq.html\">FAQ</a></li>
<li><a href=\"../about.html\">About</a></li>
<li><a href=\"../contact.php\">Contact Us</a></li>
</ul>
</div>
<div id=\"content\">

<?php 
$name = stripslashes($name);
$reason = stripslashes($reason);
$i=0;
while ($i < $num) {
$url = mysql_result($result,$i,"url\");
\$name = mysql_result(\$result,\$i,\"name\");
\$reason = mysql_result(\$result,\$i,\"reason\");
?>

<div id=\"parent\"><a href=\"<? echo \$url; ?>\"><? echo \$name; ?></a></div>
<div id=\"snippet\"><?php echo $reason; ?></div>
<a href=\"aim:goim?message=<? echo \$url; ?>\"><img src=\"images/offline.gif\" alt=\"IM this article\" border=\"0\" /></a>
<br /><br />
<?php $i++;
}
?>
<!-- Submit fields -->
<hr />
<strong>You are replying to: $name</strong>
<form action=\"../scripts/childAdd.php\" method=\"post\">
<table border=\"0\" cellpadding=\"5\">
<tr>
<td align=\"right\"><strong>Your Article URL:</strong></td>
<td><input type=\"text\" name=\"url\" size=\"70\" /></td>
</tr>
<tr>
<td align=\"right\"><strong>Your Article Name:</strong></td>
<td><input type=\"text\" name=\"name\" size=\"70\" /></td>
</tr>
<tr>
<td align=\"right\"><strong>Your Summary:</strong></td>
<td><textarea name=\"reason\" rows=\"3\" cols=\"70\"></textarea></td>
</tr>
<tr>
<td></td>
<td align=\"right\"><input type=\"submit\" value=\"Submit Article\" /></td>
</tr>
</table>
<input type=\"hidden\" value=\"$blog_id\" name=\"child_id\" />
</form>
<p class=\"copyright\">Copyright 2006 &copy; BlogLink</p>
</div>
</div>
</body>
</html>";

fwrite ($handle, $htmlpage);
fclose;

mysql_connect(localhost,$username,$password);
@mysql_select_db($database) or die( "Unable to select database");

$query = "INSERT INTO approved VALUES ('','$blog_id','$url','$name','$reason')";
mysql_query($query);

mysql_close();
header("Location: ../../index.php");
die;
?>

Bobulous

Is it possible that the form data is being escaped twice? The only way I can think that this might happen is if you were to take the data from the user, then on the next page store that data in hidden fields, then on the next page output them. If I remember correctly, that would escape the data twice if magic_quotes is on.

magic_quotes bugs me, mostly because the web hosts I'm with always have it turned on for backward compatibility.

Houdini

PHP Manual get_magic_quotes_gpc()

The PHP directive magic_quotes_gpc is on by default, and it essentially runs addslashes() on all GET, POST, and COOKIE data. Do not use addslashes() on strings that have already been escaped with magic_quotes_gpc as you'll then do double escaping. The function get_magic_quotes_gpc() may come in handy for checking this.

Example:

<?php
echo get_magic_quotes_gpc();        // 1
echo $_POST['lastname'];            // O\'reilly
echo addslashes($_POST['lastname']); // O\\\'reilly

if (!get_magic_quotes_gpc()) {
   $lastname = addslashes($_POST['lastname']);
} else {
   $lastname = $_POST['lastname'];
}

echo $lastname; // O\'reilly
$sql = "INSERT INTO lastnames (lastname) VALUES ('$lastname')";
?>