Quotes, Slashes, etc.

Connie_Goss

I'm having a little confusion about how to intercept special characters in form variables. My server is running php 5.2. Magic_quotes is on. If user enters last name O'Hara, the data truncates after the single quote when passed to the next script as a post variable.

So I use strip_slashes when I receive the post variable, and that works, the variable displays correctly. But then, if I have to send that data on to script #3, O'Hara truncates at the single quote, leaving just the O.

So I tried applying add slashes when I receive it in script #3, and it converts to O[/B]

What am I doing wrong? Should I be using preg_quote() to escape special characters instead? If so, how do I convert it back so I can send it on to another page?

laserlight

Connie Goss wrote:
Magic_quotes is on. (...) So I use strip_slashes when I receive the post variable, and that works, the variable displays correctly.

This is correct, however, instead of using stripslashes directly, it would be better to define a function that conditionally applies stripslashes if get_magic_quotes_gpc() returns 1. This way, when magic_quotes is rightly turned off, your code would still be correct.

Connie Goss wrote:
But then, if I have to send that data on to script #3

How exactly are you doing this? For example, if you are sending it as the value of a hidden form field, [man]htmlspecialchars/man would be the correct escaping method.

I suggest reading the PHP manual on PHP and HTML.