1

I recently changed servers from Ubuntu to UNIX. On the Ubuntu install of MySQL and PHP, all strings needed to be escaped before being inserted into the database, and were read from the database without extra escape characters. However, on the new system, strings that users enter into forms, when untouched, are inserted into the database fine when not escaped. If escaped, extra characters are added. But then I need to add an <img> tag to the user-entered string with a simple .= and the string refused to be entered into the database unless escaped. And the original user-entered part of the string had extra escape characters. Is there any sort of easy solution for this? (PHP 5.2.17, MySQL 5.1, Apache 2.2.19)

6
  • maybe "Prepared Statements" are the better solution for you? Prepared statements don't need to be escaped, this will be done automatically for you. Commented Jul 22, 2012 at 5:20
  • 1
    Can you explain what you mean by "a simple .="? And have you checked your php.ini to see that magic_quotes_gpc is off? Commented Jul 22, 2012 at 5:25
  • A "simple .=" being the variable $post was passed from a form to the php file and I have the command "$post.="<img src='whatever' />";". And magic_quotes_gpc is on, and whether or not I can turn it off is debatable (as the server is not mine, but a "rented" one). Commented Jul 22, 2012 at 5:32
  • 1
    I believe you should check your configuration file. There should be an option to do this automatically without needing to call it explicitly. Let us know what the configuration for, I believe it's called real_magic_escape_quotes or something like that, is for you. Commented Jul 22, 2012 at 5:35
  • Andy, I believe you're probably also referring to what Joe5150 was talking about. As for prepared statements, using that technique yielded exactly the same results... Commented Jul 22, 2012 at 5:50

1 Answer

0

A description about magic quotes and why it affects your script is here. Basically, this feature affects user input from the browser, but not other strings you create yourself.

Sounds like the relevant setting magic_quotes_gpc was off on your old server, but activated on the new one. I always remove magic quotes depending on the setting during runtime, to have the same setup on all machines, even if I cannot control php.ini.

Try putting this in a central include file before any input parameter processing:

// Strip slashes from a string or array recursively
function stripshashesr($text)
{
    if (is_array($text))
    {
        foreach($text as $key => $value) $text[$key]=stripshashesr($value);
        return $text;
    }
    return stripslashes($text);
}

// Strip slashes from GPC
if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc())
{
    foreach($_GET as $key => $value) $_GET[$key]=stripshashesr($value);
    foreach($_POST as $key => $value) $_POST[$key]=stripshashesr($value);
    foreach($_REQUEST as $key => $value) $_REQUEST[$key]=stripshashesr($value);
    foreach($_COOKIE as $key => $value) $_COOKIE[$key]=stripshashesr($value);
}

This removes magic quotes automatically depending on the setting.
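
The effect discussed above, as an added example that is not part of the original answer: it shows the same form value stored once with its magic-quote backslashes and once after they are stripped, both through a prepared statement. The input is constructed, magic quotes are simulated with addslashes() so the script runs on any PHP version, and the in-memory SQLite database (pdo_sqlite), the posts table and undo_magic_quotes() are assumptions made for illustration.

```php
<?php
// Added example. Assumes the pdo_sqlite extension is available.

// Constructed input: what the user typed into the form.
$typed = "It's a \"test\"";

// Simulate magic_quotes_gpc = On: PHP hands the script the value with a
// backslash already placed before each quote character.
$_POST = array('post' => addslashes($typed));

// Hypothetical helper: undo magic quotes once, for strings or nested arrays.
function undo_magic_quotes($value)
{
    return is_array($value)
        ? array_map('undo_magic_quotes', $value)
        : stripslashes($value);
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE posts (id INTEGER PRIMARY KEY, body TEXT)');

// The placeholder keeps data out of the SQL text, so no manual escaping is
// needed for either the form value or the string built in the script.
$insert = $db->prepare('INSERT INTO posts (body) VALUES (?)');

// Row 1: magic-quoted value bound as-is. The backslashes are ordinary
// data at this point and end up in the table.
$insert->execute(array($_POST['post'] . "<img src='whatever' />"));

// Row 2: strip the magic quotes first, then append and bind. The appended
// tag was never magic-quoted, so only the form value needs normalising.
$clean = undo_magic_quotes($_POST);
$insert->execute(array($clean['post'] . "<img src='whatever' />"));

// Print both rows to compare what was actually stored.
foreach ($db->query('SELECT id, body FROM posts') as $row) {
    echo $row['id'], ': ', $row['body'], "\n";
}
```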
