0

I have an HTML form which is handled by PHP. When I submit the form, it shows backslashes if I write, for example: 5 rue de l'ourq. If I submit the form again because I wrongly input any other field of the form, then it shows 5 rue de l\'ourq and again 5 rue de l\\'ourq. This happens in the address field.

PHP variables:

$address = $_POST['address'];   
$title = inputvalid($_POST['title']);   
$f_name = inputvalid($_POST['f_name']);

The problem is the $address variable. I don't know why it shows the backslashes. That's why I didn't apply the inputvalid function to that variable, but I can't fix this. Any idea?

3
  • 4
    Check the magic_quotes_gpc option in your php.ini file and set it to Off. My answer is below. Commented Mar 29, 2013 at 13:15
  • Perhaps the addslashes() function, so you need stripslashes() also. Commented Mar 29, 2013 at 13:15
  • There probably is an issue in your character escaping prior to database insertion. Using prepared statements would solve the problem. Commented Mar 29, 2013 at 13:15

5 Answers 5

6

Sounds like you have magic_quotes turned on. You need to turn them off in your PHP settings.

If you can't turn off magic_quotes, I would make the first thing your inputvalid() function does a check to see if magic_quotes are enabled; if they are, then call stripslashes() on values.

http://php.net/manual/en/security.magicquotes.disabling.php

According to the link above, you can simulate disabling at runtime by adding the following code, but it is really just doing the same thing as I said above: checking if magic_quotes are on, then calling stripslashes() on the input arrays:

if (get_magic_quotes_gpc()) {
    $process = array(&$_GET, &$_POST, &$_COOKIE, &$_REQUEST);
    while (list($key, $val) = each($process)) {
        foreach ($val as $k => $v) {
            unset($process[$key][$k]);
            if (is_array($v)) {
                $process[$key][stripslashes($k)] = $v;
                $process[] = &$process[$key][stripslashes($k)];
            } else {
                $process[$key][stripslashes($k)] = stripslashes($v);
            }
        }
    }
    unset($process);
}

6 Comments

Normally no, but you can do it in .htaccess normally though.
I put this code in my form page: ini_set('magic_quotes_gpc', 'off'); But it again shows "5 rue de l\\\'ourq".
Right, that is why I said "No": you can't do it in form.php, you have to do it in .htaccess or in the php.ini file. Look at the link I posted.
If you are adding it to .htaccess you will need to use a different command, I believe it is php_flag magic_quotes_gpc off
0

Put this in your config file:

ini_set('magic_quotes_gpc', 'off');

OR, if this is not allowed on your server, put this in config:

##/ Special Code to stop get_magic_quotes_gpc
function stop_magic_quotes($in)
{
    $out = $in;

    if(function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc())
    {
        if(is_array($out))
        {
            foreach($out as $k=>$v)
            {
                $v = stop_magic_quotes($v);
                $out[$k] = $v;
            }
        }
        else
        {
            $out = stripslashes($out);
        }
    }

    return $out;
}//end func................

if(function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc())
{
    $_GET = array_map('stop_magic_quotes', $_GET);
    $_POST = array_map('stop_magic_quotes', $_POST);
}//end if....

6 Comments

I put this code in my form page. But after submitting, it again shows "5 rue de l\'ourq"
OK, I have edited and added new code there. Just make sure your config file gets included before you get your address, title, etc.
Did you enter fresh values, like this: "5 rue de l'ourq"? I think this can't be solved without looking at the code completely.
Put var_dump($address); die(); right below $address=$_POST['address']; then see if the backslash is still there.
OK... create a "php.ini" file in the root and put this line in it: magic_quotes_gpc = Off
0

PHP adds backslashes to escape the ' because it would literally mean the opening of a string.

Use stripslashes() to remove them.

Comments

0

Your inputvalid function is preventing SQL injections which are used to load and modify information from your database. The function escapes ' and " to prevent the injections. Your code should be able to translate those escaped characters back to a human-readable form after loading the information from the database.

Comments

0

From my comment to this question:

Check the magic_quotes_gpc option in your php.ini file and set it to Off. Don't forget to restart the PHP process. If you don't have direct access to the php.ini file, try this:

 <?php ini_set('magic_quotes_gpc', 'Off'); ?>

Comments
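
The approaches raised across the answers and comments, combined into one added example (not code from any poster): it shows why the slashes compound on each resubmission, then undoes magic quotes exactly once at input, HTML-escapes only when writing the value back into the form, and stores it with a prepared statement. The helper names, the `customer` table and the in-memory SQLite database (requires the pdo_sqlite extension) are assumptions for illustration.

```php
<?php
// Added example; helper names and the customer table are hypothetical.

// How the slashes compound: magic_quotes_gpc runs addslashes() on every POST
// value, so a value echoed back into the form unmodified gains a layer per submit.
$value = "5 rue de l'ourq";               // constructed sample input
for ($i = 1; $i <= 3; $i++) {
    $value = addslashes($value);
    echo "submit $i: $value\n";
}

function magic_quotes_active()
{
    // Magic quotes were removed in PHP 5.4; the function itself in PHP 8.
    return function_exists('get_magic_quotes_gpc') && @get_magic_quotes_gpc();
}

// Undo the automatic escaping exactly once, at the point the value is read.
function raw_input_value(array $source, $key, $quoted = null)
{
    if ($quoted === null) {
        $quoted = magic_quotes_active();
    }
    $value = (isset($source[$key]) && is_string($source[$key])) ? $source[$key] : '';
    return $quoted ? stripslashes($value) : $value;
}

// Escape for the HTML context only when the value is written back to the page.
function form_value($value)
{
    return htmlspecialchars($value, ENT_QUOTES, 'UTF-8');
}

// Constructed request, as a server with magic quotes on would deliver it.
$post = array('address' => addslashes("5 rue de l'ourq"));
$address = raw_input_value($post, 'address', true);
echo '<input name="address" value="' . form_value($address) . "\">\n";

// Storage: bound parameters need no manual slashes (assumes pdo_sqlite).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE customer (address TEXT)');
$stmt = $db->prepare('INSERT INTO customer (address) VALUES (:address)');
$stmt->execute(array(':address' => $address));
echo 'stored: ', $db->query('SELECT address FROM customer')->fetchColumn(), "\n";
```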
