Published: September 27 2007, 3:36:00 PMUpdated: August 08 2022, 12:09:01 AM
By default, PHP 4.x and 5.x will attempt to "sanitize" user input by escaping characters such as single quote, double quote, and backslash. This was done in an attempt to prevent SQL injection and similar attacks. However, this can cause unexpected results in many cases.
Detailed Description
The escaping of characters is appropriate in certain contexts. Inserting into a database where a single quote is a string delimiter is a case where escaping single quotes is appropriate. However, in XML such escaping may not be appropriate. PHP initially gained popularity as an easy way to connect web servers to databases, and such automatic quoting may have been appropriate then. However, as PHP is now used in more contexts, such escaping by default is not appropriate. Thus, PHP 6 will not do such escaping by default.

Here is an example of inappropriate escaping (inappropriate use of "magic_quotes").
Suppose you have an HTML form which provides data to the AddItem call. Your PHP code to pull in the item description for the listing may look like this:
$itemDescription = $_POST['itemDescription'];
In this case, by default, PHP 4.x and PHP 5.x will apply the "magic_quotes" escaping function to every variable in the $_POST array. Thus, if the item description entered was:
Don't do this!
Then your item description after the item is listed will look like this:
Don\'t do this!
In the php.ini file, you'll see the following by default:
; Magic quotes for incoming GET/POST/Cookie data.
magic_quotes_gpc = On
; Magic quotes for runtime-generated data, e.g. data from SQL, from exec(), etc.
magic_quotes_runtime = Off
Set magic_quotes_gpc = Off in php.ini to prevent automatic escaping for your whole PHP installation. Note that turning off automatic escaping for your whole installation may lead to unexpected behavior in scripts that relied on it and possibly open security holes, so this is not recommended.
You can also turn off magic quotes on a per-directory basis. This may be the best compromise between convenience and limiting the impact of the change. To do this, add the following to your .htaccess file:
php_flag magic_quotes_gpc off
The equivalent setting from PHP code is:
ini_set('magic_quotes_gpc', false);
Note that magic_quotes_gpc is applied to GET/POST/Cookie data before your script starts running, so an ini_set() call inside the script does not undo the escaping already applied to the current request; use php.ini or .htaccess for that, or remove the added backslashes with stripslashes() yourself.
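The following is an added example, not code from the original article, showing the runtime approach the stripslashes resource points at: when get_magic_quotes_gpc() reports that escaping is on, strip the added backslashes from the input arrays once at the top of the script, and then escape each value for the context it is actually going into (entity encoding for XML, a bound parameter for the database). get_magic_quotes_gpc(), stripslashes(), htmlspecialchars() and PDO are real PHP 4/5 functions and classes; the helper names, the `items` table and the constructed sample input are assumptions.

```php
<?php
// Added example (not from the original article). Assumes PHP 5.x with PDO.

// Recursively remove the backslashes magic_quotes_gpc inserted into
// GET/POST/COOKIE values; nested arrays (e.g. name="tags[]") are handled too.
function undo_magic_quotes_deep($value)
{
    if (is_array($value)) {
        return array_map('undo_magic_quotes_deep', $value);
    }
    return stripslashes($value);
}

// Call once, before any input is read, so the rest of the script sees the
// data exactly as the user typed it regardless of the magic_quotes_gpc setting.
function undo_magic_quotes()
{
    if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
        $_GET     = undo_magic_quotes_deep($_GET);
        $_POST    = undo_magic_quotes_deep($_POST);
        $_COOKIE  = undo_magic_quotes_deep($_COOKIE);
        $_REQUEST = undo_magic_quotes_deep($_REQUEST);
    }
}

// XML/HTML context: backslashes mean nothing here; entity-encode instead.
function for_xml($value)
{
    return htmlspecialchars($value, ENT_QUOTES, 'UTF-8');
}

// Database context: a bound parameter keeps the quote safe without any
// string escaping in application code (hypothetical `items` table).
function insert_item(PDO $db, $description)
{
    $stmt = $db->prepare('INSERT INTO items (description) VALUES (:d)');
    $stmt->execute(array(':d' => $description));
}

undo_magic_quotes();

// Constructed sample: what magic_quotes_gpc hands a script for the form
// value   Don't do this!   (the same mangled string shown in the article).
$sample = array('itemDescription' => "Don\\'t do this!");
$clean  = undo_magic_quotes_deep($sample);

// $clean['itemDescription'] is now   Don't do this!   again.
$description = $clean['itemDescription'];

// Emit the listing description into XML with context-appropriate escaping.
echo '<Description>' . for_xml($description) . "</Description>\n";
```

The point of the design is that input arrives unescaped into the script and every output path chooses its own escaping; that is the same separation PHP later enforced by dropping magic quotes altogether.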
Additional resources
Magic quotes discussion on tizag.com
PHP.net - stripslashes
PHP.net - ini_set