Amit Khanna - 3 months ago 16
PHP Question

php stop quote escape

I have a small piece of PHP code that prints a welcome message:

<?php
echo "Hello ". $_GET['name'];
?>


I've put this code on my website hosted on GoDaddy's server and I found that the server is escaping the single and double quotes. For example:

http://www.example.com/test.php?name=test's


prints

Hello test\'s


but the same code runs fine on the Apache server on my PC. How can this be fixed?

Answer

Put the following code in a .htaccess file to inform PHP that magic quotes shouldn't be added to GET, POST and Cookie variables.

php_flag magic_quotes_gpc Off

If your webhost does not allow you to change your settings, you need to remove these quotes yourself using the stripslashes function. Since the $_GET / $_POST / $_COOKIE array may contain other arrays (by using field names like name[full]=John Smit), you need a recursive function to strip the slashes. For example, use the snippet from this comment to remove all "magic quotes" from the input:

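<?php
// get_magic_quotes_gpc() was removed in PHP 8, so check that it exists first.
if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
    // Strip slashes recursively, because a value may itself be an array.
    $strip_slashes_deep = function ($value) use (&$strip_slashes_deep) {
        return is_array($value) ? array_map($strip_slashes_deep, $value) : stripslashes($value);
    };
    // Replace the superglobals with their un-quoted copies.
    $_GET = array_map($strip_slashes_deep, $_GET);
    $_POST = array_map($strip_slashes_deep, $_POST);
    $_COOKIE = array_map($strip_slashes_deep, $_COOKIE);
}
?>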

Note that your code snippet is vulnerable to XSS, so use proper escaping:

<?php
echo "Hello " . htmlspecialchars($_GET['name']);
?>

Another recommended way to retrieve such input values is the filter_* functions. An example which is the equivalent of the above snippet, but works regardless of the magic_quotes_gpc setting:

<?php
echo filter_input(INPUT_GET, 'name', FILTER_SANITIZE_FULL_SPECIAL_CHARS);
?>
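
The two steps from the answer above, run end to end on nested input, as an added example that is not part of the original answer. Magic quotes no longer exist in current PHP, so addslashes() stands in for them on constructed sample data; map_deep() and html() are hypothetical helper names.

```php
<?php
// Constructed sample input, shaped like a request with name=... and user[full]=...
$raw = [
    'name' => "test's",
    'user' => ['full' => 'John "JS" Smit', 'tag' => '<b>bold</b>'],
];

/** Apply $fn to every string in a nested array, leaving the keys alone. */
function map_deep(callable $fn, $value)
{
    return is_array($value)
        ? array_map(function ($v) use ($fn) { return map_deep($fn, $v); }, $value)
        : $fn($value);
}

/** Escape one value for an HTML text node or a quoted attribute value. */
function html(string $value): string
{
    // ENT_QUOTES also encodes the single quote, which the default flags
    // before PHP 8.1 left untouched.
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Assumption: addslashes() reproduces what magic_quotes_gpc did to the
// request before the script saw it.
$quoted = map_deep('addslashes', $raw);

// Step 1: undo the quoting so the script works with what the client sent.
$restored = map_deep('stripslashes', $quoted);
var_dump($restored === $raw); // round trip check, nested fields included

// Step 2: escape at the point of output. Stripping slashes does nothing
// about markup, and escaping does nothing about the stray backslash:
// the first line is safe HTML but still shows the backslash.
echo 'Hello ', html($quoted['name']), PHP_EOL;
echo 'Hello ', html($restored['name']), PHP_EOL;
echo 'Tag: ', html($restored['user']['tag']), PHP_EOL;
```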
