Amit Khanna - 1 year ago
PHP Question

php stop quote escape

I have a small piece of PHP code that prints a welcome message:

echo "Hello ". $_GET['name'];

I've put this code on my website hosted on Godaddy's server and I found that the server is escaping the single and double quotes. For example's


Hello test\'s

but the same code runs fine on the Apache server on my PC. How can this be fixed?

Answer Source

Put the next code in a .htaccess file to inform PHP that magic quotes shouldn't be added to GET, POST and Cookie variables.

php_flag magic_quotes_gpc Off

If your webhost does not allow you to change your settings, you need to remove these quotes yourself using the stripslashes function. Since the $_GET / $_POST / $_COOKIE array may contain other arrays (by using field names like name[full]=John Smit), you need a recursive function to strip the slashes. For example, use the snippet from this comment to remove all "magic quotes" from the input:

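// Only needed on old PHP versions: magic quotes were removed in PHP 5.4 and
// get_magic_quotes_gpc() itself was removed in PHP 8.0.
if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
    // Recursive closure: input arrays may be nested (e.g. name[full]=John Smit)
    $strip_slashes_deep = function ($value) use (&$strip_slashes_deep) {
        return is_array($value) ? array_map($strip_slashes_deep, $value) : stripslashes($value);
    };
    $_GET = array_map($strip_slashes_deep, $_GET);
    $_POST = array_map($strip_slashes_deep, $_POST);
    $_COOKIE = array_map($strip_slashes_deep, $_COOKIE);
}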

Note that your code snippet is vulnerable to XSS, so use proper escaping:

echo "Hello " . htmlspecialchars($_GET['name']);

Another recommended way to retrieve such input values is to use the filter_* functions. Example which is the equivalent of the above snippet, but works regardless of the magic_quotes_gpc setting:


Related documentation:

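The filter-based read and the output escaping discussed in the answer, combined in one script; this is an added example, not code from the original question or answer. `render_greeting()` and the sample values are hypothetical and constructed for illustration, and PHP 7 or later is assumed.

```php
<?php
/**
 * Build the greeting from the raw "name" value.
 * $raw is null when the parameter is absent and false when the filter
 * rejected it, which is what happens when name[full]=... arrives as an array.
 * render_greeting() is a hypothetical helper name.
 */
function render_greeting($raw): string
{
    if ($raw === null || $raw === false || $raw === '') {
        return 'Hello guest';
    }
    // Escape at output time: <, >, &, " and ' become entities, so the value
    // stays inert in HTML text and inside quoted attributes.
    return 'Hello ' . htmlspecialchars($raw, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

if (PHP_SAPI !== 'cli') {
    // Web request: read the parameter through the filter extension instead
    // of $_GET, then escape it when it is written into the page.
    header('Content-Type: text/html; charset=UTF-8');
    echo render_greeting(filter_input(INPUT_GET, 'name', FILTER_UNSAFE_RAW));
} else {
    // Command line: run the same logic over constructed sample values.
    $samples = [
        "test's",                      // the quote from the question
        '<script>alert(1)</script>',   // markup that must not reach the page unescaped
        ['full' => 'John Smit'],       // array input, as sent by name[full]=John Smit
        null,                          // parameter missing
    ];
    foreach ($samples as $sample) {
        // filter_var() with a scalar filter returns false for arrays,
        // matching what filter_input() does on a real request.
        $raw = $sample === null ? null : filter_var($sample, FILTER_UNSAFE_RAW);
        echo render_greeting($raw), PHP_EOL;
    }
}
```

Run from the command line, the script prints one greeting per sample; served by a web server, it greets the `name` query parameter.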