
Fixed (interesting) Corruption of HTML form values.


Original post:
Hello. I've been testing some basic PHP with this form:
<input type="hidden" name="key1" value="value &quot;1&quot;" /> <input type="hidden" name="key2" value="v&amp;amp;l>u<e2" />
When I submit the form, $_POST['key1'] is value \"1\" and $_POST['key2'] is v&amp;l>u<e2. The &quot; has been read by the browser as a literal " which is fine, sensible, and expected. What is NOT fine is that the " has become an escaped \" in the _POST variable. It is part of the HTML standard that &amp; becomes & and &quot; becomes ", but AFAIK nothing says that PHP should start interpreting escape characters in the literal strings which arrive as its input. Apparently I'm wrong (unless the browser is doing it). I can start searching for and replacing \" with " but then I have to worry about occurrences of \\ or other escape characters, so is there a function that will do it all reliably? Also, given that the browser is reading the value of key1 as value "1", what is responsible for the transformation to value \"1\" ?
It turns out this is an ineffective security measure intended to defeat injection attacks; it doesn't change the need to use mysql_real_escape_string or some corresponding function. It's called "magic quotes" and can be fixed by setting magic_quotes_gpc=Off in php.ini and restarting Apache (there might be a .htaccess way to do this if you don't have access to php.ini). [Edited by - spraff on July 16, 2007 6:12:55 PM]
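
The transformation described in the post, and a reliable way to reverse it, as an added example that is not part of the original post. It reproduces what magic quotes did by calling addslashes() on constructed input, then undoes it with stripslashes(); the helper names `simulate_magic_quotes` and `undo_magic_quotes` are hypothetical.

```php
<?php
// Added example (not from the original post). Input values are constructed.

// What magic_quotes_gpc did: addslashes() on every request value,
// escaping ', ", \ and NUL with a backslash.
function simulate_magic_quotes($value)
{
    return is_array($value)
        ? array_map('simulate_magic_quotes', $value)
        : addslashes($value);
}

// The inverse: stripslashes() handles \" \' \\ and \0 together, so there
// is no need to search and replace each escape sequence by hand.
function undo_magic_quotes($value)
{
    return is_array($value)
        ? array_map('undo_magic_quotes', $value)
        : stripslashes($value);
}

// Constructed sample of what the browser sends after decoding the entities.
$sent = [
    'key1' => 'value "1"',
    'path' => 'C:\\temp\\"x"',        // literal backslashes and quotes
    'name' => ["O'Brien", 'a\\\\b'],  // nested array field, double backslash
];

$received = simulate_magic_quotes($sent);
echo $received['key1'], "\n";         // the escaped form seen in $_POST

$restored = undo_magic_quotes($received);
if ($restored !== $sent) {
    throw new RuntimeException('round trip failed');
}
echo $restored['key1'], "\n";         // the value the browser submitted

// On an old PHP where the setting cannot be turned off, undo it once at
// the top of the request. get_magic_quotes_gpc() was removed in PHP 8.0,
// hence the function_exists() guard.
if (function_exists('get_magic_quotes_gpc') && @get_magic_quotes_gpc()) {
    $_POST   = undo_magic_quotes($_POST);
    $_GET    = undo_magic_quotes($_GET);
    $_COOKIE = undo_magic_quotes($_COOKIE);
}
```

Reversing magic quotes only restores the submitted input; the query-time escaping the post mentions still has to be applied where the value is used.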
