# Fixed (interesting) Corruption of HTML form values.

This topic is 3839 days old which is more than the 365 day threshold we allow for new replies. Please post a new topic.

## Recommended Posts

Original post:
Quote:
Hello. I've been testing some basic PHP with this form:
Quote:

When I submit the form, $_POST['key1'] is value \"1\" and$_POST['key2'] is v&amp;l>u<e2. The &quot; has been read by the browser as a literal " which is fine, sensible, and expected. What is NOT fine is that the " has become an escaped \" in the _POST variable. It is part of the HTML standard that &amp; becomes & and &quot; becomes ", but AFAIK nothing says that PHP should start interpreting escape characters in the literal strings which arrive as its input. Apparently I'm wrong (unless the browser is doing it). I can start searching-for and replacing \" with " but then I have to worry about occurances of \\ or other escape characters, so is there a function that will do it all reliably? Also, given that the browser is reading the value of key1 as value "1", what is responsible for the transformation to value \"1\" ?
It turns out this is an ineffective security measure intended to defeat injection attacks, it doesn't change the need to use mysql_real_escape_string or some corresponding function. It's called "magic quotes" and can be fixed by setting magic_quotes_gpc=Off in php.ini and restarting apache (there might be a .htaccess way to do this if you don't have access to php.ini) [Edited by - spraff on July 16, 2007 6:12:55 PM]