AcidZombie24

[web] unescape, post and php


In my C app I am using libcurl to send POST data to my PHP file. I printed my POST data to a file, pasted it in http://www.linkedresources.com/tools/unescaper_v0.2b1.html and used unescape on the SQL data, and my SQL code came out perfectly. In PHP, I get the POST and it comes out with a \ in front of ' (and only in front of '), and I don't understand why. The unescaped data looked good and nothing else in the SQL code had \ in front of it. For example, the date is "%20%272008%2D06%2D29%27%2C%20", which should become " '2008-06-29', ", but I get " \'2008-06-29\', ". To print the SQL in PHP I use echo "Error: Sql is " . $sql . " error was " . mysql_error() . "<br>\n"; Can anyone tell me why this is happening?

PHP is adding slashes to your POSTed data as a simple security precaution. The setting is known as magic_quotes_gpc and is enabled by default in versions before PHP 6.0.0.

http://us.php.net/manual/en/info.configuration.php#ini.magic-quotes-gpc

Essentially, what it does is call addslashes on any data you submit via a form to your PHP script.

You are actually best off not using this feature and instead using mysql_real_escape_string to ensure your data is properly sanitized when using a MySQL database (which I assume you are, as you're echoing out mysql_error), like this:

// Undo the slashes magic_quotes_gpc added, but only if it is actually on;
// otherwise stripslashes would eat backslashes the user typed themselves.
$formdata = ( get_magic_quotes_gpc() ) ? stripslashes($_POST['name']) : $_POST['name'];

// Escape once, for the MySQL connection's charset, right before building the query.
$formdata = mysql_real_escape_string($formdata);

This will add the slashes to the quotes along with adjusting any other data to be properly formatted to prevent SQL injection. Since you're serializing your data anyway, you probably do not need to call mysql_real_escape_string, and you won't have your quotes with slashes added, but you should be aware of this (if you weren't already) to prevent SQL injection, which can give anybody pretty much full control to insert data into your database, get data out of it, delete it all entirely, or anything else you can do with your SQL queries.

[Edited by - CaspianB on July 30, 2008 2:34:36 PM]

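The following is an added example, not code from either poster. It reproduces what the original poster saw (urldecode followed by the addslashes that magic_quotes_gpc performs), shows the strip-at-entry pattern from the reply applied to all of $_POST, $_GET and $_COOKIE, and then goes one step beyond the thread: instead of escaping the value with mysql_real_escape_string and concatenating it into the query (shown here as the vulnerable form), it binds the value with a mysqli prepared statement, so no escaping layer is needed at all. The table name `events`, the column `when_date`, the `$db` connection and the mysqlnd-backed `get_result()` call are assumptions made for the example; the mysql_* extension the thread uses no longer exists in PHP 7, and get_magic_quotes_gpc() is gone in PHP 8, which is why both are guarded or replaced below.

```php
<?php
// Added example (not from the original thread). Assumes PHP 7+, a mysqli
// connection $db, a table `events` with a `when_date` column (all hypothetical),
// and the mysqlnd driver so that mysqli_stmt::get_result() is available.

// 1. What PHP did to the poster's POST body when magic_quotes_gpc was on.
//    The fragment below is the poster's own percent-encoded " '2008-06-29', ".
$rawBody = '%20%272008%2D06%2D29%27%2C%20';
$decoded = urldecode($rawBody);           // " '2008-06-29', "
$withMagicQuotes = addslashes($decoded);  // " \'2008-06-29\', "  (what $_POST held)

// 2. Undo magic quotes once, at request entry, for every GPC array.
//    get_magic_quotes_gpc() always returns false from PHP 5.4 on and is removed
//    in PHP 8, so the call is guarded with function_exists().
function stripMagicQuotes(array $input): array
{
    foreach ($input as $key => $value) {
        $input[$key] = is_array($value) ? stripMagicQuotes($value) : stripslashes($value);
    }
    return $input;
}

if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
    $_POST   = stripMagicQuotes($_POST);
    $_GET    = stripMagicQuotes($_GET);
    $_COOKIE = stripMagicQuotes($_COOKIE);
}

// 3. Vulnerable form: POSTed text pasted straight into SQL. Once the slashes are
//    gone (or were never added), a value such as "2008-06-29' OR '1'='1" changes
//    the meaning of the query.
function buildQueryVulnerable(string $date): string
{
    return "SELECT id FROM events WHERE when_date = '" . $date . "'";
}

// 4. Hardened form: a prepared statement keeps the value out of the SQL text,
//    so neither addslashes nor mysql_real_escape_string is needed. mysqli is
//    used because the mysql_* extension from the thread is gone in PHP 7.
function findEventIds(mysqli $db, string $date): array
{
    $stmt = $db->prepare('SELECT id FROM events WHERE when_date = ?');
    $stmt->bind_param('s', $date);
    $stmt->execute();
    $ids = [];
    foreach ($stmt->get_result() as $row) {
        $ids[] = (int) $row['id'];
    }
    $stmt->close();
    return $ids;
}

// Demonstration of steps 1 and 3; no database is needed for this part.
$date = trim(stripslashes($withMagicQuotes), " ,'");   // "2008-06-29"
echo $decoded, "\n", $withMagicQuotes, "\n";
echo buildQueryVulnerable($date), "\n";
echo buildQueryVulnerable("2008-06-29' OR '1'='1"), "\n";  // the injected query
// With a real $db: $ids = findEventIds($db, $date);
```

Running the first part prints the decoded fragment, the same fragment with the backslashes magic quotes added, the intended query, and the query as rewritten by the injected value; the last line shows exactly what the reply warns about. The prepared-statement version takes the injected string as literal data and simply matches no rows.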