AcidZombie24

[web] unescape, post and php

In my C app I am using libcurl to send POST data to my PHP file. I printed my POST data to a file, pasted it in http://www.linkedresources.com/tools/unescaper_v0.2b1.html and used unescape on the SQL data, and my SQL code came out perfectly. In PHP, I get the post and it comes out with a \ in front of ' and only in front of ', and I don't understand why. The unescaped data looked good and nothing else in the SQL code had \ in front of it. For an example, the date is "%20%272008%2D06%2D29%27%2C%20" which should become " '2008-06-29', " but I get " \'2008-06-29\', ". To print the SQL in PHP I use

echo "Error: Sql is " . $sql . " error was " . mysql_error() . "<br>\n";

Can anyone tell me why this is happening?

PHP is adding slashes to your POSTed data as a simple security precaution. The setting is known as magic_quotes_gpc and is enabled by default in versions before PHP 6.0.0.

http://us.php.net/manual/en/info.configuration.php#ini.magic-quotes-gpc

Essentially, what it does is call addslashes on any data you submit via a form to your PHP script.

You are actually best off not using this feature and instead using mysql_real_escape_string to ensure your data is properly sanitized when using a MySQL database (which I assume you are, as you're echoing out mysql_error), like this:

// Undo magic_quotes_gpc when it is on, so $formdata is the raw submitted value
$formdata = ( get_magic_quotes_gpc() ) ? stripslashes($_POST['name']) : $_POST['name'];

// Escape the value for use inside a quoted MySQL string literal
$formdata = mysql_real_escape_string($formdata);

This will add the slashes to the quotes along with adjusting any other data to be properly formatted to prevent SQL injection. Since you're serializing your data anyway, you probably do not need to call mysql_real_escape_string and you won't have your quotes with slashes added, but you should be aware of this (if you weren't already) to prevent SQL injection, which can give anybody pretty much full control to insert data to your database, get data out of it, delete it all entirely, or anything else you can do with your SQL queries.

[Edited by - CaspianB on July 30, 2008 2:34:36 PM]

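As an added illustration (not CaspianB's or the poster's code), this PHP 5 era snippet reproduces the symptom on the exact date value from the question and applies the stripslashes/mysql_real_escape_string fix from the answer to the whole $_POST array, nested arrays included. The table name events and column event_date are assumptions.

```php
<?php
// Added example (not from the thread). Reproduces the symptom in the question and
// applies the fix from the answer under PHP 5 with magic_quotes_gpc enabled.

// The encoded POST value quoted in the question, as libcurl sent it.
$encoded = "%20%272008%2D06%2D29%27%2C%20";
$sent    = urldecode($encoded);   // " '2008-06-29', "   : what the C app meant to send
$seen    = addslashes($sent);     // " \'2008-06-29\', " : what magic_quotes_gpc puts in $_POST

// magic_quotes_gpc runs addslashes on every GET/POST/COOKIE value, recursing into
// nested arrays, so the undo has to recurse the same way or inner values keep their slashes.
function undo_magic_quotes($value)
{
    if (is_array($value)) {
        return array_map('undo_magic_quotes', $value);
    }
    return stripslashes($value);
}

if (get_magic_quotes_gpc()) {
    $_POST = undo_magic_quotes($_POST);   // $_POST now holds the raw submitted text again
}

// Escape each value at the point it is placed inside a quoted literal, never earlier,
// so a value is escaped exactly once. Table and column names are assumptions.
function build_insert($link, $date)
{
    $date = mysql_real_escape_string($date, $link);
    return "INSERT INTO events (event_date) VALUES ('" . $date . "')";
}

// Stripping the slashes restores exactly what was sent; anything else means the
// value was escaped twice (magic_quotes plus a manual addslashes) somewhere upstream.
if (undo_magic_quotes($seen) !== $sent) {
    trigger_error("double-escaped POST value", E_USER_WARNING);
}
```

On PHP 7 and later both magic_quotes_gpc and the mysql_* functions are gone, and a PDO or mysqli prepared statement with bound parameters replaces the manual escaping shown in build_insert.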