This code seems to be unsafe:
<form method='post'>
<input type='text' name='x' style='width:1000px'>
<input type='submit' value='Send'>
</form>
<?php
if(isset($_POST['x']))
{
require_once("db_connect.php");
$q = mysqli_query($dbc, "SELECT x FROM table where x = '". $_POST['x'] ."'");
while($r = mysqli_fetch_assoc($q))
echo $r['x'];
}
but when I sent malicious input, it did not work. So I made similar script:
<form method='post'>
<input type='text' name='x' style='width:1000px'>
<input type='submit' value='Send'>
</form>
<?php
if(isset($_POST['x']))
echo $_POST['x'];
and when I sent ' (apostrophe), I recieved \' . So it became automatically escaped. My question is, where did it happen? How to send 'clear' apostrophe?
You could have Magic Quotes on. What version of PHP are you running? Magic Quotes were deprecated in 5.3 and removed in 5.4 but they default to ON when present.
Magic Quotes will automatically escape quotes, but you really shouldn't rely on it. You should turn it off and use a different escaping method or even better look at using prepared statements.
Run get_magic_quotes_gpc() to see if you have them on. If so, turn them off by making the following changes to the php.ini file:
; Magic quotes
;
; Magic quotes for incoming GET/POST/Cookie data.
magic_quotes_gpc = Off
; Magic quotes for runtime-generated data, e.g. data from SQL, from exec(), etc.
magic_quotes_runtime = Off
; Use Sybase-style magic quotes (escape ' with '' instead of \').
magic_quotes_sybase = Off