Are some characters automatically escaped?

I'm inputting some fields into a database. One had a value of

foto's

and when I checked in the $_POST[] where that was contained it had

foto\'s

Does this happen automatically? I don't have any escaping in my script (yet).

Update: So it's magic quotes that is doing it. The php.ini file looked like this:

; Magic quotes
;

So I changed it to:

; Magic quotes
;

; Magic quotes for incoming GET/POST/Cookie data.
magic_quotes_gpc = Off

; Magic quotes for runtime-generated data, e.g. data from SQL, from exec(), etc.
magic_quotes_runtime = Off

; Use Sybase-style magic quotes (escape ' with '' instead of \').
magic_quotes_sybase = Off

But in phpinfo this is still on:

magic_quotes_gpc    On  On

This is probably magic quotes in action. Disable them immediately and then follow the usual best practices to properly escape user-supplied input depending on what you are going to do with it.

Turn magic quotes off.

Click Here to see how to turn it off.

Always turn off magic code, as it has portability issues.

The PHP code below will be useful for you, and it will work even if magic quotes is on (below PHP version 6):

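function escape($string) {
    // Magic quotes only exist below PHP 6; undo them first so the value is not escaped twice.
    if (version_compare(phpversion(), '6', '<')) {
        if (get_magic_quotes_gpc()) {
            // stripslashes() reverses the addslashes()-style escaping that magic quotes applies.
            $string = stripslashes($string);
        }
    }
    // Non-numeric values get backslash escaping for quoting inside a SQL string literal.
    if (!is_numeric($string)) {
        $string = addslashes($string);
    }
    return $string;
}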

Usage:

$sql = "INSERT INTO employee(id, name) VALUES(1001, '".escape($_POST['name'])."')";

Hope this helps.
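An added example, not part of the question or any answer above: the same INSERT done with a PDO prepared statement, with magic quotes undone first on runtimes that still have them, and HTML escaping applied only at output. The in-memory SQLite database, the employee table layout, the $post array and the helper name raw_input_value() are assumptions made for the example.

```php
<?php
// Added example; not code from the question or the answers.
// Assumptions: PDO with the sqlite driver is available; the table layout
// and the helper name raw_input_value() are made up for illustration.

/**
 * Return a request value as the user typed it.
 * Magic quotes were removed in PHP 5.4, so the undo step only runs below that;
 * the version check also keeps get_magic_quotes_gpc() from being called on
 * runtimes where it is deprecated or no longer defined.
 */
function raw_input_value($source, $key)
{
    $value = isset($source[$key]) ? (string) $source[$key] : '';
    if (PHP_VERSION_ID < 50400 && get_magic_quotes_gpc()) {
        $value = stripslashes($value);
    }
    return $value;
}

// Constructed input standing in for $_POST; the value is the one from the question.
$post = array('name' => "foto's");

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE employee (id INTEGER PRIMARY KEY, name TEXT)');

// SQL context: the value is bound as a parameter, never spliced into the query text,
// so the apostrophe needs no escaping at all.
$stmt = $pdo->prepare('INSERT INTO employee (id, name) VALUES (:id, :name)');
$stmt->execute(array(':id' => 1001, ':name' => raw_input_value($post, 'name')));

// Read the row back and check that it holds the text as typed, with no stray backslash.
$stored = $pdo->query('SELECT name FROM employee WHERE id = 1001')->fetchColumn();
var_dump($stored === "foto's");

// HTML context: escape at output time, for the context the value lands in.
echo htmlspecialchars($stored, ENT_QUOTES, 'UTF-8'), "\n";
```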