Posted by Hilarion on 10/10/24 11:24
Mark <Scollop027@gmx.net> wrote:
> when reading an environment variable (with $HTTP_GET_VARS[ ) which contains
> quotes ('," ) they will be escaped (by backslash). How can I avoid this or is
> there any unescape function?

This feature is called "magic quotes". The one which is bothering you
is probably "magic_quotes_gpc" which causes escaping of all values passed by GET,
POST or COOKIE. This one can't be turned off at runtime (you can turn it off globally
in PHP config files or locally in a .htaccess file).

There's also "magic_quotes_sybase" which also works on GET, POST and COOKIE
(and overrides magic_quotes_gpc when turned on) but uses a different style
of escaping.

And finally there's "magic_quotes_runtime" which makes many functions returning
data from outside (like databases) escape quotes with backslashes. This one
CAN be turned off at runtime (by the "set_magic_quotes_runtime" function).

You can strip slashes added by "magic_quotes_gpc" or "magic_quotes_runtime"
using the "stripslashes" function (as Stefan already wrote), but remember that
you should check if "magic_quotes_gpc" and / or "magic_quotes_runtime"
is on before using this function (if you plan to move your script to
different servers or to change global settings for magic quotes) because
it does not see any difference between slashes added by magic quotes
and slashes which were put in the text by the user or script.

Personally I suggest turning off magic quotes and using proper escaping
functions when using external data in SQL or other sensitive places.
Magic quotes make scripts safer (if you are using MySQL) but not
entirely safe (you still have to use escaping in certain cases)
and force you to use cleaning functions in many places in code, making
it less readable.

Hilarion
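
The check-before-stripslashes advice from the post above, as an added example that is not part of the original post. The helper names (gpc_quotes_enabled, strip_deep, undo_gpc_quotes) and the sample input are hypothetical; it assumes magic_quotes_sybase is off, and magic_quotes_gpc is simulated with addslashes() so it runs on any PHP version.

```php
<?php
// True only when this PHP build still has magic_quotes_gpc and it is switched on.
// get_magic_quotes_gpc() no longer exists in PHP 8, hence the function_exists() guard.
function gpc_quotes_enabled()
{
    return function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc();
}

// stripslashes() for values that may be nested arrays (?tags[]=a&tags[]=b).
// Array keys are left as they are; only string values are touched.
function strip_deep($value)
{
    if (is_array($value)) {
        return array_map('strip_deep', $value);
    }
    return is_string($value) ? stripslashes($value) : $value;
}

// Undo magic_quotes_gpc only if it was applied; otherwise return the input as-is.
// $enabled can be forced for testing; null means "ask the running PHP".
function undo_gpc_quotes($input, $enabled = null)
{
    if ($enabled === null) {
        $enabled = gpc_quotes_enabled();
    }
    return $enabled ? strip_deep($input) : $input;
}

// Constructed sample: what the user actually typed into the form.
$typed = array('q' => "O'Reilly", 'path' => 'C:\\temp', 'tags' => array('"a"'));

// Constructed sample: the same data as a script sees it with magic_quotes_gpc on.
$escaped = array(
    'q'    => addslashes($typed['q']),
    'path' => addslashes($typed['path']),
    'tags' => array_map('addslashes', $typed['tags']),
);

// Case 1: server with magic quotes on, the added slashes are removed again.
var_dump(undo_gpc_quotes($escaped, true) === $typed);
// Case 2: server with magic quotes off, the data must not be touched.
var_dump(undo_gpc_quotes($typed, false) === $typed);
// Case 3: the mistake the post warns about, unconditional stripping on a
// server with magic quotes off removes the backslash the user typed in 'path'.
$damaged = strip_deep($typed);
var_dump($damaged['path'] === $typed['path']);
```

In a real script the call would be `$_GET = undo_gpc_quotes($_GET);` once at the top, with the values still escaped properly at the point where they enter SQL.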