{var%20f='http://v.t.sina.com.cn/share/share.php?appkey=1515056452',u=z||d.location,p=['&url=',e(u),'&title=',e(t||d.title),'&source=',e(r),'&sourceUrl=',e(l),'&content=',c||'gb2312','&pic=',e(p||'')].join('');function%20a(){if(!window.open([f,p].join(''),'mb',['toolbar=0,status=0,resizable=1,width=440,height=430,left=',(s.width-440)/2,',top=',(s.height-430)/2].join('')))u.href=[f,p].join('');};if(/Firefox/.test(navigator.userAgent))setTimeout(a,0);else%20a();})(screen,document,encodeURIComponent,'','','https://www.manongdao.com/data/attach/logo/logo.png', '推荐 成全新的幸福 的问题《PHP 5.3 automatically escapes $_GET/$_POST from fo》','https://www.manongdao.com/q-128543.html','页面编码gb2312|utf-8默认gb2312'));){kind=link}
My server admin recently upgraded to PHP 5.3 and I'm getting a weird "bug" (or feature, as the PHP folks have it). I had mysql_real_escape_string around most of my string form data for obvious safety reasons, but now it seems this escaping is already done by PHP.
<?php
echo $_GET["escaped"];
?>
<form method="get">
<input type="text" name="escaped" />
</form>
This outputs, if I enter for instance escape 'this test', escape \'this test\'. Same goes if I use POST instead of GET.
Is it directly tied to the 5.3 upgrade or could my admin have triggered some automatic switch in the php.ini file?
Also, should I just leave it as is (in the event that it is indeed a good fail proof mechanism that correctly catches all get and post variables), or should I disable it (if that's even possible!) and go back to mysql_real_escape_string? My guts tell me approach 2 would be best, but approach 1 would be somewhat automagical. :)
EDIT: Actually, I need to disable it. Sometimes I gather the form data and resend it to the client form in case something was wrong (i.e. missing field), so I don't want him/her to have slashes appearing out of nowhere.
It sounds like your server has magic quotes turned on - you can take a look at http://www.php.net/manual/en/security.magicquotes.disabling.php for a thorough discussion of ways to disable them.
check http://www.php.net/manual/en/info.configuration.php#ini.magic-quotes-gpc option in php.ini
This is due to magic quotes, you should turn it off.
And here is how you turn it off: http://www.php.net/manual/en/security.magicquotes.disabling.php
You do it either via php.ini or by removing slashes from all variables in
$_GETand$_POST, obviously the former is the recommended way to go.As Will Martin suggests you can also change it via a
.htaccesslike this:More info here: http://php.net/manual/en/configuration.changes.php
This "feature" is known as
magic_quotes_gpcand does not protect you from all SQL injection attacks (addslashesis called on every element of the input superglobals such as$_POSTand$_GET. This ignores the actual input/database encoding). It is therefore deprecated and should not be used.The official php manual includes a neat way to undo it in php code, but you should just turn it off.