[CLUE-Tech] PHP escaping characters
Jed S. Baer
thag at frii.com
Fri Mar 1 20:01:59 MST 2002
On Fri, 1 Mar 2002 18:54:19 -0700
Jeffery Cann <fabian at jefferycann.com> wrote:
Fabian,
> Have a look at the magic_quotes_* configuration variable for php. This
> config variable is where you control such things like escaping of
> characters.
> In particular, I think you need to turn on magic_quotes_sybase to stop the
> escaping of apostrophes. For details:
>
> http://www.php.net/manual/en/configuration.php
Yep. Or, turn magic_quotes_gpc (get/post/cookie) off. Prollum is what
those folks over at invite.net (who haven't responded to my e-mail yet)
have set.
Looking at the user comments:
http://www.php.net/manual/ro/function.get-magic-quotes-gpc.php
it would seem caution dictates the use of both stripslashes and
htmlspecialchars. Over at phpbuilder, an article advises using
htmlspecialchars anyway, to guard against malicious content in user-input
text.
> The suggested stripslashes() will work too, but why write code when you can
> do it with a configuration change? :-p
Cuz I don't control the php.ini on the server. ;-(
I noticed also the suggestion to set php config values in the .htaccess
file, but this doesn't work here at home.
I think I'm gonna rewrite that ugly thing (which I intended to do anyway,
I just whacked it out to get it done - I'd hoped - quickly). Per Steve's
suggestion:
function printform() {
?>
<!-- form stuff -->
<?php /* code to fiddle with stuff */ ?>
<!-- more form stuff -->
<?php
}
Or just write a loop to iterate over the post variables and fix them
before anything else happens.
jed
--
"Those who expect to reap the blessings of freedom must, like men,
undergo the fatigue of supporting it."
- Thomas Paine
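
The loop over the post variables mentioned above, combined with the stripslashes-plus-htmlspecialchars advice, as an added example that is not part of the original message. The function names (undo_magic_quotes, magic_quotes_active, h) and the sample $post array are hypothetical; the array is constructed to look like what $_POST holds when magic_quotes_gpc is on.

```php
<?php
// Added example, not code from the original post. All names are hypothetical.

// Undo the backslashes magic_quotes_gpc added, recursing into array-valued
// fields (for example inputs named "tags[]").
function undo_magic_quotes($value)
{
    if (is_array($value)) {
        return array_map('undo_magic_quotes', $value);
    }
    return is_string($value) ? stripslashes($value) : $value;
}

// True only where the setting exists and is switched on. The function was
// removed in PHP 8, hence the function_exists() guard; @ hides the PHP 7.4
// deprecation notice.
function magic_quotes_active()
{
    return function_exists('get_magic_quotes_gpc') && @get_magic_quotes_gpc();
}

// Escape at output time for an HTML context, so markup in user input is
// displayed as text instead of being interpreted by the browser.
function h($text)
{
    return htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
}

// Constructed sample input, standing in for $_POST on a server that has
// magic_quotes_gpc on: quotes arrive with a backslash in front of them.
$post = array(
    'name'    => 'Pat O\\\'Brien',
    'comment' => '<b>5 \\"stars\\"</b> & more',
    'tags'    => array('it\\\'s', 'ok'),
);

// In a real script, before anything else happens:
//   if (magic_quotes_active()) { $_POST = undo_magic_quotes($_POST); }
$clean = undo_magic_quotes($post);

// Store and process the clean values; escape only when printing into HTML.
foreach ($clean as $key => $value) {
    $shown = is_array($value) ? implode(', ', $value) : $value;
    echo h($key), ': ', h($shown), "\n";
}
```

Checking magic_quotes_active() first means the same script behaves correctly whether or not the host's php.ini has the setting on, which matters when the php.ini is not under your control.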