PHP 5.3 automatically escapes $_GET/$_POST from form strings?
My server admin recently upgraded to PHP 5.3 and I'm getting a weird "bug" (or feature, as the PHP folks have it). I had mysql_real_escape_string around most of my string form data for obvious safety reasons, but now it seems this escaping is already done by PHP.

<?php

echo $_GET["escaped"];

?>

<form method="get">
    <input type="text" name="escaped" />
</form>

This outputs, if I enter for instance escape 'this test', escape \'this test\'. Same goes if I use POST instead of GET.

Is it directly tied to the 5.3 upgrade or could my admin have triggered some automatic switch in the php.ini file?

Also, should I just leave it as is (in the event that it is indeed a good fail proof mechanism that correctly catches all get and post variables), or should I disable it (if that's even possible!) and go back to mysql_real_escape_string? My guts tell me approach 2 would be best, but approach 1 would be somewhat automagical. :)

EDIT: Actually, I need to disable it. Sometimes I gather the form data and resend it to the client form in case something was wrong (i.e. missing field), so I don't want him/her to have slashes appearing out of nowhere.

Lading answered 10/7, 2011 at 18:9 Comment(1)
It should also be noted, that if your php.ini file contains a syntax error, the default is to enable magic_quotes_gpc. So if you think you've disabled magic_quotes_gpc in your configuration file, it's possible the file could contain an error preventing your configuration from being applied. Personal experience. :P - Clue
This "feature" was known as magic_quotes_gpc (ini setting) and did not protect you from all SQL injection attacks (addslashes is called on every element of the input superglobals such as $_POST and $_GET. This ignored the actual input/database encoding). It was therefore deprecated (PHP 5.3, removed in 5.4) and should not be used.

The official PHP manual included a neat way to undo it in PHP code, but you should have just turned it off.


Related PHP Request for Comments (RFCs):

Faucal answered 10/7, 2011 at 18:11 Comment(5)
The "neat" way of undoing it is slow, it's O(n), not too bad but can still cause problems with huge input. - Difference
@Nicklas A. It may be slow, but on first sight, this seems to be the fastest possible way to undo magic quotes. Could you elaborate on how this code could be improved? And if n is the size of the whole POST body, any algorithm undoing a text encoding on it will take O(n), won't it? - Faucal
No, of course there is no other solution. I merely meant that modifying the php.ini is a far better solution :) - Difference
And yes, the algorithm would be Ω(n) - Difference
@Lading Bonin Don't forget to reload apache afterwards. After that, check the output of phpinfo - you may have modified the CLI php.ini instead of the apache one. Also, check with a trivial php script (<?php echo(htmlspecialchars($_POST['x']));) - Faucal
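The answer above says magic quotes ignored the input/database encoding. The following is an added example, not code from the thread or from the PHP manual, that shows concretely what that means: addslashes() inserts a backslash byte (0x5C) in front of the quote, but under a multibyte charset such as GBK that backslash can be swallowed as the trail byte of the preceding character, leaving the quote intact. It assumes the mbstring extension is available; the find_user() function and its users table are hypothetical and are not executed here.

```php
<?php
// Added example: why addslashes()-style magic quotes are not an injection
// defence. The attacker input below is constructed; no database is needed.

/**
 * The transformation magic_quotes_gpc applied to every request value:
 * plain addslashes(), which knows nothing about the connection charset.
 */
function magic_quote(string $value): string
{
    return addslashes($value);
}

/**
 * Split a byte string into characters under the given encoding and return
 * each character as hex, so we can see where the quote ends up.
 * Assumes ext/mbstring.
 */
function chars_as_hex(string $bytes, string $encoding): array
{
    $out = [];
    $len = mb_strlen($bytes, $encoding);
    for ($i = 0; $i < $len; $i++) {
        $out[] = bin2hex(mb_substr($bytes, $i, 1, $encoding));
    }
    return $out;
}

/**
 * What the thread recommends instead of magic quotes: tell the driver the
 * real charset (in the DSN) and use a real server-side prepared statement,
 * so no client-side escaping is involved at all. Hypothetical table and
 * function; $pdo is assumed to be an open connection, e.g.
 *   new PDO('mysql:host=localhost;dbname=app;charset=utf8mb4', $user, $pass,
 *           [PDO::ATTR_EMULATE_PREPARES => false]);
 */
function find_user(PDO $pdo, string $name): array
{
    $stmt = $pdo->prepare('SELECT id, name FROM users WHERE name = ?');
    $stmt->execute([$name]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed attacker input: a lone GBK lead byte followed by a single quote.
$payload = "\xbf'";

$escaped = magic_quote($payload);
echo bin2hex($escaped), "\n";                  // bf5c27

// Read as a single-byte charset, the backslash still protects the quote:
print_r(chars_as_hex($escaped, 'ISO-8859-1')); // [bf, 5c, 27]

// Read by a GBK connection, 0xBF 0x5C is one valid two-byte character, so
// the quote stands alone again and terminates the SQL string literal:
print_r(chars_as_hex($escaped, 'GBK'));        // [bf5c, 27]
```

The same split applies to mysql_real_escape_string() if the connection charset was never set (the old mysql extension had no way to set it other than SET NAMES, which the escaping function does not see); mysqli_set_charset() or the charset in the PDO DSN is what makes the driver escape correctly, and prepared statements remove the question entirely.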
This is due to magic quotes, you should turn it off.

And here is how you turn it off: http://www.php.net/manual/en/security.magicquotes.disabling.php

You do it either via php.ini or by removing slashes from all variables in $_GET and $_POST, obviously the former is the recommended way to go.


As Will Martin suggests you can also change it via a .htaccess like this:

php_flag magic_quotes_gpc off

More info here: http://php.net/manual/en/configuration.changes.php

Difference answered 10/7, 2011 at 18:10 Comment(3)
Will accept when S/O lets me. Never figured such a crazy "feature" could exist. Asked my admin to disable it, because sadly, ini_set won't work. Grr. - Lading
ini_set only works on stuff that happens after the script has been parsed and sadly the escaping happens before. Magic quotes are evil and only causes problem, never solves them. Especially as people might rely on them for stuff. - Difference
You can disable it using .htaccess - that happens before the page is parsed. php_flag magic_quotes_gpc Off in your .htaccess. - Groupie
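Two things the answers and comments above describe without showing code: checking that the setting is really off in the PHP that serves the page (not the CLI one), and the recursive stripslashes fallback for when you cannot edit php.ini or .htaccess and still need to echo form data back without stray slashes, as the question asks. This is an added example, not code from the thread or the PHP manual. It assumes nothing beyond a standard PHP build; the sample input is constructed to look like what magic_quotes_gpc would have produced.

```php
<?php
// Added example: verify the magic_quotes_gpc state, and undo it in code only
// when it is actually on.

/**
 * Where does the effective setting come from? php_ini_loaded_file() shows
 * which php.ini this SAPI read (the CLI and Apache often use different ones).
 * get_magic_quotes_gpc() was removed in PHP 8, so guard the call; from 5.4 on
 * it always returns false.
 */
function magic_quotes_status(): array
{
    return [
        'loaded_ini' => php_ini_loaded_file(),            // false if no php.ini was found
        'ini_value'  => ini_get('magic_quotes_gpc'),      // "" or false on PHP >= 5.4
        'active'     => function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc(),
        // magic_quotes_gpc is a PHP_INI_PERDIR directive: it is applied while the
        // request is parsed, before any script runs, so ini_set() is refused and
        // returns false. This is why the comment above says ini_set "won't work".
        'ini_set_ok' => ini_set('magic_quotes_gpc', '0') !== false,
    ];
}

/**
 * Recursively strip the slashes magic quotes added. Array keys were quoted
 * too, so they are stripped as well. Linear in the size of the input, as the
 * comments on the first answer note.
 */
function strip_magic_quotes($value)
{
    if (is_array($value)) {
        $clean = [];
        foreach ($value as $key => $item) {
            $clean[stripslashes((string) $key)] = strip_magic_quotes($item);
        }
        return $clean;
    }
    return stripslashes((string) $value);
}

/**
 * Undo magic quotes on the request superglobals. Only runs when the feature
 * is on; stripping unconditionally would eat legitimate backslashes.
 */
function undo_magic_quotes(): void
{
    if (!(function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc())) {
        return;
    }
    $_GET     = strip_magic_quotes($_GET);
    $_POST    = strip_magic_quotes($_POST);
    $_COOKIE  = strip_magic_quotes($_COOKIE);
    $_REQUEST = strip_magic_quotes($_REQUEST);
}

// Constructed sample of what magic_quotes_gpc produced for the question's
// input "escape 'this test'", plus a quoted key and a nested field.
$sample = [
    'escaped' => "escape \\'this test\\'",
    'o\\'k'   => ['inner' => "a \\\"b\\\" c\\\\d"],
];
print_r(strip_magic_quotes($sample));
// [escaped] => escape 'this test'
// [o'k] => [inner] => a "b" c\d

undo_magic_quotes();
print_r(magic_quotes_status());
```

When re-rendering a submitted value into the form, wrap it in htmlspecialchars() after undoing the quotes: the slashes were never the right protection for HTML either, and the quote character itself still needs encoding for the attribute context.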
Check the http://www.php.net/manual/en/info.configuration.php#ini.magic-quotes-gpc option in php.ini.

Thymol answered 10/7, 2011 at 18:11 Comment(0)
It sounds like your server has magic quotes turned on - you can take a look at http://www.php.net/manual/en/security.magicquotes.disabling.php for a thorough discussion of ways to disable them.

Elatia answered 10/7, 2011 at 18:12 Comment(0)