My server admin recently upgraded to PHP 5.3 and I'm getting a weird "bug" (or feature, as the PHP folks have it). I had mysql_real_escape_string around most
This "feature" is known as magic_quotes_gpc and does not protect you from all SQL injection attacks (addslashes is called on every element of the input superglobals such as $_POST and $_GET. This ignores the actual input/database encoding). It is therefore deprecated and should not be used.
The official PHP manual includes a neat way to undo it in PHP code, but you should just turn it off.
This is due to magic quotes, you should turn it off.
And here is how you turn it off: http://www.php.net/manual/en/security.magicquotes.disabling.php
You do it either via php.ini or by removing slashes from all variables in $_GET and $_POST, obviously the former is the recommended way to go.
As Will Martin suggests you can also change it via a .htaccess like this:
php_flag magic_quotes_gpc off
More info here: http://php.net/manual/en/configuration.changes.php
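For hosts where neither php.ini nor .htaccess can be changed, the runtime fallback mentioned above (removing slashes from the request variables) can look like the following. This is an added example, not code from the original answers; the function name `undo_magic_quotes` and the sample values are assumptions made for illustration, and `addslashes()` stands in for `mysql_real_escape_string()` so the demo needs no database link.

```php
<?php
// Added example, not part of the original answers.

// Recursively reverse the addslashes() that magic_quotes_gpc applied
// to a request array. Keys are unescaped as well as values.
function undo_magic_quotes(array $input)
{
    $clean = array();
    foreach ($input as $key => $value) {
        $key = is_string($key) ? stripslashes($key) : $key;
        if (is_array($value)) {
            $clean[$key] = undo_magic_quotes($value);
        } else {
            $clean[$key] = is_string($value) ? stripslashes($value) : $value;
        }
    }
    return $clean;
}

// Run once, before any other code reads the request.
// get_magic_quotes_gpc() exists on PHP 5.3 and was removed in PHP 8,
// hence the function_exists() guard.
if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
    $_GET     = undo_magic_quotes($_GET);
    $_POST    = undo_magic_quotes($_POST);
    $_COOKIE  = undo_magic_quotes($_COOKIE);
    $_REQUEST = undo_magic_quotes($_REQUEST);
}

// Constructed sample: what a form post looks like with magic quotes on.
$submitted = array('name' => "O'Reilly", 'tags' => array('a"b', 'c\\d'));
$quoted = array(
    'name' => addslashes($submitted['name']),
    'tags' => array_map('addslashes', $submitted['tags']),
);
$restored = undo_magic_quotes($quoted);

// Escaping an already-escaped value is what stores literal backslashes.
echo "escaped twice: ", addslashes($quoted['name']), "\n";
echo "escaped once:  ", addslashes($restored['name']), "\n";
var_dump($restored === $submitted);
```

Stripping the slashes only restores the raw input; each value still has to be escaped for the database connection, or bound as a query parameter, before it reaches SQL.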
Check the http://www.php.net/manual/en/info.configuration.php#ini.magic-quotes-gpc option in php.ini
It sounds like your server has magic quotes turned on - you can take a look at http://www.php.net/manual/en/security.magicquotes.disabling.php for a thorough discussion of ways to disable them.