Magic quotes and strings

Where are we?

You know how to get form data into a PHP program. Let’s talk about an annoying thing that PHP does to text strings.

This lesson’s goals

In this lesson, you learn:

  • That PHP’s magic quotes feature adds extra backslashes to text.
  • How to use the stripslashes() function to fix the problem.

Strings with quotes

Look at the name form again. Here it is, with some data:

Figure 1. Input

When the user clicks the button, the form data is sent to this page:

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Strict//EN" "http://www.w3.org/TR/html4/strict.dtd">
<html>
  <head>
    <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
    <title></title>
  </head>
  <body>
    <?php
    $first_name = $_POST['first_name'];
    $surname = $_POST['surname'];
    ?>
    <p>Your name is <?php print $first_name . ' ' . $surname; ?>.</p>
  </body>
</html>

Figure 2. Process form data

Here is the output:

Figure 3. Output

No problem.

But suppose the user has a name with a quote (’) in it, like this:

Figure 4. Input with quote

This is the result:

Figure 5. Output with quote

There’s a backslash in the output (\). You can try it.

Huh? Where did that backslash come from?

The magic quotes setting

PHP has a bunch of settings that change how it works. For example, you can set the maximum time a PHP program is allowed to run.

One of the settings is “magic quotes.” It’s either on or off. When it’s on, PHP looks at all the text data coming in from forms. If it finds a quote, it will put a backslash in front of it. So it converts De'ev to De\'ev.

If magic quotes is off, no conversion happens. De'ev stays De'ev.

Here’s the output again:

Figure 5 (again). Output with quote

This came from a PHP program running on a server. The server had magic quotes on. Hence the backslash.

I turned magic quotes off, and ran the program again. I got:

Figure 5. No backslash

Renata

Er, why did the PHP people do this magic quotes thing?

Kieran

It helps with security in some situations. But it causes problems, as well. For De’ev, and others.

Many people think that magic quotes was a bad idea. It didn’t solve many security problems. And anyway, there are better ways to handle those security issues it did solve.

Magic quotes will be dropped in the next major version of PHP.

Getting rid of the backslashes

There are two ways to get rid of the extra backslashes. One way is to turn the magic quotes setting off in PHP. But to do that, you need access to a special settings file. You may or may not have access, depending on your hosting account.

The second way is to call PHP’s stripslashes() function. It does what its name says. You give it a string, and it goes through and removes the backslashes.

Here’s the code again, with a slight change:

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Strict//EN" "http://www.w3.org/TR/html4/strict.dtd">
<html>
  <head>
    <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
    <title></title>
  </head>
  <body>
    <?php
    $first_name = $_POST['first_name'];
    $first_name = stripslashes($first_name);
    $surname = $_POST['surname'];
    $surname = stripslashes($surname);
    ?>
    <p>Your name is <?php print $first_name . ' ' . $surname; ?>.</p>
  </body>
</html>

Figure 6. Using stripslashes()

Line 10 strips the slashes out of $first_name and puts the result back into $first_name. Line 12 does the same for $surname.

You could also write it like this:

<?php
$first_name = stripslashes($_POST['first_name']);
$surname = stripslashes($_POST['surname']);
?>
<p>Your name is <?php print $first_name . ' ' . $surname; ?>.</p>

Figure 7. Using stripslashes() again

It works the same. Line 9 takes the value of the form field first_name, strips out the backslashes, and puts the result into $first_name.

You could also do this:

<?php
$first_name = $_POST['first_name'];
$surname = $_POST['surname'];
?>
<p>Your name is <?php print stripslashes($first_name) . ' ' . stripslashes($surname); ?>.</p>

Figure 8. Using stripslashes() again again

This version moves the calls to stripslashes() to the output.
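All three versions call stripslashes() unconditionally, so on a server where magic quotes is off they also delete backslashes the user really typed. The following is an added example, not the lesson's own code: it only undoes the backslashes when the setting is actually on, copes with form fields that arrive as arrays, and escapes the output so a name containing HTML is shown rather than run. It assumes a PHP version where get_magic_quotes_gpc() exists (magic quotes were removed in PHP 5.4 and the function itself in PHP 8; the function_exists() guard keeps the code working on either).

```php
<?php
// Added example, not code from the lesson.
// Report whether magic quotes is on. get_magic_quotes_gpc() is gone in
// PHP 8, so guard the call; with no function, there are no magic quotes.
function magic_quotes_on() {
    return function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc();
}

// Remove the backslashes magic quotes added. Form fields can be arrays
// (for example name="tags[]"), and stripslashes() on an array only raises
// a warning, so recurse into arrays instead.
function undo_magic_quotes($value) {
    if (is_array($value)) {
        return array_map('undo_magic_quotes', $value);
    }
    return stripslashes($value);
}

// Read one POST field. If magic quotes is off, the value is returned
// untouched, so a surname typed as O\'Hara keeps its backslash.
// A missing field gives '' instead of an "undefined index" notice.
function post_field($name) {
    $value = isset($_POST[$name]) ? $_POST[$name] : '';
    return magic_quotes_on() ? undo_magic_quotes($value) : $value;
}

$first_name = post_field('first_name');
$surname = post_field('surname');
?>
<!-- htmlspecialchars() turns <, >, " and ' into entities, so a name such as
     <script>...</script> is displayed as text instead of being executed. -->
<p>Your name is <?php print htmlspecialchars($first_name . ' ' . $surname, ENT_QUOTES, 'UTF-8'); ?>.</p>
```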

Exercise: Remove the slashes

Write an HTML page with a form that has one field, like this:

Figure 1. Input

When the button is clicked, the data is sent to a PHP page that shows whatever data the user typed. If there is a quote (’) in the data, no slashes appear in the output. Like this:

Figure 2. Output

You can try my solution to see how it works. You can download my solution, but do the exercise yourself before you look at the files.

Upload your solution to your server. Put the URL below.


Summary

In this lesson, you learned:

  • That PHP’s magic quotes feature adds extra backslashes to text.
  • How to use the stripslashes() function to fix the problem.

What now?

Let’s see how you can do computations on form data.
