My server admin recently upgraded to PHP 5.3 and I'm getting a weird "bug" (or feature, as the PHP folks have it). I had mysql_real_escape_string around most of my string form data for obvious safety reasons, but now it seems this escaping is already done by PHP.
<?php
echo $_GET["escaped"];
?>
<form method="get">
<input type="text" name="escaped" />
</form>
This outputs, if I enter for instance escape 'this test', escape \'this test\'. Same goes if I use POST instead of GET.
Is it directly tied to the 5.3 upgrade or could my admin have triggered some automatic switch in the php.ini file?
Also, should I just leave it as is (in the event that it is indeed a good fail proof mechanism that correctly catches all get and post variables), or should I disable it (if that's even possible!) and go back to mysql_real_escape_string? My guts tell me approach 2 would be best, but approach 1 would be somewhat automagical. :)
EDIT: Actually, I need to disable it. Sometimes I gather the form data and resend it to the client form in case something was wrong (i.e. missing field), so I don't want him/her to have slashes appearing out of nowhere.
This "feature" was known as magic_quotes_gpc (ini setting) and did not protect you from all SQL injection attacks (addslashes is called on every element of the input superglobals such as $_POST and $_GET. This ignored the actual input/database encoding). It was therefore deprecated (PHP 5.3, removed in 5.4) and should not be used.
The official PHP manual included a neat way to undo it in php code, but you should have just turned it off.
Related PHP Requests for Comments (RFCs):
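The undo-in-code approach the answer mentions, as an added example (not the manual's own snippet and not from the original answer): strip the slashes magic_quotes_gpc added to the GPC superglobals on legacy PHP, echo the raw value back into the form safely, and get SQL safety from a prepared statement instead of escaping. The database connection details, table and column names are placeholders.

```php
<?php
// Added example: undo magic_quotes_gpc on legacy PHP (< 5.4) and rely on
// parameterised queries for SQL safety. On PHP >= 5.4 get_magic_quotes_gpc()
// always returns false, and the function no longer exists in PHP 8.
// Note: magic_quotes_gpc is PHP_INI_PERDIR, so it cannot be switched off with
// ini_set() at runtime; turning it off belongs in php.ini or .htaccess.

function strip_magic_quotes_deep($value)
{
    // Recursively strip the slashes addslashes() put on every GPC value,
    // so nested inputs such as name[]=a&name[]=b are handled too.
    return is_array($value)
        ? array_map('strip_magic_quotes_deep', $value)
        : stripslashes($value);
}

if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
    $_GET     = strip_magic_quotes_deep($_GET);
    $_POST    = strip_magic_quotes_deep($_POST);
    $_COOKIE  = strip_magic_quotes_deep($_COOKIE);
    $_REQUEST = strip_magic_quotes_deep($_REQUEST);
}

// The raw value can now be sent back to the client form without stray
// backslashes; HTML-escape it so it cannot break out of the attribute.
$escaped = isset($_GET['escaped']) ? $_GET['escaped'] : '';
echo '<form method="get">'
   . '<input type="text" name="escaped" value="'
   . htmlspecialchars($escaped, ENT_QUOTES, 'UTF-8') . '" />'
   . '</form>';

// SQL safety comes from a prepared statement with a bound parameter, which
// respects the connection's charset; no manual escaping of $escaped needed.
// Placeholder credentials and schema (assumed, not from the original post).
$db = new mysqli('localhost', 'db_user', 'db_password', 'app_db');
$db->set_charset('utf8mb4');
$stmt = $db->prepare('SELECT id FROM items WHERE label = ?');
$stmt->bind_param('s', $escaped);
$stmt->execute();
$result = $stmt->get_result();
while ($row = $result->fetch_assoc()) {
    echo htmlspecialchars((string) $row['id'], ENT_QUOTES, 'UTF-8'), "\n";
}
$stmt->close();
```

Run the strip block once, early in a shared bootstrap file, before any code reads the superglobals; stripping twice would eat backslashes the user actually typed.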