
%27 and ' - urlencode


elyob

Sep 9, 2005, 6:21:02 AM
Quite a lot of my data has apostrophes in. I'm passing the data using $_POST
and urlencode. So, for example, Joe's becomes Joe%27s.

On the next page, I urldecode and display the name in the META title. It
comes out as Joe\'s.

When I pass it once again, it becomes Joe\\\'s.

What am I doing wrong here?

Thanks


Oli Filth

Sep 9, 2005, 6:28:52 AM
elyob said the following on 09/09/2005 11:21:

http://www.php.net/manual/security.magicquotes.php

If you can, disable this feature, cos it's really annoying, as you've
just found out!


--
Oli

elyob

Sep 9, 2005, 7:02:41 AM

"Oli Filth" <ca...@olifilth.co.uk> wrote in message
news:EtdUe.25$2y...@newsfe7-win.ntli.net...

Great stuff. Thanks for that, the default php.ini had this. It's now gone. I
seem to remember one of the main PHP developers writing that magic quotes is
stupid and should be dropped.

Geoff Berrow

Sep 9, 2005, 8:10:44 AM
I noticed that Message-ID: <43216bc2$1...@news1.homechoice.co.uk> from
elyob contained the following:

>Great stuff. Thanks for that, the default php.ini had this. It's now gone. I
>seem to remember one of the main PHP developers writing that magic quotes is
>stupid and should be dropped.

You only need to url encode data that is going in a URL (duh...).

And don't forget that your database security is now down to you in this
and all future projects.

(you could have just used stripslashes() )
--
Geoff Berrow (put thecat out to email)
It's only Usenet, no one dies.
My opinions, not the committee's, mine.
Simple RFDs http://www.ckdog.co.uk/rfdmaker/

Oli Filth

Sep 9, 2005, 12:05:24 PM
Geoff Berrow said the following on 09/09/2005 13:10:

> I noticed that Message-ID: <43216bc2$1...@news1.homechoice.co.uk> from
> elyob contained the following:
>
>
>>Great stuff. Thanks for that, the default php.ini had this. It's now gone. I
>>seem to remember one of the main PHP developers writing that magic quotes is
>>stupid and should be dropped.
>
>
> You only need to url encode data that is going in a URL (duh...).
>
> And don't forget that your database security is now down to you in this
> and all future projects.

Yes, I'll echo that sentiment.

>
> (you could have just used stripslashes() )

IMO, using mysql_real_escape_string() once to put a value into a SELECT
query is far less annoying than having to use stripslashes() all over
the place...

Furthermore, magic quotes don't escape all the necessary characters to
make a string safe for SQL.


--
Oli
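
An added example, not written by any poster in this thread: it reproduces the slash build-up from the original question using addslashes() as a stand-in for magic quotes, then encodes the same raw value once per output context. The function names, the `people` table, the `page.php` URL and the in-memory SQLite database are assumptions for illustration, and a PDO bound parameter is used in place of mysql_real_escape_string().

```php
<?php
// Added illustration; not code from the thread.

// Stand-in for magic_quotes_gpc, which applied addslashes() to request data.
function magic_quotes_sim(string $raw): string {
    return addslashes($raw);
}

// Each hop models one page: the value arrives with slashes added, is echoed
// back unchanged, and is submitted again to the next page.
function round_trips(string $value, int $hops): array {
    $seen = [];
    for ($i = 0; $i < $hops; $i++) {
        $value = magic_quotes_sim($value);
        $seen[] = $value;
    }
    return $seen;
}

// Keep the raw value and encode only at the point of use, for that context.
function html_attr(string $raw): string {
    return htmlspecialchars($raw, ENT_QUOTES, 'UTF-8');
}

function url_param(string $raw): string {
    return rawurlencode($raw);
}

function store_and_fetch(PDO $db, string $raw): string {
    // Bound parameter: the value travels separately from the SQL text,
    // so no manual escaping or stripslashes() is involved.
    $db->prepare('INSERT INTO people (name) VALUES (?)')->execute([$raw]);
    return $db->query('SELECT name FROM people')->fetchColumn();
}

$name = "Joe's";                       // constructed sample input
print_r(round_trips($name, 2));        // the value after each of two hops

$db = new PDO('sqlite::memory:');      // assumes the pdo_sqlite extension
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE people (name TEXT)');

echo '<meta name="title" content="' . html_attr($name) . "\">\n";
echo 'page.php?name=' . url_param($name) . "\n";
echo store_and_fetch($db, $name) . "\n";
```
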

Jamie Davison

Sep 9, 2005, 2:04:05 PM
Not sure if you necessarily want to urlencode/decode here. All you really
need here is . . .

$data = stripslashes($_POST['field']);
echo $data;


On 9/9/05 6:21 AM, in article 432161fd$1...@news1.homechoice.co.uk, "elyob"
