Now let's make a simple form processor to show how machines
with magic quotes enabled will escape those potentially
risky characters. This form submits to itself, so you only
need to make one file, "magic-quotes.php", to test it out.
magic-quotes.php Code:
<?php
// Show the submitted value exactly as PHP received it
echo "Altered Text: ".$_POST['question'];
?>
This simple form shows you what magic quotes is doing. If
you were to enter and submit the string:
Sandy said, "It's a beautiful day outside and I like to use \'s."
you would receive the following output.
Display:
Altered Text: Sandy said, \"It\'s a beautiful day outside
and I like to use \\\'s.\"
Magic quotes did a number on that string, didn't it? Notice
that there is a backslash before all of those risky
characters we talked about earlier. After magic quotes:
A backslash \ becomes \\
A quote ' becomes \'
A double-quote " becomes \"
Now say that you want to remove the escaping that magic
quotes puts in. You have two options: disable magic quotes
or strip the backslashes that magic quotes adds.
Removing Backslashes - stripslashes()
Before you use PHP's backslash removal function,
stripslashes(), it's smart to add some magic quote checking
like in our "Are They Enabled?" section above. This way you
won't accidentally remove legitimate slashes if your PHP's
magic quotes setting changes in the future.
magic-quotes.php Code:
Our new output for our string containing risky characters
would now be:
Display:
Removed Slashes: Sandy said, "It's a beautiful day outside
and I like to use \'s."
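
An added example (not the tutorial's own code) of the check-then-strip approach described above, run on constructed input. addslashes() stands in for a server with magic quotes enabled, and the helper names magic_quotes_active(), strip_magic_slashes() and clean_input() are hypothetical.

```php
<?php
// Added example: undo magic-quotes escaping only when it was actually applied.

/** True only if this PHP build still has magic quotes and it is switched on. */
function magic_quotes_active()
{
    // get_magic_quotes_gpc() was removed in PHP 8.0, so test for it first.
    return function_exists('get_magic_quotes_gpc') && @get_magic_quotes_gpc();
}

/** Strip one layer of backslashes from a string or a (nested) array of strings. */
function strip_magic_slashes($value)
{
    if (is_array($value)) {
        // Form fields such as name="tags[]" arrive as arrays, so recurse.
        return array_map('strip_magic_slashes', $value);
    }
    return is_string($value) ? stripslashes($value) : $value;
}

/** Return input with magic-quotes escaping removed, if any was added. */
function clean_input($value, $quotesActive)
{
    return $quotesActive ? strip_magic_slashes($value) : $value;
}

// Constructed input: the tutorial's test string as the user typed it.
$typed = 'Sandy said, "It\'s a beautiful day outside and I like to use \\\'s."';

// What a server with magic quotes ON would hand to the script.
// addslashes() applies the same escaping that magic quotes did.
$escaped = array(
    'question' => addslashes($typed),
    'tags'     => array(addslashes("O'Reilly")),
);

$on  = clean_input($escaped, true);                       // setting on: strip
$off = clean_input(array('question' => $typed), false);   // setting off: keep

// Both paths must give back exactly what the user typed. Stripping when the
// setting is off would instead eat the user's own backslash before 's.
if ($on['question'] !== $typed || $off['question'] !== $typed) {
    throw new Exception('escaping was not reversed correctly');
}

echo "Magic quotes active on this runtime: ";
echo magic_quotes_active() ? "yes\n" : "no\n";
echo "Removed Slashes: " . $on['question'] . "\n";
```

In a real form handler the call would be clean_input($_POST, magic_quotes_active()), which leaves the data alone on any server where the setting is off or no longer exists.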