PHP :: Bug #28779 :: url decoding of POST varables

Bug #28779	url decoding of POST varables
Submitted:	2004-06-14 18:15 UTC	Modified:	2004-06-15 09:09 UTC
From:	john at pearcey dot net	Assigned:
Status:	Not a bug	Package:	HTTP related
PHP Version:	4CVS-2004-06-14 (stable)	OS:	Windows XP 5.1.2600
Private report:	No	CVE-ID:	None

View Developer Edit

Welcome back! If you're the original bug submitter, here's where you can edit the bug or add additional notes.
If you forgot your password, you can retrieve your password here.

Password:

Status:
Package:
Bug Type:
Summary:
From:	john at pearcey dot net
New email:
PHP Version:		OS:

New Comment:

[2004-06-14 18:15 UTC] john at pearcey dot net

Description:
------------
I am using the Java class HttpURLConnection to post variables to a php script and I'm encoding them using URLEncoder (UTF-8). The POST variables do not seem to be decoded correctly when a double or single quote is in the stream. A backslash character is prepended to it making it impossible for me to send for example: 

select * from MyTable where MyColumn="brill"

I end up with 
select * from MyTable where MyColumn=\"brill\"

I have checked the string going to the server and it lookes like this for the example above:

select+*+from+MyTable+where+MyColumn%3D%22brill%22

which of course is correct for UTF-8.

I have not tested this on Linux.

Reproduce code:
---------------
HttpURLConnection l_connection = (HttpURLConnection)m_url.openConnection();
		l_connection.setDoOutput( true );

		String l_postVars = URLEncoder.encode("MySQL", "UTF-8") + "=" + URLEncoder.encode("select * from MyTable where MyColumn=\"brill\"", "UTF-8");

		OutputStreamWriter l_os = new OutputStreamWriter( l_connection.getOutputStream() );
		l_os.write( l_postVars, 0, l_postVars.length() );
		l_os.flush();

PHP code:
echo $_POST['MySQL'];


Expected result:
----------------
select * from MyTable where MyColumn="brill"

Actual result:
--------------
select * from MyTable where MyColumn=\"brill\"

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports

[2004-06-14 19:16 UTC] pollita@php.net

The problem you're experiencing is unrelated to the decoding of the post variables.  (Which is actually working fine)

In your php.ini file you have magic_quote_gpc set to 'on'.  When this option is enabled PHP will automatically add backslashes to ' and " characters received via GET, POST, or COOKIE.  It's meant to make it trivial to avoid SQL injection attacks, but in practice tends to be more of an annoyance.

Either:
  (A) Turn off magic_quotes_gpc, or
  (B) Use stripslashes() to remove the effects of M_Q_GPC

See Also:
  http://www.php.net/manual/en/ref.info.php#ini.magic-quotes-gpc

  http://www.php.net/get_magic_quotes_gpc

[2004-06-14 20:57 UTC] john at pearcey dot net

Thanks for your reply - I didn't even think it might be a special reature!!

Sorry to have bothered you and thanks for your help.

[2004-06-15 09:09 UTC] derick@php.net

It's still bogus.

	php.net \| support \| documentation \| report a bug \| advanced search \| search howto \| statistics \| random bug \| login
go to bug id or search bugs for


Copyright © 2001-2025 The PHP Group All rights reserved.	Last updated: Tue May 13 07:01:26 2025 UTC