php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #13520 Wrong handling of the escape characters.
Submitted: 2001-10-02 16:06 UTC Modified: 2001-10-02 19:46 UTC
From: mcdouglas at angelfire dot com Assigned:
Status: Not a bug Package: Output Control
PHP Version: 4.0.6 OS:
Private report: No CVE-ID: None
 [2001-10-02 16:06 UTC] mcdouglas at angelfire dot com
In a html: <a href="test.php?str=some'thing">test</a>

And the test.php:
<?
echo $str;
?>

I used the win32 binary version of the php.

In the link I put the "some'thing" into the str variable whivh will pass to the script if i click on the Testlink.

I read in the manual the ' " \ are special character, and I must escape them with a \. Ok, I didn't used the \ before the ' in the something text, so I think the normal is that I get some error message...
But no: thw script will output the "some\'thing" text... which are funy because if I put the $str into a database (with a mysql_query) it will contain the original text: some'thing.

And if I use the \ in my link (like this: test.php?str=some\'thing) then the script will output the "some\\\'thing"... But I think it must output the "some'thing" because I used the \ before the '.

So, could be this a bug? I think so... 

Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2001-10-02 16:24 UTC] zak@php.net
This is not a bug. There is a configuration setting that 
controls this behavior.

Review the configuration section of the manual  
(http://www.php.net/manual/en/configuration.php)
Specifically, read the entries on them magic_quotes 
directives.

 [2001-10-02 19:46 UTC] jeroen@php.net
And you're mixing up a PHP enviroment and a HTML enviroment. They both have their own rules for escaping. See the HTML specs for how HTML handles things
 
PHP Copyright © 2001-2019 The PHP Group
All rights reserved.
Last updated: Mon Sep 23 04:01:27 2019 UTC