|  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #28779 url decoding of POST varables
Submitted: 2004-06-14 18:15 UTC Modified: 2004-06-15 09:09 UTC
From: john at pearcey dot net Assigned:
Status: Not a bug Package: HTTP related
PHP Version: 4CVS-2004-06-14 (stable) OS: Windows XP 5.1.2600
Private report: No CVE-ID: None
 [2004-06-14 18:15 UTC] john at pearcey dot net
I am using the Java class HttpURLConnection to post variables to a php script and I'm encoding them using URLEncoder (UTF-8). The POST variables do not seem to be decoded correctly when a double or single quote is in the stream. A backslash character is prepended to it making it impossible for me to send for example: 

select * from MyTable where MyColumn="brill"

I end up with 
select * from MyTable where MyColumn=\"brill\"

I have checked the string going to the server and it lookes like this for the example above:


which of course is correct for UTF-8.

I have not tested this on Linux.

Reproduce code:
HttpURLConnection l_connection = (HttpURLConnection)m_url.openConnection();
		l_connection.setDoOutput( true );

		String l_postVars = URLEncoder.encode("MySQL", "UTF-8") + "=" + URLEncoder.encode("select * from MyTable where MyColumn=\"brill\"", "UTF-8");

		OutputStreamWriter l_os = new OutputStreamWriter( l_connection.getOutputStream() );
		l_os.write( l_postVars, 0, l_postVars.length() );

PHP code:
echo $_POST['MySQL'];

Expected result:
select * from MyTable where MyColumn="brill"

Actual result:
select * from MyTable where MyColumn=\"brill\"


Add a Patch

Pull Requests

Add a Pull Request


AllCommentsChangesGit/SVN commitsRelated reports
 [2004-06-14 19:16 UTC]
The problem you're experiencing is unrelated to the decoding of the post variables.  (Which is actually working fine)

In your php.ini file you have magic_quote_gpc set to 'on'.  When this option is enabled PHP will automatically add backslashes to ' and " characters received via GET, POST, or COOKIE.  It's meant to make it trivial to avoid SQL injection attacks, but in practice tends to be more of an annoyance.

  (A) Turn off magic_quotes_gpc, or
  (B) Use stripslashes() to remove the effects of M_Q_GPC

See Also:
 [2004-06-14 20:57 UTC] john at pearcey dot net
Thanks for your reply - I didn't even think it might be a special reature!!

Sorry to have bothered you and thanks for your help.
 [2004-06-15 09:09 UTC]
It's still bogus.
PHP Copyright © 2001-2021 The PHP Group
All rights reserved.
Last updated: Fri Dec 03 07:03:34 2021 UTC