php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #28779 url decoding of POST varables
Submitted: 2004-06-14 18:15 UTC Modified: 2004-06-15 09:09 UTC
From: john at pearcey dot net Assigned:
Status: Not a bug Package: HTTP related
PHP Version: 4CVS-2004-06-14 (stable) OS: Windows XP 5.1.2600
Private report: No CVE-ID: None
View Add Comment Developer Edit
Welcome! If you don't have a Git account, you can't do anything here.
You can add a comment by following this link or if you reported this bug, you can edit this bug over here.
(description)
Block user comment
Status: Assign to:
Package:
Bug Type:
Summary:
From: john at pearcey dot net
New email:
PHP Version: OS:

 

 [2004-06-14 18:15 UTC] john at pearcey dot net
Description:
------------
I am using the Java class HttpURLConnection to post variables to a php script and I'm encoding them using URLEncoder (UTF-8). The POST variables do not seem to be decoded correctly when a double or single quote is in the stream. A backslash character is prepended to it making it impossible for me to send for example: 

select * from MyTable where MyColumn="brill"

I end up with 
select * from MyTable where MyColumn=\"brill\"

I have checked the string going to the server and it lookes like this for the example above:

select+*+from+MyTable+where+MyColumn%3D%22brill%22

which of course is correct for UTF-8.

I have not tested this on Linux.

Reproduce code:
---------------
HttpURLConnection l_connection = (HttpURLConnection)m_url.openConnection();
		l_connection.setDoOutput( true );

		String l_postVars = URLEncoder.encode("MySQL", "UTF-8") + "=" + URLEncoder.encode("select * from MyTable where MyColumn=\"brill\"", "UTF-8");

		OutputStreamWriter l_os = new OutputStreamWriter( l_connection.getOutputStream() );
		l_os.write( l_postVars, 0, l_postVars.length() );
		l_os.flush();

PHP code:
echo $_POST['MySQL'];


Expected result:
----------------
select * from MyTable where MyColumn="brill"

Actual result:
--------------
select * from MyTable where MyColumn=\"brill\"

Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2004-06-14 19:16 UTC] pollita@php.net
The problem you're experiencing is unrelated to the decoding of the post variables.  (Which is actually working fine)

In your php.ini file you have magic_quote_gpc set to 'on'.  When this option is enabled PHP will automatically add backslashes to ' and " characters received via GET, POST, or COOKIE.  It's meant to make it trivial to avoid SQL injection attacks, but in practice tends to be more of an annoyance.

Either:
  (A) Turn off magic_quotes_gpc, or
  (B) Use stripslashes() to remove the effects of M_Q_GPC

See Also:
  http://www.php.net/manual/en/ref.info.php#ini.magic-quotes-gpc

  http://www.php.net/get_magic_quotes_gpc
 [2004-06-14 20:57 UTC] john at pearcey dot net
Thanks for your reply - I didn't even think it might be a special reature!!

Sorry to have bothered you and thanks for your help.
 [2004-06-15 09:09 UTC] derick@php.net
It's still bogus.
 
PHP Copyright © 2001-2021 The PHP Group
All rights reserved.
Last updated: Tue Dec 07 22:03:34 2021 UTC