Managing Magic Quotes


Built into PHP is a handy feature referred to as Magic Quotes. Magic Quotes, when enabled, will automatically escape single quotation marks, double quotation marks, and backslashes in the values of incoming variables by placing a backslash before each one (the same escaping that addslashes() performs). This can help prevent problems when working with databases or HTML. But if I enter into a form some text that includes an apostrophe (Figure 2.5), the resulting page looks strange when the text is reprinted (Figure 2.6), because the added backslash is printed along with it.

Figure 2.5. Quotation marks entered into form values can be disruptive in your Web applications (see Figure 2.6).


Figure 2.6. The apostrophe entered in the form was escaped automatically by PHP, generating unseemly results.


In PHP there are two main types of Magic Quotes: magic_quotes_gpc, which applies to form, URL, and cookie data (gpc stands for get, post, cookie); and magic_quotes_runtime, which applies to data retrieved from external files and databases.

If Magic Quotes is enabled on your server, you can undo its effect using the stripslashes() function.

 $var = stripslashes($var); 

This function un-quotes a string: it removes the backslash that precedes each escaped character (turning \' back into ' and \\ back into \). In the form example, this will have the effect of turning an escaped submitted string back to its original, non-escaped value. Apply it only when Magic Quotes is actually on; run on a string that was never escaped, it silently deletes any backslashes the user typed.

To adjust for Magic Quotes

1.

Open handle_form.php (refer to Script 2.2) in your text editor.

2.

Change the first and third variable assignment lines to read (Script 2.3)

 $name = stripslashes($_REQUEST['name']); 
 $comments = stripslashes($_REQUEST['comments']); 

Script 2.3. The stripslashes() function will counteract the effects of Magic Quotes, removing unnecessary backslashes.


Now the $name and $comments variables will be assigned the values of their associated $_REQUEST variables, but with any backslashes removed. These are currently the only two variables that must be cleansed of backslashes. Presumably the email address will not contain one (or else it would be invalid) and the age and gender inputs have preset values.

3.

Save the file, upload to your Web server, and test in your Web browser (Figure 2.7).

Figure 2.7. Applying the stripslashes() function to the form values will undo the effects of Magic Quotes (compare with Figure 2.6).


Tips

  • PHP includes a third form of Magic Quotes, magic_quotes_sybase, which has its own peculiarities (it escapes a single quotation mark with a second single quotation mark rather than a backslash, and overrides magic_quotes_gpc when both are on) and is less often used.

  • A double backslash (\\) will be turned into a single backslash by the stripslashes() function.

  • When form data is being used with a database, as you'll see in Chapter 7, "Using PHP with MySQL," Magic Quotes (or a similar security measure) are important, as they prevent problematic characters from breaking the database query. Note, though, that Magic Quotes was deprecated in PHP 5.3 and removed in PHP 5.4, so code should never depend on it being on; the reliable protection is to escape values with the database's own escaping function or, better, to use prepared statements.

  • In Chapter 7, you'll also learn a trick for automatically using the stripslashes() function if magic_quotes_gpc is enabled on your server.

  • You can emulate what Magic Quotes does if it's disabled by using the opposite of the stripslashes() function, addslashes().

  • When working with strings stemming from forms, it's also a good idea to use the trim() function, which removes excess white space from both ends of the value.

     $name = trim($name); 
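The two stripslashes() calls of Script 2.3, the trim() tip, and the "strip only if magic_quotes_gpc is on" trick promised for Chapter 7, gathered into one added example that is not one of the book's scripts. The helper names magic_quotes_on(), map_deep(), and clean_input(), and the sample input values, are assumptions of this example, not something from the book. It relies on get_magic_quotes_gpc(), which exists from PHP 4 through PHP 7.4 and was removed in PHP 8.0, so the call is guarded with function_exists(); on PHP 5.4 and later, where Magic Quotes no longer exists, the helper simply reports that nothing was escaped and leaves the input alone.

```php
<?php
// Added example, not one of the book's scripts. Helper names are assumptions.

// True only when PHP actually escaped the incoming GET/POST/cookie data.
// get_magic_quotes_gpc() was removed in PHP 8.0 and magic quotes themselves
// in PHP 5.4, so the guard keeps this running (and returning false) there.
function magic_quotes_on()
{
    return function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc();
}

// Apply $fn to a string or, recursively, to every leaf of a nested array
// (e.g. a checkbox group submitted as name="interests[]").
function map_deep($fn, $value)
{
    if (is_array($value)) {
        return array_map(function ($v) use ($fn) {
            return map_deep($fn, $v);
        }, $value);
    }
    return $fn($value);
}

// Fetch one value from a request array: undo magic quotes only if PHP
// applied them, then trim surrounding whitespace. Missing keys yield $default.
function clean_input(array $source, $key, $default = '')
{
    if (!isset($source[$key])) {
        return $default;
    }
    $value = $source[$key];
    if (magic_quotes_on()) {
        $value = map_deep('stripslashes', $value);
    }
    return map_deep('trim', $value);
}

// ---- Demonstration on constructed input (no real form involved) ----
// What a user typed into the comments field, including a Windows path.
$typed = 'It\'s a "C:\\temp" path';

// What PHP hands the script when magic_quotes_gpc is on: the same escaping
// addslashes() performs (a backslash before each ' " \ and NUL).
$as_received = addslashes($typed);

echo "Typed:     $typed\n";
echo "Received:  $as_received\n";
echo "Restored:  " . stripslashes($as_received) . "\n";  // back to the typed text

// Why the check in clean_input() matters: stripping a string that was never
// escaped eats the user's own backslash, so the path loses the \ before temp.
echo "Damaged:   " . stripslashes($typed) . "\n";

// Typical handle_form.php usage, with a constructed array standing in for
// $_REQUEST. The comments value is pre-escaped only if this server would do so.
$request = array(
    'name'      => '  Marcus  ',
    'comments'  => magic_quotes_on() ? $as_received : $typed,
    'interests' => array(' php ', ' mysql '),
);
$name      = clean_input($request, 'name');
$comments  = clean_input($request, 'comments');
$interests = clean_input($request, 'interests', array());
$email     = clean_input($request, 'email');   // key absent, so default ''

echo "Name:      [$name]\n";
echo "Comments:  [$comments]\n";
echo "Interests: [" . implode('|', $interests) . "]\n";
echo "Email:     [$email]\n";
```

Run it from the command line with php on a server where magic_quotes_gpc is on and again where it is off: the Comments line comes out the same in both cases, which is the whole point of testing before stripping. The Damaged line shows what an unconditional stripslashes() does to legitimate user data when the setting is off, and the Restored line shows the addslashes()/stripslashes() round trip the book's tips describe.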




    PHP and MySQL for Dynamic Web Sites: Visual QuickPro Guide (2nd Edition)
    ISBN: 0321336577
    Year: 2005
    Pages: 166
    Authors: Larry Ullman
