Cookies With Special Characters

I am creating a web site using PHP, and need to pass certain strings via a cookie. I use setcookie() to store the cookie and $_COOKIE[] to retrieve it. All goes well until the stored string contains a backslash (\) or a single or double quote. In that case, when I retrieve the cookie it comes with 3 extra backslashes. Example:

I store Sam's and I get back Sam\\\'s

I store Sam\'s and I get back Sam\\\\\\\'s

This does not happen when I test locally on my own machine; it only started happening when I moved the site over to TCH for beta testing. I can't strip the backslashes out of the retrieved string, because sometimes I put a backslash in myself, as in the second example. I can't use setrawcookie() because it plain forbids such characters in the first place.

Tech support at TCH has declined to help or advise me. What's going on here, and what can I do about it?

The backslashes are probably being added because magic quotes (http://us.php.net/manual/en/security.magicquotes.php) is on. Magic quotes automatically escapes all quotes and backslashes in post, get & cookie data. Use stripslashes() to remove the slashes. get_magic_quotes_gpc() will return true if it's enabled, false if not.

Welcome to the forums erawlins :)

Welcome to the forum, erawlins. :)

Thanks, that makes sense. But why am I getting so *many* backslashes -- three, to be exact? I am including this cookie string in a SQL statement, and MySQL doesn't like it at all.

I can't stripslashes because the SQL parameter may actually have a quote in it and require a backslash -- for example, "select * from customer where last_name = 'O\'Neill'". Will that work if there are 3 slashes instead of one?

Welcome to the forums erawlins :)

I am not good as a PHP programmer. But I guess the second slash is added by magic_quotes_gpc while reading back from the cookie file. FYI, gpc stands for get, post, cookie; that is, it works when any or all of the above methods are called. You can turn off magic quotes by using php_flag in .htaccess. Feel free to ping support if you need assistance in turning it off for your account.

It is somehow being processed by magic quotes twice. Maybe it's a value passed in through POST from a form causing 'O'Neill' to be escaped as 'O\'Neill'. If the value were then written as is to a cookie, when it was later passed back to PHP the backslash (\\) and quote (\') would again be escaped resulting in 'O\\\'Neill', etc.
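
The double escaping described above, as an added example that is not code from any poster in the thread: it reproduces the backslash counts from the first post and then passes the recovered value to the query as a bound parameter instead of escaping it by hand. Assumptions: addslashes() stands in for magic quotes (the PHP manual describes the two as identical, and magic quotes no longer exists in current PHP), and the helper names, the in-memory SQLite table and its row are constructed for illustration.

```php
<?php
// Added illustration. magic_quotes_gpc escaped every GET/POST/cookie value
// the same way addslashes() does, so addslashes() simulates one pass of it.
function magic_quotes_pass(string $value): string
{
    return addslashes($value);
}

// Undo a known number of passes once, at the point where input enters the app.
function undo_passes(string $value, int $passes): string
{
    for ($i = 0; $i < $passes; $i++) {
        $value = stripslashes($value);
    }
    return $value;
}

// The two strings from the first post: Sam's and Sam\'s
foreach (["Sam's", "Sam\\'s"] as $typed) {
    $fromPost   = magic_quotes_pass($typed);    // escaped when the form is submitted
    $fromCookie = magic_quotes_pass($fromPost); // stored as is, escaped again on read
    printf("%-7s POST: %-10s cookie: %s\n", $typed, $fromPost, $fromCookie);
    if (undo_passes($fromCookie, 2) !== $typed) {
        throw new RuntimeException('round trip failed');
    }
}

// Constructed demo data in an in-memory SQLite database (assumes pdo_sqlite).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE customer (last_name TEXT)");
$db->exec("INSERT INTO customer VALUES ('O''Neill')");

// Cookie value as it would arrive after two passes, restored to the real name.
$lastName = undo_passes(magic_quotes_pass(magic_quotes_pass("O'Neill")), 2);

// The name is bound as a parameter, so the quote needs no backslash at all
// and the statement text never contains user-supplied characters.
$stmt = $db->prepare('SELECT COUNT(*) FROM customer WHERE last_name = ?');
$stmt->execute([$lastName]);
echo "rows matching {$lastName}: ", $stmt->fetchColumn(), "\n";
```
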
This all makes a lot of sense. I think I know enough to proceed now. Thanks for all the help!
 