Quoting hell

Wednesday 4 January 2006

In a comment on a recent post, Bob pointed out that the title (which has an apostrophe) acquired a backslash in the comment form. He politely asked,

Bug?

I refrained from answering sarcastically, “No, I like the extra backslash. Doesn’t it make me look cool?” In any case, I have now fixed the bug. It took me on a renewed tour of the travesty that is magic quotes, and led me to find a number of places I wasn’t doing quoting properly. I have strings passing from cookies, to PHP, to SQL, to HTML or JavaScript embedded in HTML, and finally back to cookies again. There are many handoffs between different quoting regimens, and that means lots of chances to do it wrong.
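The handoff chain described above, as an added example (this is not the post's own code): undo magic quotes once at the input boundary, keep the raw string inside the application, and encode once per output context. The function names are mine; the PHP built-ins, flags and PDO calls are standard.

```php
<?php
// Added example, not the post's code. Principle: decode once at the input
// boundary, keep the raw string inside the app, encode once per output context.

// Input boundary: undo magic quotes if the interpreter added them.
// get_magic_quotes_gpc() was removed in PHP 8, hence the function_exists() guard.
function rawInput(string $value): string
{
    if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
        return stripslashes($value);
    }
    return $value;
}

// Output boundary 1: HTML text or a quoted attribute (the comment form's value="...").
// The browser decodes the entities on submit, so no backslashes accumulate on preview.
function forHtml(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Output boundary 2: a JavaScript string literal inside an HTML <script> block.
// json_encode builds the literal; the HEX flags keep </script> and quotes inert.
function forJs(string $s): string
{
    return json_encode($s, JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT);
}

// Output boundary 3: a cookie value. PHP decodes it again when filling $_COOKIE.
function forCookie(string $s): string
{
    return rawurlencode($s);
}

// Output boundary 4: SQL. No string escaping at all; the driver binds the raw value.
function saveTitle(PDO $db, string $title): void
{
    $stmt = $db->prepare('INSERT INTO posts (title) VALUES (:title)');
    $stmt->execute([':title' => $title]);
}

// Constructed sample: the kind of title that grew a backslash on this post.
$title = rawInput("Isn't \"quoting\" <fun>?");

echo 'HTML:   ', forHtml($title), "\n";
echo 'JS:     ', forJs($title), "\n";
echo 'Cookie: ', forCookie($title), "\n";
// The bug on this page in one line: SQL-flavoured escaping applied to HTML output.
echo 'Wrong:  ', addslashes($title), "\n";
```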

I think I finally have it nailed, but then again, I thought that last time...

Comments

Back when I was writing my own blog software, I ran into the same problem(s). They became particularly acute when I added comment preview, which involves carrying the comment text through multiple POSTs adding and removing backslashes all the while. It was practically impossible to cover all of the cases. Some would say it's actually impossible; PHP forums are full of complaints about this very issue, along with dozens of (mostly incomplete or broken) workarounds. In the end that was one of the reasons I switched to WordPress and made it somebody else's problem. I simply have a lot better things to do with my time.

While we're on the subject, your email-address filter still gets me every time. It doesn't like @pl.atyp.us (have to use @atyp.us instead), then it turns "@" to "(at)" and "." to "(dot)" during preview but won't accept the result coming back. I still end up having to change my email address by hand (twice!) every time I comment here.

Fixed. Now I find the MX record for atyp.us when pl.atyp.us doesn't work.

Also: you shouldn't have to deal with the (at) thing. That is accepted incoming as a legitimate address.

I was hoping for a properly sarcastic response. If I find any other nits to pick, I'll try to remember to say Bug! rather than Bug?

Isn't PHP great, just when you think it's helping you it's actually stabbing you in the knee with a frozen eel. Just add in a dose of addslashes, stripslashes, nl2br, urlencode, utf8_encode, htmlentities, rawurlencode, convert_encoding, mysql_escape_string, mysql_real_escape_string, htmlspecialchars, htmltranslationtable, quoted_printable_decode and the various combinations of the ini settings that change the behaviour (which may be set in the php.ini file, the apache file, the local directory, compiled in or just set manually) and then switch error reporting off.

:-D
