0

I have an HTML form which after it's submitted is supposed to present the form fields into a PHP file inside an echo statement (which also contains HTML elements)

The problem I have is that while the results are produced as expected, on specific cases when form entries have " or ' in there, they're unescaped in the results.php page

My files:

form.html

<form action="./results.php" method="post" id="sgemail">  
  <table align="center" border="1" width="60%" style="border-color: #D2DFF5;">
    <tr>
      <td width="50%" style="padding-left: 8px; text-align: left;">
        <div class="form-group">
          <strong>Article 1 Title<br /></strong>
            <input type="text" class="form-control" id="ifn1title" placeholder="" name="ifn1title"><br />
          <strong>Article 1 URL<br /></strong>
            <input type="text" class="form-control" id="ifn1url" placeholder="" name="ifn1url">
        </div>
      </td>
      <td width="50%" style="padding-left: 8px; text-align: left;">
        <div class="form-group">
          <strong>Article 1 Description<br /></strong>
            <textarea rows="5" class="form-control" cols="10" name="ifn1desc" form="sgemail"></textarea>
        </div>
      </td>
    </tr>
  </table>
  <table align="center" width="60%">
    <tr>
      <td align="center" width="33%" style="padding-left: 8px; text-align: left;">
        <input class="btn btn-primary" type="submit" value="Generate Results HTML Code">
      </td>
    </tr>
  </table>
</form>

results.php

<?php
  if (isset($_POST['ifn1title']))
  if (isset($_POST['ifn1url']))
  if (isset($_POST['ifn1desc']))
    {
      $form_ifn1t = $_POST['ifn1title'];
      $form_ifn1u = $_POST['ifn1url'];
      $form_ifn1d = $_POST['ifn1desc'];

echo "
<table style=\"background-color:#D6E3F0;\" bgcolor=\"#D6E3F0\" align=\"center\" width=\"100%\">
  <tr align=\"center\">
    <td align=\"center\"><br />

<textarea id=\"selectori\" rows=\"50\" cols=\"120\" onclick=\"this.focus();this.select()\" readonly=\"readonly\">

    <ul>
      <li><a href=\"$form_ifn1u\"><strong>$form_ifn1t</strong></a><br />$form_ifn1d</li>
    </ul>

</textarea>
    </td>
  </tr>
</table>";
}
?>

When I submit the form,

The results in the corresponding locations come up as

<ul>
  <li><a href="http://www.example.com"><strong>\"Article\"</strong></a><br />\"Test Description\"</li>
</ul>

How do I fix it so the results come up clean as below ?

<ul>
  <li><a href="http://www.example.com"><strong>Article</strong></a><br />Test Description</li>
</ul>

Thanks

Edit:

I added the following on top of my php file and this fixed my issue

{
    $_GET = json_decode(stripslashes(json_encode($_GET, JSON_HEX_APOS)), true);
    $_POST = json_decode(stripslashes(json_encode($_POST, JSON_HEX_APOS)), true);
    $_COOKIE = json_decode(stripslashes(json_encode($_COOKIE, JSON_HEX_APOS)), true);
    $_REQUEST = json_decode(stripslashes(json_encode($_REQUEST, JSON_HEX_APOS)), true);
}

Is this ok with protecting against code injection? Thanks

valdroni
  • It looks like you need to turn off magic quotes, but if you're having that problem you really need to upgrade your version of PHP since magic quotes was removed around three years ago. –  May 18 '15 at 14:22
  • I am in PHP 5.3.29 How do I turn off magic quotes on this single file – valdroni May 18 '15 at 14:33

2 Answers

0

I am in PHP 5.3.29 How do I turn off magic quotes on this single file

You don't want to do that. You want them gone, entirely, once and for all.

See here for what they are, why they exist, why they're bad and how to disable them.

Long story short, you should really upgrade your PHP version.

If you cannot do that, you should probably change hosters or throw away anything that's keeping you from doing so.

The third best option is to disable magic quotes:

php_flag magic_quotes_gpc Off

And the worst option, if you really cannot do any of the above is to stripslashes for every entry in $_GET, $_POST, $_COOKIE and $_REQUEST if you use them.
Because you can't disable magic quotes at runtime.
Copied 1:1 from here:

<?php
if (get_magic_quotes_gpc()) {
    $process = array(&$_GET, &$_POST, &$_COOKIE, &$_REQUEST);
    while (list($key, $val) = each($process)) {
        foreach ($val as $k => $v) {
            unset($process[$key][$k]);
            if (is_array($v)) {
                $process[$key][stripslashes($k)] = $v;
                $process[] = &$process[$key][stripslashes($k)];
            } else {
                $process[$key][stripslashes($k)] = stripslashes($v);
            }
        }
    }
    unset($process);
}

In your case, that would be just

$form_ifn1t = stripslashes($_POST['ifn1title']);
$form_ifn1u = stripslashes($_POST['ifn1url']);
$form_ifn1d = stripslashes($_POST['ifn1desc']);

But please upgrade your PHP version!

Siguza
-2

Best way to echo html and php is like:

<?php echo "<div class='my-class'>some HTML here, but i want my ".$php_variable." also in this text</div>";?>

It's btw always a hassle using " in PHP code when you echo with "". So I always use the single ' so I don't have to exclude the ".

PS: echoing $_POST variables directly isn't the safest way. To make sure you are somewhat protected against code injection make sure to use something basic like the below:

$sendVar = stripslashes(htmlentities($_POST['var']));

This should also fix any issues with posts containing slashes

Visconti
  • It did not work, as it returned the same output again. Edit: I added the following at top of my PHP file { $_GET = json_decode(stripslashes(json_encode($_GET, JSON_HEX_APOS)), true); $_POST = json_decode(stripslashes(json_encode($_POST, JSON_HEX_APOS)), true); $_COOKIE = json_decode(stripslashes(json_encode($_COOKIE, JSON_HEX_APOS)), true); $_REQUEST = json_decode(stripslashes(json_encode($_REQUEST, JSON_HEX_APOS)), true); } and the problem is solved. How do I protect from code injection specifically – valdroni May 18 '15 at 14:33
  • Cheer for you to get it working. Simplest way against code injection is as described above. To get into the matter a bit more deeply I'd suggest you take a peek around here: http://stackoverflow.com/questions/1205889/how-to-prevent-code-injection-attacks-in-php or here concerning mysql http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php – Visconti May 18 '15 at 14:39
  • Is this code that I added also to protect against code injection ? I already made changes as Siguza suggested in $form_ifn1t = stripslashes($_POST['ifn1title']); – valdroni May 18 '15 at 15:04
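
Added example (not code from the question or either answer): stripslashes() only undoes magic quotes and escapes nothing, so results.php still needs output encoding for each HTML context it writes into. The sketch below, with hypothetical helper names and constructed sample input, escapes each field once for the generated snippet and then escapes the whole snippet again for display inside the textarea.

```php
<?php
// Added example, not code from the thread. All helper names are hypothetical.
// Undo magic_quotes_gpc only where it is actually switched on (PHP < 5.4).
function raw_input_value(array $src, $key) {
    $v = (isset($src[$key]) && is_string($src[$key])) ? $src[$key] : '';
    if (function_exists('get_magic_quotes_gpc') && @get_magic_quotes_gpc()) {
        $v = stripslashes($v);
    }
    return $v;
}

// Escape for HTML text and for quoted attribute values.
function h($s) {
    return htmlspecialchars($s, ENT_QUOTES, 'UTF-8');
}

// Accept only absolute http(s) URLs for the href; anything else becomes "#".
function safe_href($url) {
    $scheme = parse_url($url, PHP_URL_SCHEME);
    return in_array(strtolower((string) $scheme), array('http', 'https'), true) ? $url : '#';
}

function build_results(array $post) {
    $title = raw_input_value($post, 'ifn1title');
    $url   = safe_href(raw_input_value($post, 'ifn1url'));
    $desc  = raw_input_value($post, 'ifn1desc');
    // 1) The snippet the user will copy: every value escaped once.
    $snippet = "<ul>\n"
        . '  <li><a href="' . h($url) . '"><strong>' . h($title)
        . '</strong></a><br />' . h($desc) . "</li>\n</ul>";
    // 2) Escaped again so the browser shows the snippet as text in the textarea.
    return '<textarea id="selectori" rows="50" cols="120" readonly="readonly">'
        . "\n" . h($snippet) . "\n</textarea>";
}

// Constructed sample input; in results.php pass $_POST instead.
$sample = array(
    'ifn1title' => '"Article" <1>',
    'ifn1url'   => 'http://www.example.com',
    'ifn1desc'  => "Tom & Jerry's \"Test Description\"",
);
echo build_results($sample), "\n";
```

The browser decodes the outer layer of entities when it renders the textarea, so the user copies a snippet whose field values are still escaped once.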