Thread: $_GET & $HTTP_GET_VARS return different results (PHP Language forum, PHP Programming Forums)
Hi,
Hoping someone can help. I have a SQL query which is passed to the script via the URL, like this:

&stmt=select%20*%20from%20table%20where%20(%20status!='Closed'%20.....

If I look at $_GET['stmt'], this gives:

select * from tickets where ( status=''Closed'' ......

If I look at $HTTP_GET_VARS['stmt'], this gives:

select * from tickets where ( status=\'Closed\' ......

To get the query back again I run it through stripslashes(); however, obviously this has no effect on the $_GET['stmt'] variable.

So to my question: why am I getting differing results? I believed that the two variables were always the same. Why is the ' not being escaped with a \???

I am running PHP 5.0.3 on Apache. Would appreciate some enlightenment, as I am beginning to pull my hair out. I only have this problem with SQLite queries; MySQL queries are escaped correctly in $_GET['stmt'].

Thanks in advance
Chris
*** Chris Cox wrote (Thu, 03 Mar 2005 01:02:30 +0000):

> I have a sql query which is passed to the
> script via the url, this is like:-
>
> &stmt=select%20*%20from%20table%20where%20(%20status!='Closed'%20.....

So that the user can manually rewrite the URL to "&stmt=DELETE%20FROM%0table"?

> If I look at $_GET['stmt'], this gives:-
> select * from tickets where ( status=''Closed'' ......
> If I look at $HTTP_GET_VARS['stmt'], this gives:-
> select * from tickets where ( status=\'Closed\' ......

Check this page: http://www.php.net/magic_quotes

If you cannot disable magic quotes for the whole server, try to either disable it for your script or detect it and unescape if necessary. Magic quotes are evil.

Also, back up your database often; it'll get hacked pretty soon if you don't change your design :)

--
-+ Álvaro G. Vicario - Burgos, Spain
+- http://www.demogracia.com (the humor website varnished for outdoor use)
++ Send your questions to the group, not to my mailbox
--
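One way to implement the "detect it and unescape if necessary" advice above, and to remove the reason the script needed it in the first place, as an added example that is not code from either poster. It assumes PHP with the PDO SQLite driver available, and a hypothetical `status` URL parameter and `tickets` table in place of passing the whole statement in &stmt=.

```php
<?php
// Added example (not from the thread): normalise request data whether or not
// magic_quotes_gpc is on, then run the query with a bound parameter instead of
// shipping SQL text in the URL. Assumes PHP 5 with the PDO SQLite driver.

/**
 * Recursively undo magic_quotes_gpc escaping so the script always sees the
 * raw value, regardless of how the server is configured.
 */
function unmagic($value)
{
    if (is_array($value)) {
        return array_map('unmagic', $value);
    }
    return stripslashes($value);
}

// Only strip when the server actually added the slashes; otherwise
// stripslashes() would eat legitimate backslashes typed by the user.
if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
    $_GET    = array_map('unmagic', $_GET);
    $_POST   = array_map('unmagic', $_POST);
    $_COOKIE = array_map('unmagic', $_COOKIE);
}

// The URL now carries only the data (the status to exclude), never SQL text.
// 'status' and the 'tickets' table are hypothetical names for this example;
// the original thread passed the whole statement in &stmt=.
$status = isset($_GET['status']) ? $_GET['status'] : 'Closed';

$db = new PDO('sqlite:tickets.db');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

// Prepared statement: a quote inside the value can no longer change the
// query structure, so neither manual escaping nor magic quotes are needed.
$stmt = $db->prepare('SELECT * FROM tickets WHERE status != :status');
$stmt->execute(array(':status' => $status));

foreach ($stmt->fetchAll(PDO::FETCH_ASSOC) as $row) {
    // Escape on output as well, since the value came from the request.
    echo htmlspecialchars($row['status'], ENT_QUOTES, 'UTF-8'), "\n";
}
```

With the statement fixed in the script and only the value bound, the $_GET versus $HTTP_GET_VARS escaping difference stops mattering, because the value is never spliced into SQL text.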