I shared a few emails with a reader last week that concerned an interesting issue with ColdFusion POSTs (form submissions) to PHP code. I thought I'd share what we found and see if anyone else has seen this behavior as well. PHP developers are welcome to post their comments as well, although I know it's hard times for them with their language dieing and all that. Anyhoo....

The reader, Anthony, created a simple ColdFusion page to perform a POST and return the result:

<cfhttp method="POST" url="http://test.local/test.php"> <cfhttpparam type="formField" name="msg" value="I \ am"> </cfhttp> <cfoutput>#cfhttp.filecontent#</cfoutput>

Note the \ in the string passed to the msg form field.

His PHP page did:

<?php echo $_POST['msg']; ?>

I modified his ColdFusion code to also perform the same POST to a ColdFusion page. That page did:

<cfoutput>#form.msg#</cfoutput> <cfdump var="#getHTTPRequestData()#">

It isn't exactly the same as the PHP code. I output the form variable as well as the HTTP request structure.

So what happens? PHP outputs:

I \\ am

ColdFusion outputs:

I \ am

So, err, what the heck? According to the docs, all values sent in the POST are URLEncoded. I know that ColdFusion automatically decodes URL parameters, so I assume its doing it for Form vars as well which would explain why it had no problem displaying form.msg, but PHP showed it escaped.

I tried setting encoding=false on the cfhttpparam tag but it didn't help any in PHP. I then looked up "URLDecode" in PHP. I wasn't too optimistic about this as: I \ am didn't look like a normal URL encode. PHP does in fact have such a function, but it didn't help.

Finally I tried one more thing. I URLEncoded the value myself:

<cfhttpparam type="formField" name="msg" value="#urlEncodedFormat('I \ am')#" encoded="true" >

and decoded it in PHP:

<?php echo urldecode($_POST['msg']); ?>

And that worked. But then Anthony came back to me with the real answer. Apparently PHP has a feature called Magic Quotes. It automatically escapes this stuff because it assumes you are sending it to a database. ColdFusion will also auto escape strings, but it's smart enough to only do it when actually inserting into a database. Apparently this is something being removed from PHP, and Anthony wrote up on a note on this at his site: Knowledge Base: Backslashses are inserted before certain characters when my bot replies

So as I said earlier - what the heck?!?! I don't do much work with PHP, and when I have, it wasn't integrated with ColdFusion, but I assume this is expected behavior? Anyone else run into this?