I shared a few emails with a reader last week that concerned an interesting issue with ColdFusion POSTs (form submissions) to PHP code. I thought I'd share what we found and see if anyone else has seen this behavior as well. PHP developers are welcome to post their comments as well, although I know it's hard times for them with their language dying and all that. Anyhoo....
The reader, Anthony, created a simple ColdFusion page to perform a POST and return the result:
<cfhttp method="POST" url="http://test.local/test.php">
<cfhttpparam type="formField" name="msg" value="I \ am">
</cfhttp>
<cfoutput>#cfhttp.filecontent#</cfoutput>
Note the \ in the string passed to the msg form field.
His PHP page did:
<?php
echo $_POST['msg'];
?>
I modified his ColdFusion code to also perform the same POST to a ColdFusion page. That page did:
<cfoutput>#form.msg#</cfoutput>
<cfdump var="#getHTTPRequestData()#">
It isn't exactly the same as the PHP code. I output the form variable as well as the HTTP request structure.
So what happens? PHP outputs:
I \\ am
ColdFusion outputs:
I \ am
So, err, what the heck? According to the docs, all values sent in the POST are URLEncoded. I know that ColdFusion automatically decodes URL parameters, so I assume it's doing it for Form vars as well, which would explain why it had no problem displaying form.msg, but PHP showed it escaped.
I tried setting encoding=false on the cfhttpparam tag but it didn't help any in PHP. I then looked up "URLDecode" in PHP. I wasn't too optimistic about this as: I \ am didn't look like a normal URL encode. PHP does in fact have such a function, but it didn't help.
Finally I tried one more thing. I URLEncoded the value myself:
<cfhttpparam type="formField" name="msg" value="#urlEncodedFormat('I \ am')#" encoded="true">
and decoded it in PHP:
<?php
echo urldecode($_POST['msg']);
?>
And that worked. But then Anthony came back to me with the real answer. Apparently PHP has a feature called Magic Quotes. It automatically escapes this stuff because it assumes you are sending it to a database. ColdFusion will also auto escape strings, but it's smart enough to only do it when actually inserting into a database. Apparently this is something being removed from PHP, and Anthony wrote up a note on this at his site: Knowledge Base: Backslashses are inserted before certain characters when my bot replies
So as I said earlier - what the heck?!?! I don't do much work with PHP, and when I have, it wasn't integrated with ColdFusion, but I assume this is expected behavior? Anyone else run into this?
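An added example (not code from the original post) that reproduces both results above on current PHP, where magic quotes no longer exists: addslashes() stands in for the magic_quotes_gpc escaping, and stripslashes() is the receiving-side fix mentioned in the comments. It assumes the urlEncodedFormat() plus encoded="true" workaround put the value on the wire URL-encoded twice; the function names are hypothetical.

```php
<?php
// Added example, not code from the original post. addslashes() stands in for
// magic_quotes_gpc, which escaped ', ", \ and NUL in request data the same way.

// What the PHP script was handed: form decoding first, then magic quotes.
function receive_form_field(string $wireValue, bool $magicQuotes): string
{
    $decoded = urldecode($wireValue);
    return $magicQuotes ? addslashes($decoded) : $decoded;
}

// Receiving-side fix: remove the added slashes once, and only if they were
// added. On a runtime that still has the feature, pass get_magic_quotes_gpc().
function undo_magic_quotes($value, bool $magicQuotes)
{
    if (!$magicQuotes) {
        return $value;
    }
    if (is_array($value)) {
        return array_map(function ($v) {
            return undo_magic_quotes($v, true);
        }, $value);
    }
    return stripslashes($value);
}

$msg = 'I \\ am'; // the post's test value: I, one backslash, am

// Case 1: value URL-encoded once on the wire, as in the first cfhttp test.
// urldecode() finds no %xx sequences in what PHP hands over, so it cannot
// remove the doubled backslash; stripslashes() can.
$once = rawurlencode($msg);
$seen = receive_form_field($once, true);
printf("once:  php sees [%s], urldecode [%s], stripslashes [%s]\n",
    $seen, urldecode($seen), undo_magic_quotes($seen, true));

// Case 2: value URL-encoded twice (assumed effect of the workaround). PHP's
// form decoding leaves only %xx text, so the escaping step has no backslash
// to act on; the script's own urldecode() then restores the original value.
$twice = rawurlencode($once);
$seen = receive_form_field($twice, true);
printf("twice: php sees [%s], urldecode [%s]\n", $seen, urldecode($seen));
```

In the second case the string the script ends up with was never escaped at all, which is why escaping on input cannot stand in for escaping at the point of the database query.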
Archived Comments
http://us.php.net/magic_quotes
Magic quotes has been discouraged since php 4, and in most hosted php installations it is disabled by default.
I'm pretty sure php is going to die any day though, because people HATE free stuff... :D
You may also want to consider: http://us.php.net/stripslashes
As was stated, they're going away in the next version. Shops that code PHP seriously have already turned them off.
PHP had a lot of features built in that tried to prevent bad coders from shooting themselves in the feet. They're slowly righting the ship.
For some reason, a default install of MAMP has magic quotes enabled by default.