I shared a few emails with a reader last week that concerned an interesting issue with ColdFusion POSTs (form submissions) to PHP code. I thought I'd share what we found and see if anyone else has seen this behavior as well. PHP developers are welcome to post their comments as well, although I know it's hard times for them with their language dieing and all that. Anyhoo....
The reader, Anthony, created a simple ColdFusion page to perform a POST and return the result:
1 <cfhttp method="POST" url="http://test.local/test.php">
2 <cfhttpparam
3 type="formField" name="msg" value="I \ am">
4 </cfhttp>
5 <cfoutput>#cfhttp.filecontent#</cfoutput>
Note the \ in the string passed to the msg form field.
His PHP page did:
2 <cfhttpparam
3 type="formField" name="msg" value="I \ am">
4 </cfhttp>
5 <cfoutput>#cfhttp.filecontent#</cfoutput>
1 <?php
2 echo $_POST['msg'];
3 ?>
I modified his ColdFusion code to also perform the same POST to a ColdFusion page. That page did:
2 echo $_POST['msg'];
3 ?>
1 <cfoutput>#form.msg#</cfoutput>
2 <cfdump var="#getHTTPRequestData()#">
It isn't exactly the same as the PHP code. I output the form variable as well as the HTTP request structure.
So what happens? PHP outputs:
2 <cfdump var="#getHTTPRequestData()#">
ColdFusion outputs:I \\ am
So, err, what the heck? According to the docs, all values sent in the POST are URLEncoded. I know that ColdFusion automatically decodes URL parameters, so I assume its doing it for Form vars as well which would explain why it had no problem displaying form.msg, but PHP showed it escaped. I tried setting encoding=false on the cfhttpparam tag but it didn't help any in PHP. I then looked up "URLDecode" in PHP. I wasn't too optimistic about this as: I \\ am didn't look like a normal URL encode. PHP does in fact have such a function, but it didn't help. Finally I tried one more thing. I URLEncoded the value myself:I \ am
1 <cfhttpparam type="formField" name="msg" value="#urlEncodedFormat('I
2 \ am')#" encoded="true" >
and decoded it in PHP:
2 \ am')#" encoded="true" >
1 <?php
2 echo urldecode($_POST['msg']);
3 ?>
And that worked. But then Anthony came back to me with the real answer. Apparently PHP has a feature called Magic Quotes. It automatically escapes this stuff because it assumes you are sending it to a database. ColdFusion will also auto escape strings, but it's smart enough to only do it when actually inserting into a database. Apparently this is something being removed from PHP, and Anthony wrote up on a note on this at his site: Knowledge Base: Backslashses are inserted before certain characters when my bot replies
So as I said earlier - what the heck?!?! I don't do much work with PHP, and when I have, it wasn't integrated with ColdFusion, but I assume this is expected behavior? Anyone else run into this?
2 echo urldecode($_POST['msg']);
3 ?>
Comment 1 written by Cory McHugh on 26 June 2009, at 9:22 AM
Magic quotes has been discouraged since php 4, and in most hosted php installations it is disabled by default.
I'm pretty sure php is going to die any day though, because people HATE free stuff... :D
Comment 2 written by Fred on 26 June 2009, at 10:14 AM
As was stated, they're going away in the next version. Shops that code PHP seriously have already turned them off.
PHP had a lot of features built in that tried to prevent bad coders from shooting themselves in the feet. They're slowly righting the ship.
Comment 3 written by Anthony on 26 June 2009, at 12:06 PM