Rogue slashes

This was a regression that came out with a particular release of PHP. I documented it here.

Submitted content ends up with garbage quotes and backslashes : \"\\ "\\\\ etc. A magic_quotes_gpc issue

Can anyone post the exact PHP version & date that you are seeing this on? It should have been fixed upstream in the update released here
http://people.canonical.com/~ubuntu-security/cve/2012/CVE-2012-0831.html

thank you to everyone who posted. My site(s) are on Hostmonster as well, and the magic quotes trick worked for me as well.

can't say thank you enough.

Six years with Bluehost and Never had a problem with them until now... Thanks you guys for the quick help. I'm wondering how do you realized how to fix the problem????

See page

Submitted content ends up with garbage quotes and backslashes : \"\\ "\\\\ etc. A magic_quotes_gpc issue
http://drupal.org/node/1437998

Ok, I finally received an email from someone with a little more authority at Hostmonster. In all fairness, I thought I would post their response here. I'm still probably going to get a better (more expensive) host as soon as I am able to, but I wanted to make sure to say that prior to this episode, I received fantastic support from Hostmonster, considering they are a low-budget shared hosting platform. I just can't afford to have something like this happen again. I'm at the stage in my business where I need a VPN at minimum, where I control the upgrades. Here is the response I received today, after many, many blunders along the way:

Here is the first email I sent to Hostmonster, this was after an extremely unsatisfactory call to tech support, and several rants on twitter, which finally got their attention and response. I was asked to please submit a detailed support request through the interface, so they could track it better than a phone call:

Today I received a call from a friend, asking for help with his Drupal 6 site (premiereventconcepts.net). He had been updating content (which has been done at least four times in the past week). He had saved updates four or five times in the previous minutes. At 11:44 EST (according to his log file) he saved it again, and all of his apostrophes were being escaped, like this: That\'s Not Right.

He tried to delete the apostrophes, but they showed back up. He deleted the content entirely, then recreated it with a different title, same problem. He tried to update a different piece of content. Same result. When the data is being written to the database, the \ is being put in. He called me, I verified these steps for him, then proceeded to check a Drupal 7 site on the same server. Same result. I had been working on that site earlier in the day, and it wasn't happening then. I then proceeded to check another project of mine on a DIFFERENT account (fouronefourproductions.com), which is running Drupal 7.12, and I just built last week. I had updated content earlier today with no issues, and have not run any updates or downloaded any new code since Monday. It has the same problem. Every time I update or create content (CRUD functions), the apostrophes are escaped. I realized at this point that it was time to call support. I called support, was put on hold for 10 minutes, and when the person came back, I was told that nothing had been updated and it was a Drupal issue.

Here's the problem with that. At 11:34 EST, content was being updated on two different hostmonster accounts (not just two websites, but two accounts) that are running two DIFFERENT versions of Drupal. One is the latest version, one is not. There were no issues. At 11:44 EST, \ started showing up on two different hostmonster accounts, even though no code updates or other back-end changes had been made. Only content added to the MySQL database. That's it. I don't see how it could possibly be a "drupal" issue when something works perfectly, is not changed, and ten minutes later it no longer does, across multiple hostmonster accounts. I explained this all to your support person and was brushed off.

I would have totally understood the response "I can't find anything wrong right now, but I've notified my superiors and we are looking into it." The response: "We didn't make any changes so it must be a drupal issue" after receiving EXACLTY the same explanation I've just given in this email, right down to "the code base has not changed" and "two separate accounts are affected" (I've confirmed a third since then.)

Overall, I've been extremely happy with Hostmonster Support, especially considering you are a lower-end shared hosting company. That's why I've had an account with you since 2007. That's why I've set up 19 clients on hostmonster servers. I wasn't expecting the problem to be fixed over the phone call, considering the problem just happened 20 minutes before, but I wasn't expecting to be told "it's a Drupal problem" either. Especially when I had gone through the confirmation I had prior to the phone call. Assuming your clients are idiots is bad enough. Communicating that to them this way is just really bad for customer support.

Later in the afternoon, after finding the solution here, I called Hostmonster back and told them again what had happened, and how to fix it. I also asked them to cancel my support request, they said they would.

Later that evening, I received the following email:

I apologize for the trouble you've been having.

I have done a little testing and found that this is being caused by a setting called "magic quotes gpc" which can be enabled/disabled using the php.ini file.

Try changing

magic_quotes_gpc = On

to

magic_quotes_gpc = Off

in your public_html/php.ini file and let me know if this solves the problem for you.

I laughed a little and emailed them back:

This was the issue. I talked to about 30 other blue host and hostmonster customers using Drupal who had the same issue online. We had come up with that as well. Any idea why that happened?

Tech Support's response:

Hello,

It seems to have something to do with the way Drupal is handling escapes however its not something that was caused by Hostmonster.

Which set me over the edge:

Really? Wow. So you are saying that on Friday morning, when everything worked perfectly, even though I didn't change anything in the Drupal codebase at all, didn't update anything, didn't add anything, somehow, magically, my codebase changed? Because if you didn't change settings, run an update, or something, then that means Drupal employs magic fairies that arbitrarily change code bases.

This response you just gave me here has cemented the fact that I will be looking for another host provider.

Also, please see this information regarding why the issue belongs to a php release: http://drupal.org/node/1437998

And this issue, where it was fixed: http://people.canonical.com/~ubuntu-security/cve/2012/CVE-2012-0831.html

I have also found reports that this issue is not isolated to Ubuntu php.

The point is, no one thinks you guys did anything WRONG... but the issue was absolutely CAUSED by some upgrade you did. It may be a problem with Drupal, but If its working one minute, and nothing is changed, and not working the next, and this is confirmed across multiple accounts, installations, and over 40 users... why in the world would you try to claim that nothing you did caused it? It makes you look stupid. No one wants stupid tech support.

Finally, I got the following response from them:

I can't apologize enough for this situation that has occurred here. YES there was an UPGRADE done on OUR END. We did a bunch of upgrades and changes to PHP 5.2.17 and PHP 5.3.10

http://code.google.com/p/php52-backports/

as a reference as to part of what we did on our centOS 6 servers.

I have yet to get the admin responsible for the upgrades to confirm exactly how this would have affected sites post-upgrade for those who had or didn't have magic_quotes_gpc set to off. (as he was not in at the time of this ticket response)

That being said, I am sorry that our front line of support failed you in the support that we offered you.

What I can say is...this has been brought to the attention of our supervisors and those responsible for disseminating information out to us, so things like this don't occur in the future.

Unfortunately I am unable to make guarantee's in said support, and in the future, if you find you are getting pushback from our level 1 techs, maybe have them either transfer you to a L2 scripting tech (If this is a call in) or move the ticket to the L2 scripting queue. Or our L3 techs.

They usually have the most up to date information on what has been upgraded, changed, etc... that could possibly be affecting your site.

I know this more then likely doesn't repair the relationship between us. I just didn't want you to think that all support here had gone downhill and degraded, if you are still resolved in leaving us.

Despite our hangups and our growing pains, I still feel we are a better shared hosting company then most other offerings.

We are always trying to improve and fix our issues. Even though it may not appear that way.

As far as the last two paragraphs of that email go, I agree. I do think Hostmonster provides great support for a shared host. But it doesn't matter. I need better. I was told by four, count them FOUR different people in Tech Support that NO changes had been made to any of my three servers, in spite of any reasonable argument to the contrary. At least two of them checked with superiors while I was on the phone. One left me on hold for 15 minutes, then came back and told me that it was a Drupal problem, nothing they had done. This was after he had spent 10 minutes on the phone with me convinced it was a MySQL problem. I know very little about servers, or coding, and I knew (it was the first question out of my mouth) that this had been caused by a php upgrade. Its the only thing that made sense. The fact that, basically, this tech had a superior tell him to say that to me is just... severely disrespectful.

So, if you have non mission-critical sites that are perfect for Shared Hosting, for the most part Hostmonster is a great place for you to be. If your site can't afford this kind of thing... You shouldn't be on shared hosting anyway. I've learned my lesson.