[RESOLVED] Accessing Session Variables


mrwilson
05-12-2008, 11:48 AM
I am passing a variety of session variables successfully, but my problem is that when outputting session variables, they always have ' ' around them. Example from the welcome page after registering through a form:

Registration Date 5/12/2008
Thank you 'Bill' 'Bunsonburner', you are now registered.
We welcome you to Work At Home. An email is being sent to 'press@lunarcafe.com' with comfirmation of regisration
Your user name is 'mortimer' and your password is 'corrina333'
(this is all bogus info) The date above is a session variable with no ' ' around it. The rest of the variables have the ' '. How do I get rid of the ' '?

The code from the form page is simple enough
<?php
session_start();
$_SESSION['user']= $_POST['user'];
$_SESSION['first_name'] = $_POST['first_name'];
$_SESSION['last_name'] = $_POST['last_name'];
$_SESSION['email'] = $_POST['email'];
$_SESSION['company'] = $_POST['company'];
$_SESSION['pass'] = $_POST['pass'];
$_SESSION['date'] = $_POST['date'];
$_SESSION['logon_date'] = $_POST['logon_date'];

?>
The form data is not shown, it's just a normal HTML form. This is header information.
There is a form handling page in between that runs the form data through reg expressions, verifies the data and does the magic quotes thing, then inserts the data into a database.


The code from the welcome page (example above output) is probably overkill but still quite simple:



$com = $_SESSION['company'];
$first = $_SESSION['first_name'];
$last = $_SESSION['last_name'];
$mal = $_SESSION['email'];
$use = $_SESSION['user'];
$pas = $_SESSION['pass'];
$date = $_SESSION['date'];
$ldate = $_SESSION['logon_date'];

print "<div id=\"header\">";
print "<h1>Welcome $com";
print "</h1></div>";

print "<div id=\"content\">";
print "Registration Date $ldate <br />";
print "Thank you $first $last, you are now registered.<br />";
print "We welcome you to Work At Home. An email is being sent to $mal with comfirmation of regisration<br />";
print "Your user name is $use and your password is $pas <br />";

Everything works, it's just the annoying punctuation that shows up. Any ideas? Thanks for reading.

svidgen
05-12-2008, 12:26 PM
You might just need to use print_r every now and then to determine when the quotes are being added. For example, use
print "<pre>\n";
print_r($_POST);
print "</pre>\n";
right after you print the BODY tag to verify the condition of the POST data. Then, maybe immediately before displaying the data, use
print "<pre>\n";
print_r($_SESSION);
print "</pre>\n";
to verify that the data is being tainted before it is interpolated. Assuming the first print_r shows good data and the second shows bad data, throw a few more print_r statements around (using $_SESSION) before/after some statements that modify/use $_SESSION.

Maybe someone else sees something obvious that we're both missing. But, it's probably best to narrow the problem down to a block or line of code that's tainting the data. In this case, repeatedly calling print_r on that data is probably the quickest way to track the problem down.

mrwilson
05-12-2008, 12:33 PM
Thanks Jon, I will give that a shot right now

mrwilson
05-12-2008, 01:08 PM
Discovered the problem! First, thank you very much for your suggestions. I am leaving the print_r in 'just in case'.

The problem was a function:

function check_input($value)
{
    // Stripslashes
    if (get_magic_quotes_gpc())
    {
        $value = stripslashes($value);
    }
    // Quote if not a number
    if (!is_numeric($value))
    {
        // These literal single quotes end up inside the value itself
        $value = "'" . mysql_real_escape_string($value) . "'";
    }
    return $value;
}

If you notice the last line, on each side of the real escape string there is a " ' ". I removed the ' and bingo, all my problems went away.

Thanks again, much appreciated

svidgen
05-12-2008, 01:10 PM
Cool, I'm happy you found it [so quickly].
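
The quotes in this thread came from SQL-context quoting being applied to values that were later kept in the session and printed as HTML. As an added example (not code from the thread), the PHP below keeps the raw value, stores it with a bound parameter, and escapes for HTML only at output. It assumes the pdo_sqlite extension; the users table, save_user(), h() and check_input_quoted() are hypothetical names, and addslashes() stands in for mysql_real_escape_string().

```php
<?php
// Added example, not code from the thread. Sample inputs are constructed;
// the table name and the helper names are hypothetical.

/** The thread's pattern: SQL quoting baked into the value itself. */
function check_input_quoted(string $value): string
{
    // Stand-in for mysql_real_escape_string(), which needs a live MySQL link.
    return is_numeric($value) ? $value : "'" . addslashes($value) . "'";
}

/** Store with a bound parameter: the value is never quoted or escaped by hand. */
function save_user(PDO $db, string $first): void
{
    $stmt = $db->prepare('INSERT INTO users (first_name) VALUES (:first)');
    $stmt->execute([':first' => $first]);
}

/** Escape for the HTML context only at the point of output. */
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES, 'UTF-8');
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (first_name TEXT)');

// Constructed inputs: a plain name, one with an apostrophe, one with markup.
foreach (['Bill', "O'Brien", '<b>Bill</b>'] as $raw) {
    save_user($db, $raw);
    $stored = $db->query('SELECT first_name FROM users ORDER BY rowid DESC LIMIT 1')
                 ->fetchColumn();

    // What the welcome page showed: SQL quoting leaking into displayed text.
    echo 'quoted for SQL, then shown:  ', check_input_quoted($raw), PHP_EOL;
    // Raw value kept in the session, escaped only when written into HTML.
    echo 'raw kept, escaped on output: ', h($raw), PHP_EOL;
    // The bound parameter stores exactly what the user typed.
    echo 'round-trips through the DB:  ', var_export($stored === $raw, true), PHP_EOL;
}
```

Run it with the PHP command-line interpreter; each input prints the quoted form seen on the welcome page next to the HTML-escaped form of the untouched value.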