php mysql retain \ in data typed

Posted: Fri Jun 03, 2011 12:21 pm
by cjkeane
hi everyone.

i'm trying to figure out how to retain slashes typed in form fields which are saved into a mysql database.
for e.g. if \\ is typed, \\ is saved. if \ is typed, \ is saved.

i'm stumped. any helpful hints?

Code:

<?php
function safe($var)
{
    $pattern = '/&(#)?[a-zA-Z0-9]{0,};/';   // matches an HTML entity such as &amp; or &#39;

    if (is_array($var)) {                     // If variable is an array
        $out = array();                       // Set output as an array
        foreach ($var as $key => $v) {
            $out[$key] = safe($v);            // Run safe() on every element, keeping the keys
        }
    } else {
        $out = $var;
        // Decode already-encoded entities so they are not encoded a second time.
        // Stop once a pass changes nothing (an entity htmlspecialchars_decode()
        // does not know would otherwise loop forever).
        while (preg_match($pattern, $out) > 0) {
            $decoded = htmlspecialchars_decode($out, ENT_QUOTES);
            if ($decoded === $out) {
                break;
            }
            $out = $decoded;
        }
        // Trim, escape for a MySQL string literal, then HTML-encode the result
        $out = htmlspecialchars(mysql_real_escape_string(trim($out)), ENT_QUOTES, 'UTF-8', true);
    }

    return $out;
}
?>

Re: php mysql retain \ in data typed

Posted: Fri Jun 03, 2011 5:48 pm
by Jonah Bron
8O

For a string, mysql_real_escape_string() by itself is quite sufficient. And htmlspecialchars() is for output, not input.

Re: php mysql retain \ in data typed

Posted: Mon Jun 06, 2011 3:09 pm
by cjkeane
thanks for the insight. i'm now using the following:

Code:

<?php
function safe($str)
{
    // Strip HTML tags, encode the rest as entities, trim whitespace
    $str = trim(htmlentities(strip_tags($str)));
    // Undo the slashes magic_quotes adds, if it is enabled
    if (get_magic_quotes_gpc()) {
        $str = stripslashes($str);
    }
    // Escape for use inside a MySQL string literal
    $str = mysql_real_escape_string($str);
    return $str;
}
?>
and on the form side of things:

Code:

<?php
$FullName = safe($_POST['FullName']);
?>
as the initial value of the form field, i have

Code:

<?php echo $FullName; ?>
when data is saved and echo'd back, i am still having \ duplicated. do you have any further insight for me?

thanks.

Re: php mysql retain \ in data typed

Posted: Mon Jun 06, 2011 5:50 pm
by Jonah Bron
Here's what you do.

This is how you get the POST data.

Code:

$FullName = $_POST['FullName'];
Here is how you save it to a database.

Code:

mysql_query('query here "' . mysql_real_escape_string($FullName) . '"');
And this is how you output it:

Code:

echo htmlspecialchars($FullName);
mysql_real_escape_string() is meant to stop SQL injection. Htmlspecialchars is meant to stop Cross-Site-Scripting (XSS). For this situation, you don't need anything else. If you want to trim() it, that's fine, but it doesn't make your application more secure. If you want to strip HTML tags, you can do that if you want. That's for if you don't want any HTML in the string.
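The three steps above (get, store, output), rewritten as an added example that is not code from this thread: PDO prepared statements stand in for mysql_real_escape_string(), which was removed in PHP 7, and an in-memory SQLite database (pdo_sqlite extension assumed) stands in for MySQL so it runs offline; the form value is constructed inline.

```php
<?php
// Added example, not code from the thread: get, store and output a value
// containing backslashes with one escaping step per sink and nothing applied
// to the variable itself. SQLite in-memory replaces MySQL here; the same
// prepare/execute code works unchanged against a MySQL DSN.

// Step 1: take the raw value. No escaping belongs here.
// Constructed stand-in for $_POST: contains a single \, a double \\, tags and quotes.
$post = ['FullName' => 'one \ two \\\\ three <b>&</b> "q"'];
$fullName = $post['FullName'];

// Step 2: store it. A bound parameter travels separately from the SQL text,
// so no quoting or backslash escaping is needed and nothing gets doubled.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE people (id INTEGER PRIMARY KEY, full_name TEXT NOT NULL)');
$insert = $db->prepare('INSERT INTO people (full_name) VALUES (:name)');
$insert->execute([':name' => $fullName]);

// Read it back: what was typed is what was stored.
$stored = $db->query('SELECT full_name FROM people')->fetchColumn();
echo ($stored === $fullName) ? "stored intact\n" : "stored value changed\n";

// Step 3: escape only at the HTML sink, and only once. Backslashes are not
// HTML-special, so they pass through; < > & " ' become entities.
$forHtml = htmlspecialchars($stored, ENT_QUOTES, 'UTF-8');
echo '<input type="text" name="FullName" value="' . $forHtml . '">', "\n";

// Decoding the encoded form gives back the stored string, i.e. the browser
// shows exactly the backslashes the user typed.
echo (htmlspecialchars_decode($forHtml, ENT_QUOTES) === $stored) ? "round trip ok\n" : "mismatch\n";
```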

Re: php mysql retain \ in data typed

Posted: Thu Jun 09, 2011 11:57 am
by social_experiment
cjkeane wrote:when data is saved and echo'd back, i am still having \ duplicated. do you have any further insight for me?
stripslashes() would remove the extra slash.

Re: php mysql retain \ in data typed

Posted: Fri Jun 10, 2011 11:13 am
by Apollo
cjkeane wrote:thanks for the insight. i'm now using the following:

Code:

<?php
function safe($str)
{
...etc
It's been more or less pointed out already, but if you use one generic "safe" function like this, you're making a big (but common) mistake. Strings from or for exactly WHAT are supposed to be made safe here??

Consider this: Stripping tags from input (GET or POST) strings, or escaping strings to put them in SQL queries, or converting special characters to html entities to put them in HTML output, are three completely different things.