Addslashes and stripslashes problem.

Posted: Fri Mar 03, 2006 1:31 pm
by ron_j_m
What I have is a form that allows a user to input text or html.
The form data is saved to a config file.
The problem comes when a user wants to use a backslash " \ ".
When I use stripslashes it removes the backslash.
Here is an example of what I am doing:

Code:

//GET RID OF MAGIC QUOTES
if (get_magic_quotes_gpc()) { 
$_POST = array_map('stripslashes', $_POST); 
}

//GET POST DATA
if (isset($_POST['content'])){
$content=$_POST['content'];}

if (isset($_POST['content2'])){
$content2=$_POST['content2'];}

//TURN POST DATA INTO ARRAY
$config = array(
     'content'=>$content,
     'content2'=>$content2
                        );

//ADDSLASHES
$config = array_map('addslashes', $config);

//WRITE CONFIG DATA TO CONFIG FILE.......
foreach //blablabla.......
It seems to work fine, adding the slashes correctly, but when I display the form any intentional backslashes are gone.

Code:

<textarea name="content" cols="50" rows="5" id="content"><?php echo htmlentities(stripslashes($content));?></textarea>
So if I put: Hello, my name is "Ron" \
into the form only Hello, my name is "Ron" is returned. No backslash.

Any ideas as to why this happens and some way to fix it?
Thanks
Ron

Posted: Fri Mar 03, 2006 2:00 pm
by sheila
You don't need to stripslashes when you echo the content.

Posted: Fri Mar 03, 2006 2:41 pm
by ron_j_m
If a single quote is inserted into the form and I don't use stripslashes then the single quote returns with the backslash.

Example:
My name is 'Ron'. My name is "Ron" \

Saves to config file:
My name is \'Ron\'. My name is \"Ron\" \\

Returns when echoed:
My name is \'Ron\'. My name is "Ron" \

Any Ideas?

Posted: Fri Mar 03, 2006 2:56 pm
by Gambler
Saves to config file:
My name is \'Ron\'. My name is \"Ron\" \\
Why do you need extra slashes in config file?

Posted: Fri Mar 03, 2006 3:05 pm
by ron_j_m
If I don't escape quotes it will throw errors.
So for example if something like this was entered into the form:
<font color="black">

It will produce this error:
Parse error: parse error, unexpected T_STRING in /config.php on line 10

Ron

Posted: Fri Mar 03, 2006 3:21 pm
by jmut

Code:

if (get_magic_quotes_gpc()) {
   $_REQUEST = array_strip_slashes($_REQUEST);
   $_GET = array_strip_slashes($_GET);
   $_POST = array_strip_slashes($_POST);
  
   set_magic_quotes_runtime(0);
}


function array_strip_slashes($arr)
{
   if (!is_array($arr)) return stripslashes($arr);

   foreach ($arr as $key => $value) {
      // Recurse so nested arrays are stripped too
      // (array_walk discards the callback's return value)
      $arr[$key] = array_strip_slashes($value);
   }

   return $arr;
}
Try with this code.
Basically the problem I think is you forget to set set_magic_quotes_runtime(0); so that when you are adding slashes you are sure they don't take effect also (hence adding_slash twice).

Posted: Fri Mar 03, 2006 3:52 pm
by ron_j_m
Nope same problem.

Still when I echo out $content using stripslashes it will strip out any intentional backslashes ( \ )
example form data input: 'hello' \
example with stripslashes echo: 'hello'

and when I echo without stripslashes it displays the intentional backslash properly but it leaves in the backslash before a quote.
example form data input: 'hello' \
example without stripslashes echo: \'hello\' \

Any other ideas?
Ron

Posted: Fri Mar 03, 2006 4:41 pm
by ron_j_m
I found this in the php manual pages
It should be of note that if you are stripping slashes to get rid of the slashes added by magic_quotes_gpc then it will also remove slashes from \. This may not seem that bad but if you have someone enter text such as 'testing\' with a slash at the end, this will cause an error if not corrected. It's best to strip the slashes, then add a slash to every single slash using $text = str_replace('\\', '\\\\', $text);
It seems to be working but it just seems odd that this is how it has to be done.
I wish there were some other options.

Ron

Posted: Fri Mar 03, 2006 4:47 pm
by feyd
It might be more how it's used... as I've never had to do that to "fix" an issue with stripslashes being overzealous.

Posted: Fri Mar 03, 2006 7:38 pm
by sheila
ron_j_m wrote:If I don't escape quotes it will throw errors.
So for example if something like this was entered into the form:
<font color="black">

It will produce this error:
Parse error: parse error, unexpected T_STRING in /config.php on line 10

Ron
Have you tried defining the 'quote_style' parameter in htmlentities?

Code:

<?php echo htmlentities($content, ENT_QUOTES);
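
The round trip this thread is about (form text written into an included config.php and read back), as an added example that is not code from any poster. It uses var_export() in place of addslashes()/stripslashes(); the sample input, the temp file standing in for config.php, and the helper names undo_magic_quotes, write_config and read_config are assumptions made for illustration.

```php
<?php
// Constructed sample input (stands in for $_POST): quotes, a trailing backslash, markup, a dollar sign.
$input = [
    'content'  => 'My name is \'Ron\'. My name is "Ron" \\',
    'content2' => '<font color="black"> costs $5',
];

// Undo magic quotes exactly once, and only where the setting exists and is on (PHP < 5.4).
function undo_magic_quotes($value)
{
    if (!function_exists('get_magic_quotes_gpc') || !@get_magic_quotes_gpc()) {
        return $value;
    }
    return is_array($value) ? array_map('undo_magic_quotes', $value) : stripslashes($value);
}

// var_export() emits a valid single-quoted PHP literal: only ' and \ are escaped,
// and nothing inside single quotes is interpolated. addslashes() is not a PHP-literal
// escaper: it leaves $ alone, which a double-quoted literal would still expand,
// and it adds \' which a double-quoted literal keeps as two characters.
function write_config($path, array $config)
{
    $php = "<?php\nreturn " . var_export($config, true) . ";\n";
    return file_put_contents($path, $php, LOCK_EX) !== false;
}

// include evaluates the literal, so values come back byte-for-byte:
// no stripslashes() on read.
function read_config($path)
{
    return include $path;
}

$path = tempnam(sys_get_temp_dir(), 'cfg');   // hypothetical stand-in for config.php
write_config($path, undo_magic_quotes($input));
$config = read_config($path);
unlink($path);

// Compare what was read back with what was submitted.
var_dump($config === $input);

// Escape for HTML only at output time; ENT_QUOTES also encodes single quotes.
echo '<textarea name="content">',
     htmlentities($config['content'], ENT_QUOTES, 'UTF-8'),
     '</textarea>', "\n";
```

Because the stored value is never run through stripslashes(), a backslash the user typed survives, and the only escaping applied on display is htmlentities().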