Addslashes and stripslashes problem.
Posted: Fri Mar 03, 2006 1:31 pm
by ron_j_m
What I have is a form that allows a user to input text or html.
The form data is saved to a config file.
The problem comes when a user wants to use a backslash " \ ".
When I use stripslashes it removes the backslash.
Here is an example of what I am doing:
Code:
    //GET RID OF MAGIC QUOTES
    if (get_magic_quotes_gpc()) {
        $_POST = array_map('stripslashes', $_POST);
    }
    //GET POST DATA
    if (isset($_POST['content'])) {
        $content = $_POST['content'];
    }
    if (isset($_POST['content2'])) {
        $content2 = $_POST['content2'];
    }
    //TURN POST DATA INTO ARRAY (keys are the field names)
    $config = array(
        'content' => "$content",
        'content2' => "$content2"
    );
    //ADDSLASHES
    $config = array_map('addslashes', $config);
    //WRITE CONFIG DATA TO CONFIG FILE.......
    //foreach blablabla.......
It seems to work fine, adding the slashes correctly, but when I display the form any intentional backslashes are gone.
Code:
    <textarea name="content" cols="50" rows="5" id="content"><?php echo htmlentities(stripslashes($content));?></textarea>
So if I put: Hello, my name is "Ron" \
into the form only Hello, my name is "Ron" is returned. No backslash.
Any ideas as to why this happens and some way to fix it?
Thanks
Ron
Posted: Fri Mar 03, 2006 2:00 pm
by sheila
You don't need to stripslashes when you echo the content.
Posted: Fri Mar 03, 2006 2:41 pm
by ron_j_m
If a single quote is inserted into the form and I don't use stripslashes then the single quote returns with the backslash.
Example:
My name is 'Ron'. My name is "Ron" \
Saves to config file:
My name is \'Ron\'. My name is \"Ron\" \\
Returns when echoed:
My name is \'Ron\'. My name is "Ron" \
Any Ideas?
Posted: Fri Mar 03, 2006 2:56 pm
by Gambler
Saves to config file:
My name is \'Ron\'. My name is \"Ron\" \\
Why do you need extra slashes in config file?
Posted: Fri Mar 03, 2006 3:05 pm
by ron_j_m
If I don't escape quotes it will throw errors.
So for example if something like this was entered into the form:
<font color="black">
It will produce this error:
Parse error: parse error, unexpected T_STRING in /config.php on line 10
Ron
Posted: Fri Mar 03, 2006 3:21 pm
by jmut
Code:
    if (get_magic_quotes_gpc()) {
        $_REQUEST = array_strip_slashes($_REQUEST);
        $_GET = array_strip_slashes($_GET);
        $_POST = array_strip_slashes($_POST);
        set_magic_quotes_runtime(0);
    }

    function array_strip_slashes($arr)
    {
        if (!is_array($arr)) return stripslashes($arr);
        foreach ($arr as $key => $value) {
            if (is_array($value)) {
                // recurse: array_walk() would discard the stripped values
                $arr[$key] = array_strip_slashes($value);
            } else {
                $arr[$key] = stripslashes($value);
            }
        }
        return $arr;
    }
Try with this code.
Basically the problem I think is you forget to set set_magic_quotes_runtime(0); so that when you are adding slashes you are sure they don't take effect also (hence adding_slash twice).
Posted: Fri Mar 03, 2006 3:52 pm
by ron_j_m
Nope same problem.
Still when I echo out $content using stripslashes it will strip out any intentional backslashes ( \ )
example form data input: 'hello' \
example with stripslashes echo: 'hello'
and when I echo without stripslashes it displays the intentional backslash properly but it leaves in the backslash before a quote.
example form data input: 'hello' \
example without stripslashes echo: \'hello\' \
Any other ideas?
Ron
Posted: Fri Mar 03, 2006 4:41 pm
by ron_j_m
I found this in the php manual pages
It should be of note that if you are stripping slashes to get rid of the slashes added by magic_quotes_gpc then it will also remove slashes from \. This may not seem that bad but if you have someone enter text such as 'testing\' with a slash at the end, this will cause an error if not corrected. It's best to strip the slashes, then add a slash to every single slash using $text = str_replace('\\', '\\\\', $text);
It seems to be working but it just seems odd that this is how it has to be done.
I wish there were some other options.
Ron
Posted: Fri Mar 03, 2006 4:47 pm
by feyd
It might be more how it's used... as I've never had to do that to "fix" an issue with stripslashes being overzealous.
Posted: Fri Mar 03, 2006 7:38 pm
by sheila
ron_j_m wrote: If I don't escape quotes it will throw errors.
So for example if something like this was entered into the form:
<font color="black">
It will produce this error:
Parse error: parse error, unexpected T_STRING in /config.php on line 10
Ron
Have you tried defining the 'quote_style' parameter in htmlentities?
Code:
    <?php echo htmlentities($content, ENT_QUOTES);
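
Added example, not part of the thread or any poster's code: a round trip through a PHP config file showing where the backslash gets lost, next to a var_export() based write that returns the value unchanged. It assumes config.php stores each value as a double-quoted string literal; the function names, temp files and sample string are constructed for the illustration.

```php
<?php
// Added example, not code from the thread. Assumption: config.php stores each
// value as a double-quoted PHP string literal (consistent with the output above).

// Constructed sample input, as it looks once magic quotes have been undone.
$input = 'My name is \'Ron\'. My name is "Ron" \\';

// The thread's approach: addslashes() into a double-quoted literal.
function write_addslashes($file, $value) {
    file_put_contents($file, '<?php $content = "' . addslashes($value) . '";');
}

// Alternative: var_export() emits a single-quoted literal and escapes only
// \ and ', so the value comes back byte for byte and nothing in it is
// interpolated (addslashes() leaves $ alone inside double quotes).
function write_var_export($file, $value) {
    file_put_contents($file, '<?php $content = ' . var_export($value, true) . ';');
}

function read_config($file) {
    include $file;   // defines $content in this function's scope
    return $content;
}

function report($label, $got, $want) {
    echo $label, ': ', ($got === $want ? 'matches input' : 'differs'), ' -> ', $got, "\n";
}

$f1 = tempnam(sys_get_temp_dir(), 'cfg');
$f2 = tempnam(sys_get_temp_dir(), 'cfg');

write_addslashes($f1, $input);
$a = read_config($f1);
// PHP decodes \" and \\ in a double-quoted literal but keeps \' as written.
report('addslashes, raw', $a, $input);
// stripslashes() then fixes \' and also eats the lone intentional backslash.
report('addslashes, stripslashes', stripslashes($a), $input);

write_var_export($f2, $input);
$b = read_config($f2);
report('var_export, raw', $b, $input);

// Display: HTML-encode only, no stripslashes().
echo '<textarea name="content">', htmlspecialchars($b, ENT_QUOTES), "</textarea>\n";

unlink($f1);
unlink($f2);
```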