Problem with stripslashes()

Posted: Tue Jul 25, 2006 7:54 am
by sejf83
Hi all,

I have a form that posts variables to a processing page. On the processing page, I am making the posted variables into $_SESSION variables so that I can prefill the form and return the user to it in case there are submission errors. I am running the following code to process the posted variables:

Code:

function clean($input, $maxlength)
{
    $input = substr($input, 0, $maxlength);
    $input = EscapeShellCmd($input);
    return ($input);
}

// Get and clean the user inputs
$fileTitle = clean($_POST["fileTitle"], 50);
$fileDesc = clean($_POST["fileDesc"], 1000);

//Create an array to hold the form variables in case there is a submission error
$_SESSION["formVars"]["fileTitle"] = $fileTitle;
$_SESSION["formVars"]["fileDesc"] = $fileDesc;

if (empty($_SESSION["formVars"]["fileTitle"]))
    $_SESSION["formErrors"]["fileTitle"] = "<span>You must give the document a title</span>\n";

if (empty($_SESSION["formVars"]["fileDesc"]))
    $_SESSION["formErrors"]["fileDesc"] = "<span>You must provide a description of the file</span>";

// Send the user back to the form if any field failed validation
if (!empty($_SESSION["formErrors"]))
{
    header("Location: addFile.php");
    exit; // stop processing once the redirect header has been sent
}

If the user is returned to the form, I am running the following code to prefill the form fields with the values he/she originally entered:

Code:

<?php
//Define a function to process form errors
function fieldError($fieldName, $formErrors)
{
   if(isset($_SESSION[$formErrors][$fieldName]))
      echo "<span>".$_SESSION[$formErrors][$fieldName]."</span><br />";
}
?>

<form name="addFile" action="addFileProcess.php" method="post" enctype="multipart/form-data">
<table cellspacing="10">
<tr>
<td>File title:</td>
<td><?php echo fieldError("fileTitle", "formErrors");?><input name="fileTitle" type="text" size="40" maxlength="50" value="<?php echo stripslashes($_SESSION["formVars"]["fileTitle"]);?>"></td>
</tr>
<tr>
<td>File description:</td>
<td><?php echo fieldError("fileDesc", "formErrors");?>
<textarea name="fileDesc" cols="32" rows="8"><?php echo stripslashes($_SESSION["formVars"]["fileDesc"]); ?></textarea></td>
</tr>
</table>
</form>

<?php  
unset($_SESSION["formVars"]);
unset($_SESSION["formErrors"]);
?>

The problem is that stripslashes() is not stripping the backslashes added with the "clean" function. I can't figure out where I am going wrong, as the function works fine on values pulled from a database.

Can anyone help? Here is a link to my phpinfo() page...

http://lab.slais.ucl.ac.uk:8036/~p100saj/check.php

Thanks.

Posted: Tue Jul 25, 2006 8:13 am
by MarK (CZ)
As I look in the documentation, EscapeShellCmd() doesn't seem to be the best option, since it escapes all these characters: #&;`|*?~<>^()[]{}$\, \x0A and \xFF.

Why do you actually want to escape it? I think that $_SESSION variables don't have to be escaped.

Posted: Tue Jul 25, 2006 8:14 am
by choppsta
Your PHP configuration has magic_quotes_gpc on. This means all your $_GET, $_POST and $_COOKIE variables automatically have slashes added to them. You're then using escapeshellcmd() which then adds some more slashes. Therefore when you strip slashes you're left with one set of slashes.

This highlights exactly why magic_quotes_gpc is a bad idea because it gets very confusing!!
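
The double escaping described in the post above, reproduced as an added example (not code from the thread): addslashes() stands in for magic_quotes_gpc, and the names thread_pipeline, clean_raw, for_html and the $magicQuotes flag are hypothetical. The second half shows one alternative: keep the raw value, cap its length on the server, and escape only when printing into HTML.

```php
<?php
// Added example. magic_quotes_gpc is emulated with addslashes() because the
// setting no longer exists in current PHP. The sample input is constructed.

// What the thread's clean() does to a value magic quotes already escaped.
function thread_pipeline(string $raw, int $maxlength): string
{
    $posted = addslashes($raw);               // emulates magic_quotes_gpc = On
    $posted = substr($posted, 0, $maxlength); // server-side length cap
    return escapeshellcmd($posted);           // second, shell-oriented escaping
}

// Alternative: undo magic quotes exactly once, cap the length, store raw.
// $magicQuotes is a hypothetical flag the caller sets from its own config.
function clean_raw(string $posted, int $maxlength, bool $magicQuotes): string
{
    if ($magicQuotes) {
        $posted = stripslashes($posted);
    }
    return substr($posted, 0, $maxlength);
}

// Escape for the context the value is printed into: an HTML attribute
// or textarea body, not a shell command line.
function for_html(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES, 'UTF-8');
}

$raw = "Bob's report";                        // constructed sample input

// Thread's approach: two layers of backslashes go into the session,
// one stripslashes() call on the way out removes only one of them.
$stored = thread_pipeline($raw, 50);
echo "stored in session:  ", $stored, "\n";
echo "after stripslashes: ", stripslashes($stored), "\n";

// Alternative: the session holds the text as typed; escaping happens at output.
$clean = clean_raw(addslashes($raw), 50, true);
echo "raw value:          ", $clean, "\n";
echo "printed into form:  ", for_html($clean), "\n";
```

On a Unix-like host the first pair of lines still shows a backslash in front of the apostrophe after stripslashes(); the second pair shows the text as typed and its HTML-escaped form.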

Posted: Tue Jul 25, 2006 8:21 am
by jayshields
Instead of your clean() function, why not set the maxlength attribute in your HTML form inputs, and then just use mysql_real_escape_string() on the POST'd data?

Posted: Tue Jul 25, 2006 9:13 am
by MarK (CZ)
You really can't depend on maxlength attribute, any html can be changed by user.
Input checking must take place at least on server, clientside test is optional..

Posted: Tue Jul 25, 2006 9:53 am
by sejf83
Perhaps I could strip all of the slashes with a str_replace instead?

I keep generating an error with this code:

Code:

str_replace("\", "", $_SESSION["formVars"]["fileDesc"]);

How can I replace the slashes with nothing? Or is that possible?

Posted: Tue Jul 25, 2006 9:55 am
by Benjamin
This would solve your problem..

Code:

foreach ($_POST as $key => $value)
{
    $_POST[$key] = stripslashes($value);
}

Placed at the top of your scripts..

Posted: Tue Jul 25, 2006 11:45 am
by sejf83
Hmm...that didn't help.

Posted: Tue Jul 25, 2006 11:54 am
by jayshields
MarK (CZ) wrote: You really can't depend on maxlength attribute, any html can be changed by user.
Input checking must take place at least on server, clientside test is optional..

What do you mean HTML can be changed by any user? Ok, the user could make an HTML form which sends the data to your script, this data could be too long for your script to handle, and will produce errors if the database field it's being put in is too small to hold it. What would the user gain from doing that?

You are correct in stating that validation should take place at least on the server, I'm not disputing that.

Posted: Wed Jul 26, 2006 6:05 am
by MarK (CZ)
Let the db field be eg. TEXT. It can hold up to 2^16 - 1 characters, so it probably won't produce any error, just fill your db with some unwanted crap.. Always better to check what you get.

Posted: Wed Jul 26, 2006 6:11 am
by Benjamin
jayshields wrote: Ok, the user could make a HTML form which sends the data to your script, this data could be too long for your script to handle, and will produce errors if the database field it's being put in is too small to hold it.

MySQL would just truncate it, without throwing an error.