
mysql_real_escape_string

Posted: Sat Mar 03, 2007 2:11 pm
by psychotomus
When I insert the following

Code:

<a href="http://www.amateurmatch.com/index.php?ainfo=NTczMXwxN3wzMg==&atcc=1" target="_top">
            <img src="http://www.datinggold.com/show.banner.php?bid=32" width="468" height="60" border="0"></a>    

using

Code:

mysql_real_escape_string
it comes out like this

Code:

<a href=\"http://www.amateurmatch.com/index.php?ainfo=NTczMXwxN3wzMg==&atcc=1\" target=\"_top\">
            <img src=\"http://www.datinggold.com/show.banner.php?bid=32\" width=\"468\" height=\"60\" border=\"0\"></a>
How do I fix this?

Posted: Sat Mar 03, 2007 2:17 pm
by feyd
Sounds like you have Magic quotes on.

Using get_magic_quotes_gpc(), selectively call stripslashes() on the data first.
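
The double escaping described in this thread, as an added example that is not part of any post: addslashes() stands in for what magic_quotes_gpc did to request data, and an in-memory SQLite database through PDO (needs the pdo_sqlite extension) stands in for MySQL. The helper undo_magic_quotes(), the banners table and the sample markup are assumptions made for the illustration.

```php
<?php
// Constructed sample input, shortened from the banner markup in the question.
$html = '<a href="http://example.test/?a=1" target="_top">banner</a>';

// What the script would see in $_POST with magic_quotes_gpc = On:
// every quote and backslash already carries an extra backslash.
$received = addslashes($html);

// Hypothetical helper: undo magic quotes only when they were applied.
function undo_magic_quotes(string $value, bool $magicQuotesOn): string
{
    return $magicQuotesOn ? stripslashes($value) : $value;
}

// Store a value and read it back, so we see exactly what the database kept.
function store_and_read(PDO $db, string $value): string
{
    $db->exec('DELETE FROM banners');
    // The bound parameter plays the role of the database-layer escaping step.
    $stmt = $db->prepare('INSERT INTO banners (code) VALUES (:code)');
    $stmt->execute([':code' => $value]);
    return $db->query('SELECT code FROM banners')->fetchColumn();
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE banners (code TEXT)');

// Broken path: the magic-quote backslashes are ordinary data to the database
// layer, so they are preserved and come back out with the markup.
$broken = store_and_read($db, $received);

// Fixed path: remove the magic-quote backslashes first, then let the
// database layer do the only escaping that is applied.
$fixed = store_and_read($db, undo_magic_quotes($received, true));

echo "broken: $broken\n";
echo "fixed:  $fixed\n";
var_dump($broken === $received, $fixed === $html);
```

Magic quotes were removed in PHP 5.4, so on current PHP the stripslashes() step must be skipped; applying it there would eat backslashes the user actually typed.
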

Posted: Sat Mar 03, 2007 11:08 pm
by psychotomus
Thanks Sir.

Posted: Sat Mar 03, 2007 11:18 pm
by Luke
If you search around the forums, a few members have written functions that recursively call stripslashes on the various superglobals (or whatever else you want to pass to them). I believe arborint wrote one, so search for posts by him with stripslashes() as the search term.

Posted: Sun Mar 04, 2007 12:26 am
by AKA Panama Jack
Here's one...

Code:

if (get_magic_quotes_gpc())
{
	function strip_gpc_slashes(&$array)
	{
		if (!is_array ($array))
			return;
		foreach($array as $key => $val)
			is_array( $array[$key] ) ? strip_gpc_slashes($array[$key]) : ($array[$key] = stripslashes ($array[$key]));
	}
	$gpc = array(&$_GET, &$_POST, &$_COOKIE, &$_FILES);
	strip_gpc_slashes($gpc);
}

Posted: Sun Mar 04, 2007 12:52 am
by jmut
AKA Panama Jack wrote: Here's one...

Code:

if (get_magic_quotes_gpc())
{
	function strip_gpc_slashes(&$array)
	{
		if (!is_array ($array))
			return;
		foreach($array as $key => $val)
			is_array( $array[$key] ) ? strip_gpc_slashes($array[$key]) : ($array[$key] = stripslashes ($array[$key]));
	}
	$gpc = array(&$_GET, &$_POST, &$_COOKIE, &$_FILES);
	strip_gpc_slashes($gpc);
}
It is strongly recommended not to do this recursively, as this is an easy way to crash Apache, supplying data like index.php?var=[][][][][] ... you get the idea.

Code:

// Here is a snippet you could call as the first thing in your code.

        if (get_magic_quotes_gpc()) {
            $in = array(&$_GET, &$_POST, &$_COOKIE);
            while (list($k,$v) = each($in)) {
                foreach ($v as $key => $val) {
                    if (!is_array($val)) {
                        $in[$k][$key] = stripslashes($val);
                        continue;
                    }
                    $in[] =& $in[$k][$key];
                }
            }
            unset($in);
        }

Posted: Sun Mar 04, 2007 2:26 am
by AKA Panama Jack
jmut wrote: It is strongly recommended not to do this recursively, as this is an easy way to crash Apache, supplying data like index.php?var=[][][][][] ... you get the idea.
I just entered...

http://www.testsite.com/index.php?var=[][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][]

And then entered the same thing with one 10 times larger. No crash. :) Reason? Those are not considered arrays.

And if it were possible to cause a crash using something like this then it would be just as easy using your example. :)
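
Added example, not part of any post in this thread: a non-recursive version of the slash-stripping loops above that also refuses input nested deeper than a fixed limit, so the work done per request is bounded whichever side of the recursion argument is right. The function name strip_slashes_bounded(), the limit of 16 and the sample arrays are assumptions.

```php
<?php
// Hypothetical helper: strip slashes from nested request data using an
// explicit work queue instead of recursion, with a cap on nesting depth.
function strip_slashes_bounded(array $data, int $maxDepth = 16): array
{
    // Each queue entry holds a reference to one array and its depth.
    $queue = [[&$data, 1]];
    for ($i = 0; $i < count($queue); $i++) {
        $node  = &$queue[$i][0];
        $depth = $queue[$i][1];
        if ($depth > $maxDepth) {
            throw new InvalidArgumentException(
                "input nested deeper than $maxDepth levels"
            );
        }
        foreach ($node as $key => $val) {
            if (is_array($val)) {
                // Defer the child array; it is processed on a later pass.
                $queue[] = [&$node[$key], $depth + 1];
            } elseif (is_string($val)) {
                $node[$key] = stripslashes($val);
            }
        }
        unset($node); // drop the reference before the next iteration
    }
    return $data;
}

// Constructed sample standing in for $_GET with magic quotes applied.
$sample = ['q' => 'O\\\'Reilly', 'filter' => ['tag' => 'say \\"hi\\"']];
print_r(strip_slashes_bounded($sample));

// Constructed deeply nested value: rejected instead of walked to the bottom.
$deep = 'x';
for ($n = 0; $n < 100; $n++) {
    $deep = [$deep];
}
try {
    strip_slashes_bounded(['var' => $deep]);
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";
}
```

PHP's max_input_nesting_level ini setting applies the same kind of cap when the request is parsed; the check here covers arrays that reach the function by any other route.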