stripslashes
Posted: Fri Feb 15, 2008 8:30 am
by thatsme
Hello,
$name = $desc = $mistake_message = '';   // avoid undefined-variable notices on the first visit
$act = $_POST['submit'];
if (empty($act))
    $act = 'form';
if ($act == 'post')
{
    $mistake = array();
    $name = $_POST['name'];
    $desc = $_POST['desc'];
    if (empty($name))
        array_push($mistake, 'Name is empty');
    if (empty($desc))
        array_push($mistake, 'Desc is empty');
    if (count($mistake) > 0)
    {
        $mistake_message = "<table>";
        foreach ($mistake as $m)
        {
            $mistake_message .= "<tr><td>$m</td></tr>";
        }
        $mistake_message .= "</table>";
        $act = 'form';
    }
    else
    {
        if (!get_magic_quotes_gpc)
        {
            $name = addslashes($name);
            $desc = addslashes($desc);
        }
        {
            //nothing
        }
        //insert into db
    }
}
if ($act == 'form')
{
    //if error then show these values
    $name = htmlspecialchars(stripslashes($name), ENT_QUOTES);
    $desc = htmlspecialchars(stripslashes($desc));
    echo "$mistake_message
<form method='post' action='members.php'>
<input type='text' name='name' value='$name'>
<textarea name='desc'>$desc</textarea>
<input type='submit' name='submit' value='post'>
</form>";
}
I looked at http://in.php.net/stripslashes and tried the above code. I would like to know whether any modifications have to be made to avoid problems when inserting names like O'Reilly and displaying them in the text field and in the textarea.
Thanks
Re: stripslashes
Posted: Fri Feb 15, 2008 1:24 pm
by RobertGonzalez
Are you talking about for a database insert? Yes, there will be problems with your code.
Please clarify what your intent is.
Re: stripslashes
Posted: Fri Feb 15, 2008 8:24 pm
by thatsme
Thanks for replying.
Are you talking about for a database insert? Yes, there will be problems with your code.
Please clarify what your intent is.
I am not asking about SQL injection. I am concerned with displaying the data. If I type O'Reilly's in the textarea or in the textbox and an error occurs for some reason, control comes back and shows the form. The form should display the same data I typed (it should not add an extra \, and I also observed that the characters after the ' character disappear). So I tried,
//for text
$name = htmlspecialchars(stripslashes($name), ENT_QUOTES);
//for textarea
$desc = htmlspecialchars(stripslashes($desc));
If I insert into the database, the data should be inserted correctly. In the same way, I should be able to extract that data from the database and display it in the same field (I will be using the same form for editing).
Thanks
Re: stripslashes
Posted: Sat Feb 16, 2008 1:00 am
by RobertGonzalez
You might want to check against magic quotes being on. I think the function you want is get_magic_quotes_gpc().
Re: stripslashes
Posted: Sat Feb 16, 2008 8:53 am
by thatsme
You might want to check against magic quotes being on. I think the function you want is get_magic_quotes_gpc().
I am already doing it before inserting into the database.
.....
        if (!get_magic_quotes_gpc)
        {
            $name = addslashes($name);
            $desc = addslashes($desc);
        }
        {
            //nothing
        }
        //insert into db
    }
..........
Should I do the same before displaying? Like,
if ($act == 'form')
{
    //if error then show these values
    if (get_magic_quotes_gpc) { // I am checking for magic quotes
        $name = htmlspecialchars(stripslashes($name), ENT_QUOTES);
        $desc = htmlspecialchars(stripslashes($desc));
    }
    echo "$mistake_message
<form method='post' action='members.php'>
<input type='text' name='name' value='$name'>
<textarea name='desc'>$desc</textarea>
<input type='submit' name='submit' value='post'>
</form>";
}
Re: stripslashes
Posted: Sat Feb 16, 2008 10:06 am
by RobertGonzalez
Are you adding the opening and closing parentheses at the get_magic_quotes_gpc()?
Re: stripslashes
Posted: Sat Feb 16, 2008 8:01 pm
by thatsme
Are you adding the opening and closing parentheses at the get_magic_quotes_gpc()?
No. I have modified it now. Is it OK now?
.....
        if (!get_magic_quotes_gpc()) //corrected
        {
            $name = addslashes($name);
            $desc = addslashes($desc);
        }
        {
            //nothing
        }
        //insert into db
    }
if ($act == 'form')
{
    //if error then show these values
    if (get_magic_quotes_gpc()) { // I am checking for magic quotes. Corrected code
        $name = htmlspecialchars(stripslashes($name), ENT_QUOTES);
        $desc = htmlspecialchars(stripslashes($desc));
    }
    echo "$mistake_message
<form method='post' action='members.php'>
<input type='text' name='name' value='$name'>
<textarea name='desc'>$desc</textarea>
<input type='submit' name='submit' value='post'>
</form>";
}
Re: stripslashes
Posted: Sun Feb 17, 2008 1:28 pm
by RobertGonzalez
That should work. In this case a simple test using var_dump() could give you more information than we could here.
Re: stripslashes
Posted: Mon Feb 18, 2008 1:42 am
by Mordred
1. (re: "//insert into db") Avoid using addslashes. It is inadequate for protection against SQL injection in many cases.
2. Your code will be insecure if magic_quotes is off.
3. Always specify the correct encoding in htmlspecialchars (and there's no harm in always using ENT_QUOTES as well).
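Added example, not code from the thread: the same form reworked along the lines of Mordred's three points, so that it also answers thatsme's original question (a name such as O'Reilly comes back unchanged into the text field and the textarea after a validation error, and is stored and read back without gaining or losing backslashes). Magic quotes are undone once at the top so that every later line works on the raw bytes the user typed; output escaping always uses ENT_QUOTES and an explicit charset; and the insert uses a PDO prepared statement instead of addslashes. It assumes PDO with a MySQL DSN, a table `members` with columns `name` and `descr`, and a UTF-8 page; the DSN, credentials and table are placeholders.

```php
<?php
// Added example (not from the original thread). Assumptions: PDO/MySQL,
// a table `members(name, descr)`, UTF-8 output. DSN and credentials are
// placeholders.

// 1. Undo magic_quotes_gpc once, at the top, so every later line sees the
//    raw value. get_magic_quotes_gpc() exists only on PHP < 8.0 (magic
//    quotes themselves were removed in 5.4), so guard the call.
function raw_post(string $key): string
{
    $value = isset($_POST[$key]) ? (string) $_POST[$key] : '';
    if (function_exists('get_magic_quotes_gpc') && @get_magic_quotes_gpc()) {
        $value = stripslashes($value);
    }
    return $value;
}

// 2. One escaping function for all HTML output, always with ENT_QUOTES and
//    an explicit charset (Mordred's point 3). ENT_QUOTES turns ' into
//    &#039;, so O'Reilly cannot break out of a single-quoted value='...'.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES, 'UTF-8');
}

function render_form(string $name, string $desc, array $mistakes): string
{
    $html = '';
    if ($mistakes) {
        $html .= "<table>\n";
        foreach ($mistakes as $m) {
            $html .= "<tr><td>" . h($m) . "</td></tr>\n";
        }
        $html .= "</table>\n";
    }
    $html .= "<form method='post' action='members.php'>\n"
           . "<input type='text' name='name' value='" . h($name) . "'>\n"
           . "<textarea name='desc'>" . h($desc) . "</textarea>\n"
           . "<input type='submit' name='submit' value='post'>\n"
           . "</form>\n";
    return $html;
}

// 3. Insert with a prepared statement instead of addslashes (Mordred's
//    point 1): the value travels separately from the SQL text, so a quote
//    in the data is never parsed as SQL syntax, whatever magic_quotes is set to.
function insert_member(PDO $db, string $name, string $desc): void
{
    $stmt = $db->prepare('INSERT INTO members (name, descr) VALUES (:name, :descr)');
    $stmt->execute([':name' => $name, ':descr' => $desc]);
}

$act      = raw_post('submit');
$name     = raw_post('name');
$desc     = raw_post('desc');
$mistakes = [];

if ($act === 'post') {
    if ($name === '') { $mistakes[] = 'Name is empty'; }
    if ($desc === '') { $mistakes[] = 'Desc is empty'; }
    if (!$mistakes) {
        // Placeholder DSN/credentials. Emulated prepares are turned off so
        // that the server, not the PHP driver, handles the parameters.
        $db = new PDO(
            'mysql:host=localhost;dbname=app;charset=utf8mb4', 'user', 'password',
            [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
             PDO::ATTR_EMULATE_PREPARES => false]
        );
        insert_member($db, $name, $desc);
        echo "<p>Saved.</p>";
        exit;
    }
}

// First visit, or validation failed: redisplay exactly what was typed.
echo render_form($name, $desc, $mistakes);
```

The same `h()` function serves the edit form when the row is read back: the database returns the raw O'Reilly, and escaping happens only at output, so nothing is stripped or doubled on the way in or out. The two checks worth running are a name containing `'` after a forced validation error (the field must show the quote and the text after it) and the same name inserted and selected back (no backslash in the stored value).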