stripslashes

Posted: Fri Feb 15, 2008 8:30 am
by thatsme
Hello,

Code:

$act = $_POST['submit'];

if(empty($act))
  $act = 'form';

// initialised so the form can be shown on the first visit as well
$mistake_message = '';
$name = '';
$desc = '';

if($act == 'post')
{
  $mistake = array();
  $name = $_POST['name'];
  $desc = $_POST['desc'];

  if(empty($name))
    array_push($mistake, 'Name is empty');
  if(empty($desc))
    array_push($mistake, 'Desc is empty');

  if(count($mistake) > 0)
  {
    $mistake_message = "<table>";
    foreach($mistake as $m)
    {
      $mistake_message .= "<tr><td>$m</td></tr>";
    }
    $mistake_message .= "</table>";
    $act = 'form';
  }
  else
  {
    if(!get_magic_quotes_gpc)   // no () here: this is the problem discussed later in the thread
    {
      $name = addslashes($name);
      $desc = addslashes($desc);
    }
    else
    {
      //nothing
    }

    //insert into db
  }
}

if($act == 'form')
{
  //if error then show these values
  $name = htmlspecialchars(stripslashes($name), ENT_QUOTES);
  $desc = htmlspecialchars(stripslashes($desc));

  echo "$mistake_message
<form method='post' action='members.php'>
        <input type='text' name='name' value='$name'>
        <textarea name='desc'>$desc</textarea>
        <input type='submit' name='submit' value='post'>
</form>";
}
 
I looked at http://in.php.net/stripslashes and tried the above code. I would like to know whether any modifications have to be made to avoid problems when inserting names like O'Reilly and displaying them in the text field and in the textarea.

Thanks

Re: stripslashes

Posted: Fri Feb 15, 2008 1:24 pm
by RobertGonzalez
Are you talking about for a database insert? Yes, there will be problems with your code.

Please clarify what your intent is.

Re: stripslashes

Posted: Fri Feb 15, 2008 8:24 pm
by thatsme
Thanks for replying.
Are you talking about for a database insert? Yes, there will be problems with your code.

Please clarify what your intent is.
I am not asking about SQL injection. I am concerned with displaying the data. If I type Oriely's in the textarea or in the textbox and an error occurs for some reason, control comes back and shows the form. The form should display the same data which I typed (it should not add an extra \, and I also observed that the characters after the ' character disappear). So I tried,

Code:

//for text
$name = htmlspecialchars(stripslashes($name), ENT_QUOTES);
//for textarea
$desc = htmlspecialchars(stripslashes($desc));
If I insert into the database, the data should be inserted correctly. In the same way I should be able to extract that data from the database and display it in the same field (I will be using the same form for editing).


Thanks

Re: stripslashes

Posted: Sat Feb 16, 2008 1:00 am
by RobertGonzalez
You might want to check whether magic quotes are on. I think the function you want is get_magic_quotes_gpc().

Re: stripslashes

Posted: Sat Feb 16, 2008 8:53 am
by thatsme
You might to check against magic quotes being on. I think the function you want is get_magic_quotes_gpc().
I am already doing that before inserting into the database.

Code:

.....
  if(!get_magic_quotes_gpc)
  {
    $name = addslashes($name);
    $desc = addslashes($desc);
  }
  else
  {
    //nothing
  }

  //insert into db

 }
..........
 
Should I do the same before displaying? Like,

Code:

 if($act == 'form')
 {
   //if error then show these values

   if(get_magic_quotes_gpc){ // I am checking for magic quotes
     $name = htmlspecialchars(stripslashes($name), ENT_QUOTES);
     $desc = htmlspecialchars(stripslashes($desc));
   }

   echo "$mistake_message
 <form method='post' action='members.php'>
        <input type='text' name='name' value='$name'>
        <textarea name='desc'>$desc</textarea>
        <input type='submit' name='submit' value='post'>
 </form>";
 }
 

Re: stripslashes

Posted: Sat Feb 16, 2008 10:06 am
by RobertGonzalez
Are you adding the opening and closing parentheses at the get_magic_quotes_gpc()?

Re: stripslashes

Posted: Sat Feb 16, 2008 8:01 pm
by thatsme
Are you adding the opening and closing parentheses at the get_magic_quotes_gpc()?
No. I have modified it now. Is it OK now?

Code:

 .....
 if(!get_magic_quotes_gpc())  //corrected
 {
   $name = addslashes($name);
   $desc = addslashes($desc);
 }
 else
 {
   //nothing
 }

 //insert into db

 }


if($act == 'form')
{
  //if error then show these values

  if(get_magic_quotes_gpc()){ // I am checking for magic quotes. Corrected code
    $name = htmlspecialchars(stripslashes($name), ENT_QUOTES);
    $desc = htmlspecialchars(stripslashes($desc));
  }

  echo "$mistake_message
<form method='post' action='members.php'>
        <input type='text' name='name' value='$name'>
        <textarea name='desc'>$desc</textarea>
        <input type='submit' name='submit' value='post'>
</form>";
}
 

Re: stripslashes

Posted: Sun Feb 17, 2008 1:28 pm
by RobertGonzalez
That should work. In this case a simple test using var_dump() could give you more information than we could here.

Re: stripslashes

Posted: Mon Feb 18, 2008 1:42 am
by Mordred
1. (re: "//insert into db") Avoid using addslashes. It is inadequate for protection against SQL injection in many cases.
2. Your code will be insecure if magic_quotes is off.
3. Always specify the correct encoding in htmlspecialchars (and there's no harm in always using ENT_QUOTES as well).
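To tie the thread together, here is the same form handler rewritten the way Mordred's three points suggest, and also answering the original question about redisplaying a value such as O'Reilly without a stray backslash or a truncated field. This is an added example written for this page; it is not code posted by thatsme, RobertGonzalez or Mordred. It assumes a PDO connection in $pdo and a hypothetical members table with name and description columns; the members.php action and the field names come from the thread.

```php
<?php
// Added example, not the thread's own code.
// Assumption: $pdo is an open PDO connection; the `members` table is hypothetical.

// 1. Read a POST field once and undo magic_quotes_gpc if it is on, so the
//    variable holds exactly what the user typed. The function_exists() guard
//    keeps this running on PHP versions where get_magic_quotes_gpc() is gone.
function raw_post($key)
{
    if (!isset($_POST[$key])) {
        return '';
    }
    $value = $_POST[$key];
    if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
        $value = stripslashes($value);
    }
    return $value;
}

// 2. One output-escaping helper: ENT_QUOTES and an explicit charset, always.
//    Used for both the text input and the textarea, so it does not matter
//    whether magic quotes were on or off.
function h($s)
{
    return htmlspecialchars($s, ENT_QUOTES, 'UTF-8');
}

$mistake_message = '';
$name = raw_post('name');
$desc = raw_post('desc');
$act  = (isset($_POST['submit']) && $_POST['submit'] !== '') ? $_POST['submit'] : 'form';

if ($act == 'post') {
    // Compare against '' rather than empty(): empty('0') is true in PHP.
    $mistake = array();
    if ($name === '') {
        $mistake[] = 'Name is empty';
    }
    if ($desc === '') {
        $mistake[] = 'Desc is empty';
    }

    if (count($mistake) > 0) {
        $mistake_message = '<table>';
        foreach ($mistake as $m) {
            $mistake_message .= '<tr><td>' . h($m) . '</td></tr>';
        }
        $mistake_message .= '</table>';
        $act = 'form';
    } else {
        // 3. Prepared statement instead of addslashes(): the driver keeps data
        //    separate from SQL, so O'Reilly is stored exactly as typed.
        $stmt = $pdo->prepare('INSERT INTO members (name, description) VALUES (?, ?)');
        $stmt->execute(array($name, $desc));
    }
}

if ($act == 'form') {
    // Escape on output only. The redisplayed values match what was typed:
    // no added backslash, and the quote in O'Reilly cannot end the value=''
    // attribute early because ENT_QUOTES turns it into &#039;.
    echo $mistake_message
        . "<form method='post' action='members.php'>"
        . "<input type='text' name='name' value='" . h($name) . "'>"
        . "<textarea name='desc'>" . h($desc) . "</textarea>"
        . "<input type='submit' name='submit' value='post'>"
        . "</form>";
}
```

The key change from the thread's code is that escaping is done in two separate places for two separate purposes: the database gets the raw value through a bound parameter, and the browser gets an HTML-escaped copy. Nothing depends on the magic_quotes setting any more, which is what point 2 above was warning about.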