
Auto-writing formular and "magic" quotes

Posted: Sat Oct 18, 2008 4:20 pm
by neeteex
Hello,

I've spent my day on this : trying to make a formular to auto-write on itself (one file, no DB).

It does work, but quotes make me nuts :crazy:

As long as I write text with no " or ' it's OK, but if one of those appears, I get stuck with the phrase written in the formular, no way to handle it despite all my efforts to add/strip slashes. :banghead:

This is the code :

Code:

<?php
////////////////handle with / without magic_quotes//////////////////////////////
function stripslashes_deep( $all ) //(used later for $value and $_POST)
{
    return ( is_array($all) ) ? array_map('stripslashes_deep', $all) : stripslashes($all);
}
function addslashes_deep( $all_other ) // opposite of stripslashes_deep : \ needed for comparison
{
    return ( is_array($all_other) ) ? array_map('addslashes_deep', $all_other) : addslashes($all_other);
}
//////////////// end of handling with magic_quotes//////////////////////////////

$this_script = basename($_SERVER['PHP_SELF']); // makes sure to use this script's name

if ($_POST)
{
    if ( get_magic_quotes_gpc() == 0 ) // if not already done
    {
        $_POST = array_map('addslashes_deep', $_POST); // puts \ before '
    }
    $old = '$value = array (
    "truc" => "chose",
    "feedback_message" => "If you put apostrophees here you will get stuck !");';

    $new = '$value = array (
    "truc" => "chose",
    "feedback_message" => "' . $_POST['feedback_message'] . '");'; // array key must be quoted

    // this will re-new the content of the value array in memory ($modif_content)
    $content = file_get_contents($this_script);

    if (get_magic_quotes_gpc()) // a function call, not a bare (always truthy) constant
    {
        $old = stripslashes($old); // need to wipe before comparing !
    }
    $modif_content = str_replace($old, $new, $content);

    // open and change (write) memorised string into file
    $file2 = fopen($this_script, 'w+');
    fwrite($file2, $modif_content);
    fclose($file2);

    echo "<meta http-equiv='refresh' content='0;URL=" . $this_script . "?refresh=1'>"; // reload with new values
}

$value = array (
    "truc" => "chose",
    "feedback_message" => "If you put apostrophees here you will get stuck !");

$value = array_map('stripslashes_deep', $value); // removes the \ that were written in front of '

?>
<body>
    <form method="post" action="<?php echo $this_script ?>">
        <br /><br />
        <label for="feedback_message">What is your message ?</label><br />
        <textarea name="feedback_message" id="feedback_message" cols="120" rows="4" tabindex="170"><?php echo $value['feedback_message']; ?></textarea>
        <input type="submit" value="submit"/>
    </form>
</body>

Re: Auto-writing formular and "magic" quotes

Posted: Sat Oct 18, 2008 5:21 pm
by jaoudestudios
Use htmlentities.

I use this little gem http://www.forum.jaoudestudios.com/view ... p?f=13&t=6

Re: Auto-writing formular and "magic" quotes

Posted: Sat Oct 18, 2008 5:22 pm
by requinix
It would be much, much easier if you just wrote that stuff to a text file rather than itself.

The problem is that $old in the file isn't the same $old that the script knows. The slashes get interpreted in PHP but left in place when you read the file. Rather than stripslashes from $old you have to add slashes just to the feedback_message value.

(And by the way, your code isn't safe. I can overwrite any file in the same directory as this file if I wanted to.)

Re: Auto-writing formular and "magic" quotes

Posted: Sun Oct 19, 2008 5:21 am
by neeteex
jaoudestudios wrote:Use htmlentities.

I use this little gem http://www.forum.jaoudestudios.com/view ... p?f=13&t=6
It works ! Only thing : I can only make it work if I change each variable [] [] etc., but for some reason I can't make it work, neither with

Code:

<?php   foreach($_POST as $post){
            $post = htmlentities($post, ENT_QUOTES, 'UTF-8'); // charset must be a quoted string ; $post is a copy, so $_POST is left unchanged
        }
(does nothing) nor with

Code:

<?php   $_POST = array_map('htmlentities', $_POST, ENT_QUOTES, 'UTF-8'); // extra array_map arguments must be arrays : this fails and leaves $_POST empty
 
(erases the array).

Only solution up to now was

Code:

<?php   $_POST["feedback_message"] = htmlentities($_POST["feedback_message"], ENT_QUOTES, 'UTF-8'); // a bare UTF-8 is the expression UTF - 8, i.e. -8
 
I also get a warning and don't know why (apache settings ?) :
Warning: htmlentities() [function.htmlentities]: charset `-8' not supported, assuming iso-8859-1
This is the code :

Code:

<?php
$this_script = basename($_SERVER['PHP_SELF']); // makes sure to use this script's name

if ( !empty($_POST) )
{
    echo 'processing...';

    if(get_magic_quotes_gpc())
        $_POST = array_map('stripslashes', $_POST); // undo the \ that magic quotes added

/*  foreach($_POST as $post){
        $post = htmlentities($post, ENT_QUOTES, 'UTF-8'); // $post is a copy : $_POST itself is unchanged
    }
    $_POST = array_map('htmlentities', $_POST, ENT_QUOTES, 'UTF-8'); // extra arguments must be arrays : this fails and empties $_POST
    */
    // the charset must be a quoted string : a bare UTF-8 is the expression UTF - 8, i.e. -8,
    // which is the "charset `-8' not supported" warning quoted above
    $_POST["feedback_message"] = htmlentities($_POST["feedback_message"], ENT_QUOTES, 'UTF-8');

    $old = '$value = array (
    "other_values" => "other_contents",
    "feedback_message" => "hello,");';

    $new = '$value = array (
    "other_values" => "other_contents",
    "feedback_message" => "' . $_POST["feedback_message"] . '");';

    // this will re-new the content of the value array in memory ($modif_content)
    $content = file_get_contents($this_script);
    $modif_content = str_replace($old, $new, $content);

    // open and change (write) memorised string into file
    // (file_put_contents($file2, $modif_content) did not work because it expects a file name, not a handle)
    $file2 = fopen($this_script, 'w+');
    fwrite($file2, $modif_content);
    fclose($file2);

    echo "<meta http-equiv='refresh' content='0;URL=" . $this_script . "?refresh=1'>"; // reload with new values
}
else
{
    $value = array (
    "other_values" => "other_contents",
    "feedback_message" => "hello,");
?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="fr" >
    <head>
        <title><?php echo $this_script ?></title>
        <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
    </head>
    <body>
        <form method="post" action="<?php echo $this_script ?>">
           <p>
               <label for="feedback_message">What is your message ?</label><br />
               <textarea name="feedback_message" id="feedback_message" cols="120" rows="4"><?php echo $value["feedback_message"]; ?></textarea>
               <input type="submit" value="submit"/>
           </p>
        </form>
    </body>
</html>
<?php
}
?>
 

Re: Auto-writing formular and "magic" quotes

Posted: Sun Oct 19, 2008 5:37 am
by neeteex
tasairis wrote:It would be much, much easier if you just wrote that stuff to a text file rather than itself.
I guess it would, but... let's say I like it tough. It also has advantages since I want to do several things from this sample. But if I happen to make a config.txt file in the end, I will definitely know why !
tasairis wrote: The problem is that $old in the file isn't the same $old that the script knows. The slashes get interpreted in PHP but left in place when you read the file. Rather than stripslashes from $old you have to add slashes just to the feedback_message value.
I've been trying to add and strip slashes in so many various way that I happened to figure out this was impossible for me ! The htmlentities solution seems fine.
tasairis wrote: (And by the way, your code isn't safe. I can overwrite any file in the same directory as this file if I wanted to.)
Well, this code is designed for an admin purpose, protected behind .htaccess and .htpasswd. I guess no admin will ever try to hack his own website :lol:

But on the other hand, for further use, I'd like to manage to pass my $_POST through
jaoudestudios's gem : http://www.forum.jaoudestudios.com/view ... p?f=13&t=6, would that prevent hacking ?

Unfortunately I did not succeed up to now, since $_POST is an array and jaoudestudios's gem is designed for a string. I'd appreciate help on that, since I can't figure out how to pass arguments like ENT_QUOTES and UTF-8 to it.

Re: Auto-writing formular and "magic" quotes

Posted: Sun Oct 19, 2008 5:39 am
by jaoudestudios
foreach($_POST as $post){
    $post = htmlentities($post, ENT_QUOTES, 'UTF-8');
}
Is pretty useless as you will overwrite $post which will leave you with the last value in the array!

This would be more useful...

Code:

 
foreach($_POST as $k=>$v){
   $$k = htmlentities($v, ENT_QUOTES, 'UTF-8'); // creates a variable named after each POST key (like register_globals), so the client chooses the variable names
}
 

Re: Auto-writing formular and "magic" quotes

Posted: Sun Oct 19, 2008 5:41 am
by jaoudestudios
NB: To make the data safe for a database, you must use mysql_real_escape_string. A slightly modified version of the function from before...http://www.forum.jaoudestudios.com/view ... p?f=13&t=7

Re: Auto-writing formular and "magic" quotes

Posted: Sun Oct 19, 2008 5:59 am
by neeteex
jaoudestudios wrote: This would be more useful...

Code:

 
foreach($_POST as $k=>$v){
   $$k = htmlentities($v, ENT_QUOTES, 'UTF-8');
}
 
Useful ? Well, this does not erase the post, but it seems like quotes are not handled though...

Actually, the best for me would be to find out how to use your "function db_safe" for my array "$_POST" : can you help me on that ?

Re: Auto-writing formular and "magic" quotes

Posted: Sun Oct 19, 2008 8:12 am
by neeteex
This is it ! Thanks Jaoude !

Code:

<?php
$this_script = basename($_SERVER['PHP_SELF']); // makes sure to use this script's name

if ( !empty($_POST) )
{
    echo 'processing...';
    if(get_magic_quotes_gpc())
        $_POST = array_map('stripslashes', $_POST); // undo the \ that magic quotes added

    function web_safe($data) {
        // 1. remove surrounding white space (trim)
        // 2. remove any escape slashes put in front of quotes by magic quotes (stripslashes)
        // 3. encode all special characters, i.e. double quotes, single quotes, ampersands, symbols etc. (htmlentities) - no need to decode when pulling the data back out : the browser decodes the entities
        $safe_data = htmlentities(stripslashes(trim($data)), ENT_QUOTES);
        return $safe_data;
    }
    foreach ($_POST as $k=>$v) {
        $_POST[$k] = web_safe($v);
    } // make POST safer

    $old = '$value = array (
    "other_values" => "other_contents",
    "feedback_message" => "but I'm the best");';

    $new = '$value = array (
    "other_values" => "other_contents",
    "feedback_message" => "' . $_POST["feedback_message"] . '");';

    // this will re-new the content of the value array in memory ($modif_content)
    $content = file_get_contents($this_script);
    $modif_content = str_replace($old, $new, $content);

    // open and change (write) memorised string into file
    // (file_put_contents($file2, $modif_content) did not work because it expects a file name, not a handle)
    $file2 = fopen($this_script, 'w+');
    fwrite($file2, $modif_content);
    fclose($file2);

    echo "<meta http-equiv='refresh' content='0;URL=" . $this_script . "?refresh=1'>"; // reload with new values
}
else
{
    $value = array (
    "other_values" => "other_contents",
    "feedback_message" => "but I'm the best");
?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="fr" >
    <head>
        <title><?php echo $this_script ?></title>
        <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
    </head>
    <body>
        <form method="post" action="<?php echo $this_script ?>">
           <p>
               <label for="feedback_message">What is your message ?</label><br />
               <textarea name="feedback_message" id="feedback_message" cols="120" rows="4"><?php echo $value["feedback_message"]; ?></textarea>
               <input type="submit" value="submit"/>
           </p>
        </form>
    </body>
</html>
<?php
}
?>
 

Re: Auto-writing formular and "magic" quotes

Posted: Sun Oct 19, 2008 8:27 am
by jaoudestudios
No problem :)

Re: Auto-writing formular and "magic" quotes

Posted: Mon Oct 20, 2008 2:15 am
by neeteex
Just one more step that has nothing to do with "magic quotes" but relates to the auto-writing formular : the above code seemed heavy if it was used with a big $value array. I changed it for this one, where

Code:

$value = array ( 'feedback_message' => 'hello', ) ;
 
$old = Var_export($value, true); // this gives the string definition to $value
$new = Var_export($_POST, true); //$_POST will define the new $value
But this did not work ! I can't figure out why this would be different... In the above, the "echo" shows that

Code:

str_replace($old, $new, $content);
 
should change $value = [old values] into $value = [new values] and for some reason this does not work !

<?php
$this_script = basename($_SERVER['PHP_SELF']); // makes sure to use this script's name

$value = array ( 'feedback_message' => 'hello', ) ;

if ( !empty($_POST) )
{
    echo 'processing...';
    if(get_magic_quotes_gpc())
        $_POST = array_map('stripslashes', $_POST); // undo the \ that magic quotes added

    function web_safe($data) {
        // 1. remove surrounding white space (trim)
        // 2. remove any escape slashes put in front of quotes by magic quotes (stripslashes)
        // 3. encode all special characters, i.e. double quotes, single quotes, ampersands, symbols etc. (htmlentities) - no need to decode when pulling the data back out : the browser decodes the entities
        $safe_data = htmlentities(stripslashes(trim($data)), ENT_QUOTES);
        return $safe_data;
    }
    foreach ($_POST as $k=>$v) {
        $_POST[$k] = web_safe($v);
    } // make POST safer

    echo '<br /> changing : <br />';
    // var_export() lays the array out on several lines with its own indentation,
    // so this string is not the one-line "$value = array ( ... ) ;" written above
    // and str_replace() below finds nothing to replace
    $old = var_export($value, true); // this gives the string definition of $value
    echo $old;

    echo '<br /> into : <br />';
    $new = var_export($_POST, true); // $_POST will define the new $value
    echo $new;

    // this will re-new the content of the value array in memory ($modif_content)
    $content = file_get_contents($this_script);
    $modif_content = str_replace($old, $new, $content);

    // open and change (write) memorised string into file
    // (file_put_contents($file2, $modif_content) did not work because it expects a file name, not a handle)
    $file2 = fopen($this_script, 'w+');
    fwrite($file2, $modif_content);
    fclose($file2);

    echo "<meta http-equiv='refresh' content='0;URL=" . $this_script . "?refresh=1'>"; // reload with new values
}
else
{
?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="fr" >
    <head>
        <title><?php echo $this_script ?></title>
        <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
    </head>
    <body>
        <form method="post" action="<?php echo $this_script ?>">
           <p>
               <label for="feedback_message">What is your message ?</label><br />
               <textarea name="feedback_message" id="feedback_message" cols="120" rows="4"><?php echo $value["feedback_message"]; ?></textarea>
               <input type="submit" value="submit"/>
           </p>
        </form>
    </body>
</html>
<?php
}
?>
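An added example, not code from the thread: it does what requinix suggested and keeps the editable values in a separate file instead of rewriting the script, so there is no str_replace() that has to match the old literal character for character (the last post's attempt fails because var_export() lays the array out on several lines with its own indentation and never matches the one-line `$value = array ( ... ) ;` in the source). The file name config.php, the single form field and a web-server-writable directory are assumptions.

```php
<?php
// Added example (not from the thread): keep the editable values in a separate
// config file instead of rewriting the script, as requinix suggested.
// Assumed: config.php next to this script, writable by the web server.

// Load the current values: the config file is PHP source that returns an array.
function load_config(string $path): array
{
    if (!is_file($path)) {
        return array('feedback_message' => '');
    }
    $data = include $path;
    return is_array($data) ? $data : array('feedback_message' => '');
}

// Store new values. var_export() emits valid PHP source, so quotes and
// backslashes in the text are escaped by PHP itself: no addslashes guesswork.
function save_config(string $path, array $data): void
{
    $php = "<?php\nreturn " . var_export($data, true) . ";\n";
    // Write to a temporary file, then rename: a failed write never leaves a
    // half-written config behind, and a concurrent reader never sees a partial file.
    $tmp = $path . '.tmp';
    if (file_put_contents($tmp, $php, LOCK_EX) === false || !rename($tmp, $path)) {
        throw new RuntimeException("cannot write $path");
    }
}

$config_file = __DIR__ . '/config.php';
$value = load_config($config_file);

if (isset($_POST['feedback_message'])) {
    // Take only the field we expect and store it as typed: escaping is done
    // at output time, so the stored text is not altered and cannot be escaped twice.
    $value['feedback_message'] = (string) $_POST['feedback_message'];
    save_config($config_file, $value);
    header('Location: ' . basename($_SERVER['SCRIPT_NAME']) . '?refresh=1');
    exit;
}
?>
<form method="post" action="">
    <label for="feedback_message">What is your message ?</label><br />
    <textarea name="feedback_message" id="feedback_message" cols="120" rows="4"><?php
        // Escape for HTML at output time so ", ' and < cannot break out of the textarea.
        echo htmlspecialchars($value['feedback_message'], ENT_QUOTES, 'UTF-8');
    ?></textarea>
    <input type="submit" value="submit" />
</form>
```

Because the script itself is never rewritten, the file-overwrite concern requinix raised goes away along with the quoting problem.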