Form Input => Question Inside...

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.


seodevhead
Forum Regular
Posts: 705
Joined: Sat Oct 08, 2005 8:18 pm
Location: Windermere, FL

Form Input => Question Inside...

Post by seodevhead »

Hey guys, do I need to do any escaping (like htmlentities() ) when I have a form field input re-displayed when say the user incorrectly fills something out. In other words... this is what I have:

Code:

<input type="text" name="username" size="15" maxlength="15" value="<?php
	if (isset($_POST['username'])) echo $_POST['username']; ?>" />
Should I be using htmlentities() around the $_POST['username'] variable?? Is any escaping needed when displaying input within a field form element? Thanks for your advice!
feyd
Neighborhood Spidermoddy
Posts: 31559
Joined: Mon Mar 29, 2004 3:24 pm
Location: Bothell, Washington, USA

Post by feyd »

Yes.
seodevhead
Forum Regular
Posts: 705
Joined: Sat Oct 08, 2005 8:18 pm
Location: Windermere, FL

Post by seodevhead »

I don't need to addslashes() do I? Just htmlentities right?
feyd
Neighborhood Spidermoddy
Posts: 31559
Joined: Mon Mar 29, 2004 3:24 pm
Location: Bothell, Washington, USA

Post by feyd »

addslashes() will do nothing but hurt in this case. htmlentities() is the only thing required most often.
seodevhead
Forum Regular
Posts: 705
Joined: Sat Oct 08, 2005 8:18 pm
Location: Windermere, FL

Post by seodevhead »

Thanks a ton feyd! Much obliged!
cknudsen
Forum Newbie
Posts: 3
Joined: Tue Feb 21, 2006 9:48 pm
Location: Fredericksburg, VA

stripslashes

Post by cknudsen »

Actually, if you have magic_quotes_gpc enabled in your php.ini, you may want to call stripslashes() in addition to htmlentities(). If not, then just htmlentities().
matthijs
DevNet Master
Posts: 3360
Joined: Thu Oct 06, 2005 3:57 pm

Post by matthijs »

To get rid of any slashes added if magic quotes are enabled, see the function I gave here.
You can include this in the top of every script. Then you never have to use stripslashes or addslashes anymore.

If you would like to read some more about the trouble with magic quotes (and therefore addslashes/stripslashes) see http://www.sitepoint.com/blogs/2005/03/ ... headaches/

Understanding well how and why magic quotes and functions like addslashes, stripslashes, htmlentities etc. work prevents a lot of frustration.
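Putting the thread's advice together, here is an added example (not code posted by anyone in the thread) that re-displays a submitted value inside a double-quoted attribute: it undoes magic_quotes_gpc only when that setting actually exists and is on, then escapes with htmlspecialchars() and ENT_QUOTES (htmlentities() with ENT_QUOTES does the same job for this purpose). The field name "username" and the sample input are constructed; the helper names undoMagicQuotes() and attr() are this example's own.

```php
<?php
// Undo magic_quotes_gpc if this old PHP build has it switched on, so the value
// is not shown with stray backslashes when re-displayed. get_magic_quotes_gpc()
// was removed in PHP 8, hence the function_exists() guard; the @ silences the
// deprecation notice PHP 7.4 emits for it.
function undoMagicQuotes($value)
{
    if (function_exists('get_magic_quotes_gpc') && @get_magic_quotes_gpc()) {
        return is_array($value)
            ? array_map('undoMagicQuotes', $value)
            : stripslashes($value);
    }
    return $value;
}

// Escape a value for use inside a double-quoted HTML attribute. ENT_QUOTES
// encodes both " and ', so the value can never terminate the attribute; the
// explicit charset keeps the escaping consistent with the page encoding.
function attr($value)
{
    return htmlspecialchars($value, ENT_QUOTES, 'UTF-8');
}

// Constructed sample input standing in for $_POST['username'].
$post = array('username' => 'Ann "Bo" <O\'Neil>');
$username = isset($post['username']) ? undoMagicQuotes($post['username']) : '';

// Unsafe (what the original snippet does): the first " in the value closes the
// attribute early and the rest of the input is parsed as markup.
echo '<input type="text" name="username" value="' . $username . '" />' . "\n";

// Safe: the whole value stays inside the attribute and is shown exactly as typed.
echo '<input type="text" name="username" value="' . attr($username) . '" />' . "\n";
```

The same attr() helper is what you want for every place a submitted value is echoed back into an attribute; plain text between tags needs the same escaping, and addslashes() has no role in either.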