properly unescaping $_POST and $_GET

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.

Moderator: General Moderators

philentropist
Forum Newbie
Posts: 9
Joined: Wed Jan 16, 2008 7:59 pm

properly unescaping $_POST and $_GET

Post by philentropist »

I've noticed that if a user enters a single or double quote into an HTML form that is then submitted via POST or GET to a PHP script, the quotes are escaped with a slash. Does stripslashes() properly unescape these values? If there are escape sequences that it misses or incorrectly changes, it could pose a security risk. Thanks in advance for your help, and I have posted a snippet to demonstrate the issue below.


 
<form action="<?php echo $_SERVER['PHP_SELF']; ?>" method="post">
<input name="var" value="<?php echo isset($_POST['var']) ? $_POST['var'] : ''; ?>" />
<input type="submit" />
</form>
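As an added example (not code from the original post), here is the shim a practitioner would use to undo magic quotes exactly once, and only when PHP actually applied them. The function name `strip_magic_quotes_deep` is my own; `get_magic_quotes_gpc()` and `stripslashes()` are the standard PHP functions. The constructed input at the bottom is what the form above would receive with magic quotes on.

```php
<?php
// Added example (not from the original post). Undo magic_quotes_gpc exactly once,
// and only when PHP actually applied it. Magic quotes escape ' " \ and NUL with
// addslashes() semantics, and stripslashes() is the exact inverse of addslashes(),
// so no escape sequence is missed; the real danger is calling stripslashes() when
// no slashes were added (legitimate backslashes vanish) or calling it twice.
// The better fix is to switch the feature off (php.ini: magic_quotes_gpc = Off,
// or .htaccess: php_flag magic_quotes_gpc Off); this shim is for hosts where you
// cannot. On PHP 5.4 and later the feature is gone, get_magic_quotes_gpc()
// returns false, and the shim is a no-op.

/**
 * Recursively apply stripslashes() to a value, or to every key and value
 * of an array. Keys are included because magic_quotes_gpc escaped them too.
 */
function strip_magic_quotes_deep($value)
{
    if (!is_array($value)) {
        return stripslashes($value);
    }
    $clean = array();
    foreach ($value as $key => $item) {
        $clean[stripslashes($key)] = strip_magic_quotes_deep($item);
    }
    return $clean;
}

// Run once, at the very top of the request, before any other code reads input.
if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
    $_GET     = strip_magic_quotes_deep($_GET);
    $_POST    = strip_magic_quotes_deep($_POST);
    $_COOKIE  = strip_magic_quotes_deep($_COOKIE);
    $_REQUEST = strip_magic_quotes_deep($_REQUEST);
}

if (PHP_SAPI === 'cli') {
    // Constructed sample: the raw $_POST a magic-quotes host would hand the
    // form above for the input  it's "quoted"  plus a nested key and a path.
    $constructed = array(
        "var"   => "it\\'s \\\"quoted\\\"",
        "a\\'b" => array("path" => "c:\\\\temp"),
    );
    var_dump(strip_magic_quotes_deep($constructed));
}
```

Put the shim in a file that is included before anything else touches the superglobals; running it later, after another library has already stripped the slashes, is the double-stripping case the comment warns about.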
 
kaisellgren
DevNet Resident
Posts: 1675
Joined: Sat Jan 07, 2006 5:52 am
Location: Lahti, Finland.

Re: properly unescaping $_POST and $_GET

Post by kaisellgren »

You have Magic Quotes enabled. Disable them. All they do is add slashes in front of a few characters, and they do it all transparently.

Also, your script is vulnerable to XSS.
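The XSS kaisellgren points at, with a hardened version beside it, as an added example that is not part of the reply. The posted form echoes two attacker-controlled strings raw: `$_POST['var']` and `$_SERVER['PHP_SELF']` (which carries any path info the client appends to the URL). The helper names `h` and `render_form` are my own; the escaping is the standard `htmlspecialchars()` with `ENT_QUOTES`. It assumes magic quotes are off or already undone, so there is no `stripslashes()` here.

```php
<?php
// Added example (not from kaisellgren's reply). The posted form prints two pieces
// of attacker-controlled data without escaping: $_POST['var'] and
// $_SERVER['PHP_SELF']. PHP_SELF includes whatever path info the client appended
// to the URL, e.g. /form.php/"><script>alert(1)</script>, so it needs the same
// treatment as form input. Assumes magic_quotes_gpc is Off (or already undone).

/**
 * Escape a string for HTML text or a double-quoted attribute. ENT_QUOTES converts
 * both quote styles, so the result cannot close the attribute it is placed in.
 */
function h($s)
{
    return htmlspecialchars((string) $s, ENT_QUOTES, 'UTF-8');
}

/**
 * Render the form. Inputs are parameters so the function can be exercised with
 * constructed data as well as from a live request.
 *
 * Vulnerable original (for comparison, do not use):
 *   <form action="<?php echo $_SERVER['PHP_SELF']; ?>" method="post">
 *   <input name="var" value="<?php echo $_POST['var']; ?>" />
 */
function render_form(array $post, $php_self)
{
    $var = isset($post['var']) ? $post['var'] : '';
    return '<form action="' . h($php_self) . '" method="post">' . "\n"
         . '<input name="var" value="' . h($var) . '" />' . "\n"
         . '<input type="submit" />' . "\n"
         . '</form>' . "\n";
}

if (PHP_SAPI === 'cli') {
    // Constructed attacker input: both values try to break out of the attribute.
    $evil_post = array('var' => '"><script>alert(1)</script>');
    $evil_self = '/form.php/"><script>alert(2)</script>';
    echo render_form($evil_post, $evil_self);
} else {
    echo render_form($_POST, $_SERVER['PHP_SELF']);
}
```

Run it from the command line to see the constructed payloads land inside the attribute values as `&quot;&gt;&lt;script&gt;...` rather than as live tags. Escape at the point of output, not on the way in: stripping or encoding input once for HTML breaks the same data when it later goes to SQL, a log line, or a JSON response, each of which needs its own escaping.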