properly unescaping $_POST and $_GET
Posted: Tue Mar 24, 2009 12:17 pm
I've noticed that if a user enters a single or double quote into an HTML form that is then submitted via POST or GET to a PHP script, the quotes are escaped with a slash. Does stripslashes() properly unescape these values? If there are escape sequences that it misses or incorrectly changes, it could pose a security risk. Thanks in advance for your help, and I have posted a snippet to demonstrate the issue below.
Code:
<?php
// Read the submitted value only if present, so the first (GET) load of the
// page does not raise an undefined-index notice.
$var = isset($_POST['var']) ? $_POST['var'] : '';
?>
<!-- PHP_SELF and the echoed value are both HTML-escaped: any slashes added
     by magic_quotes_gpc stay visible, but a quote in the value can no longer
     break out of the attribute. -->
<form action="<?php echo htmlspecialchars($_SERVER['PHP_SELF'], ENT_QUOTES, 'UTF-8'); ?>" method="post">
<input name="var" value="<?php echo htmlspecialchars($var, ENT_QUOTES, 'UTF-8'); ?>" />
<input type="submit" />
</form>
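An added example, not part of the original post, showing how the slash escaping described above is undone safely: magic_quotes_gpc applies addslashes() to request values, so stripslashes() is its exact inverse, and it should be applied once, recursively, and only when the setting is actually on. It assumes a PHP 5.x-era deployment; on PHP 5.4 and later the setting no longer exists and get_magic_quotes_gpc() always returns false (the function was removed in PHP 8.0), and the helper names strip_magic_quotes and magic_quotes_active are my own.

```php
<?php
// Added example (not the original poster's code). Assumes PHP 5.x with
// magic_quotes_gpc possibly enabled; on newer PHP the check simply returns false.

// magic_quotes_gpc is addslashes() applied to every GET/POST/COOKIE value:
// it escapes ' " \ and NUL with a backslash. stripslashes() reverses exactly
// that set, so it is the correct inverse. Recurse because request values
// can be nested arrays (e.g. name="var[]").
function strip_magic_quotes($value) {
    if (is_array($value)) {
        return array_map('strip_magic_quotes', $value);
    }
    return stripslashes($value);
}

// Guard with function_exists so the script also runs where the function
// has been removed; @ silences the deprecation notice on PHP 7.4.
function magic_quotes_active() {
    return function_exists('get_magic_quotes_gpc') && @get_magic_quotes_gpc();
}

// Undo the escaping once, at the top of the request, and only if it was
// applied. Stripping unconditionally would corrupt legitimate backslashes
// that the user typed (e.g. a Windows path).
if (magic_quotes_active()) {
    $_GET    = strip_magic_quotes($_GET);
    $_POST   = strip_magic_quotes($_POST);
    $_COOKIE = strip_magic_quotes($_COOKIE);
}

// Round-trip self-check on constructed input covering every character
// magic quotes touches: single quote, double quote, backslash, NUL byte.
$sample = "O'Reilly said \"hi\" C:\\path\0end";
assert(stripslashes(addslashes($sample)) === $sample);

// Unescaping input is a separate concern from escaping output. Whatever
// the raw value is, it must be HTML-escaped when echoed into an attribute,
// otherwise a value containing a double quote closes the attribute early.
function render_input($name, $value) {
    return '<input name="' . htmlspecialchars($name, ENT_QUOTES, 'UTF-8')
         . '" value="' . htmlspecialchars($value, ENT_QUOTES, 'UTF-8') . '" />';
}

$var = isset($_POST['var']) ? $_POST['var'] : '';
echo render_input('var', $var);
```

Run it with magic_quotes_gpc on and off in php.ini (or `php -d magic_quotes_gpc=1` on PHP 5.3) and the value echoed back is identical in both cases, which is the property the question is asking about.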