
properly unescaping $_POST and $_GET

Posted: Tue Mar 24, 2009 12:17 pm
by philentropist
I've noticed that if a user enters a single or double quote into an HTML form that is then submitted via POST or GET to a PHP script, the quotes are escaped with a slash. Does stripslashes() properly unescape these values? If there are escape sequences that it misses or incorrectly changes, it could pose a security risk. Thanks in advance for your help, and I have posted a snippet to demonstrate the issue below.

<form action="<?php echo $_SERVER['PHP_SELF']; ?>" method="post">
<input name="var" value="<?php echo $_POST['var']; ?>" />
<input type="submit" />
</form>
 

Re: properly unescaping $_POST and $_GET

Posted: Tue Mar 24, 2009 1:09 pm
by kaisellgren
You have Magic Quotes enabled. Disable them. All they do is add slashes in front of a few characters, and they do it all transparently.

Also, your script is vulnerable to XSS.
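
Added example, not part of either post: the snippet from the question with both points from the reply applied, so slashes are stripped only when Magic Quotes actually added them and every echoed value is escaped for HTML. The helper names `undo_magic_quotes` and `h` are hypothetical.

```php
<?php
// Added example (not code from the thread). Helper names are hypothetical.

// Undo magic_quotes_gpc if, and only if, the runtime applied it.
// Magic Quotes was removed in PHP 5.4 and get_magic_quotes_gpc() in PHP 8.0,
// so the function_exists() guard keeps this runnable on current PHP.
function undo_magic_quotes($value)
{
    if (!function_exists('get_magic_quotes_gpc') || !get_magic_quotes_gpc()) {
        return $value; // no slashes were added, so stripping would corrupt input
    }
    // Request values can be nested arrays (name="var[]"), so recurse.
    return is_array($value)
        ? array_map('undo_magic_quotes', $value)
        : stripslashes($value);
}

// Escape a value for an HTML context (element text or a quoted attribute).
// ENT_QUOTES covers both single and double quotes.
function h($value)
{
    return htmlspecialchars((string) $value, ENT_QUOTES, 'UTF-8');
}

$var = isset($_POST['var']) ? undo_magic_quotes($_POST['var']) : '';
if (is_array($var)) {
    $var = ''; // this form expects a single string, not var[]
}

// PHP_SELF reflects the request path, so it is escaped like any other input.
$action = isset($_SERVER['PHP_SELF']) ? $_SERVER['PHP_SELF'] : '';
?>
<form action="<?php echo h($action); ?>" method="post">
<input name="var" value="<?php echo h($var); ?>" />
<input type="submit" />
</form>
```

Unescaping on input and escaping on output are separate steps: `stripslashes()` only restores what the user typed, and the HTML escaping is applied at the moment the value is echoed.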