stripslashes

thatsme
Forum Commoner
Posts: 87
Joined: Sat Apr 07, 2007 2:18 am

stripslashes

Post by thatsme »

Hello,

Code:

$act = $_POST['submit'];

if (empty($act))
  $act = 'form';

// initialise these so the 'form' branch below has values on a first, empty visit
$mistake_message = '';
$name = '';
$desc = '';

if ($act == 'post')
{
  $mistake = array();
  $name = $_POST['name'];
  $desc = $_POST['desc'];

  if (empty($name))
    array_push($mistake, 'Name is empty');
  if (empty($desc))
    array_push($mistake, 'Desc is empty');

  if (count($mistake) > 0)
  {
    $mistake_message = "<table>";
    foreach ($mistake as $m)
    {
      $mistake_message .= "<tr><td>$m</td></tr>";
    }
    $mistake_message .= "</table>";
    $act = 'form';
  }
  else
  {
    if (!get_magic_quotes_gpc)
    {
      $name = addslashes($name);
      $desc = addslashes($desc);
    }
    {
      //nothing
    }

    //insert into db
  }
}

if ($act == 'form')
{
  //if error then show these values
  $name = htmlspecialchars(stripslashes($name), ENT_QUOTES);
  $desc = htmlspecialchars(stripslashes($desc));

  echo "$mistake_message
<form method='post' action='members.php'>
        <input type='text' name='name' value='$name'>
        <textarea name='desc'>$desc</textarea>
        <input type='submit' name='submit' value='post'>
</form>";
}
 
I looked at http://in.php.net/stripslashes and tried the above code. I would like to know if any modifications have to be made to avoid problems inserting names like O'reilly and displaying them in the text field and in the textarea.

Thanks
Last edited by thatsme on Fri Feb 15, 2008 9:24 pm, edited 1 time in total.
RobertGonzalez
Site Administrator
Posts: 14293
Joined: Tue Sep 09, 2003 6:04 pm
Location: Fremont, CA, USA

Re: stripslashes

Post by RobertGonzalez »

Are you talking about for a database insert? Yes, there will be problems with your code.

Please clarify what your intent is.
thatsme
Forum Commoner
Posts: 87
Joined: Sat Apr 07, 2007 2:18 am

Re: stripslashes

Post by thatsme »

Thanks for replying.
RobertGonzalez wrote:
Are you talking about for a database insert? Yes, there will be problems with your code.

Please clarify what your intent is.
I am not asking about SQL injection. I am concerned with displaying the data. If I type Oriely's in the textarea or in the textbox and an error occurs for some reason, control comes back and shows the form. In the form it should display the same data which I typed (it should not add an extra \, and I also observed that the characters after the ' character disappear). So I tried,

Code:

//for text
$name = htmlspecialchars(stripslashes($name), ENT_QUOTES);

//for textarea
$desc = htmlspecialchars(stripslashes($desc));

If I insert into the database, the data should be inserted correctly. In the same way I should be able to extract that data from the database and display it in the same field (I will be using the same form for editing).


Thanks
RobertGonzalez
Site Administrator
Posts: 14293
Joined: Tue Sep 09, 2003 6:04 pm
Location: Fremont, CA, USA

Re: stripslashes

Post by RobertGonzalez »

You might want to check against magic quotes being on. I think the function you want is get_magic_quotes_gpc().
thatsme
Forum Commoner
Posts: 87
Joined: Sat Apr 07, 2007 2:18 am

Re: stripslashes

Post by thatsme »

RobertGonzalez wrote:
You might want to check against magic quotes being on. I think the function you want is get_magic_quotes_gpc().

I am already doing it before inserting into the database.

Code:

 
..... 
 if(!get_magic_quotes_gpc)
  {
    $name = addslashes($name);
    $desc = addslashes($desc);
  }
   {
    //nothing
   }
  
  //insert into db
  
 }
..........
 
Should I have to do the same before displaying? Like,

Code:

 if($act == 'form')
 {
   //if error then show these values

    if(get_magic_quotes_gpc){ // I am checking for magic quotes
      $name = htmlspecialchars(stripslashes($name), ENT_QUOTES);
      $desc = htmlspecialchars(stripslashes($desc));
    }

   echo "$mistake_message
 <form method='post' action='members.php'>
        <input type='text' name='name' value='$name'>
        <textarea name='desc'>$desc</textarea>
        <input type='submit' name='submit' value='post'>
 </form>";
 }
 
RobertGonzalez
Site Administrator
Posts: 14293
Joined: Tue Sep 09, 2003 6:04 pm
Location: Fremont, CA, USA

Re: stripslashes

Post by RobertGonzalez »

Are you adding the opening and closing parentheses at the get_magic_quotes_gpc()?
thatsme
Forum Commoner
Posts: 87
Joined: Sat Apr 07, 2007 2:18 am

Re: stripslashes

Post by thatsme »

RobertGonzalez wrote:
Are you adding the opening and closing parentheses at the get_magic_quotes_gpc()?

No. I have modified it now. Is it OK now?

Code:

 .....
 if(!get_magic_quotes_gpc())  //corrected
 {
   $name = addslashes($name);
   $desc = addslashes($desc);
 }
 {
   //nothing
 }

 //insert into db

 }


if($act == 'form')
{
  //if error then show these values

  if(get_magic_quotes_gpc()){ // I am checking for magic quotes. Corrected code
    $name = htmlspecialchars(stripslashes($name), ENT_QUOTES);
    $desc = htmlspecialchars(stripslashes($desc));
  }

  echo "$mistake_message
<form method='post' action='members.php'>
        <input type='text' name='name' value='$name'>
        <textarea name='desc'>$desc</textarea>
        <input type='submit' name='submit' value='post'>
</form>";
}
 
RobertGonzalez
Site Administrator
Posts: 14293
Joined: Tue Sep 09, 2003 6:04 pm
Location: Fremont, CA, USA

Re: stripslashes

Post by RobertGonzalez »

That should work. In this case a simple test using var_dump() could give you more information than we could here.
Mordred
DevNet Resident
Posts: 1579
Joined: Sun Sep 03, 2006 5:19 am
Location: Sofia, Bulgaria

Re: stripslashes

Post by Mordred »

1. (re: "//insert into db") Avoid using addslashes. It is inadequate for protection against SQL injection in many cases.
2. Your code will be insecure if magic_quotes is off.
3. Always specify the correct encoding in htmlspecialchars (and there's no harm in always using ENT_QUOTES as well).
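A consolidated version of the form handler discussed in this thread, written here as an added example (it is not thatsme's code and not from php.net). It applies Mordred's three points and answers the original O'reilly question in one place: the magic-quotes slashes are removed exactly once at input, the raw value is kept both for the database and for redisplay, a PDO prepared statement replaces addslashes(), and htmlspecialchars() is called with ENT_QUOTES and an explicit UTF-8 charset for the text field and the textarea alike. The `members` table, the in-memory SQLite DSN and the helper names `rawPost()`, `h()`, `validate()`, `insertMember()` and `renderForm()` are assumptions made for this example.

```php
<?php
// Added example, not the poster's code. Assumptions: a `members` table with
// columns name and desc, and an in-memory SQLite database standing in for the
// real connection so the script runs offline.
declare(strict_types=1);

/**
 * Undo magic_quotes_gpc once, at input time, so the rest of the script sees
 * the string the user actually typed (O'Reilly, not O\'Reilly).
 * get_magic_quotes_gpc() no longer exists in PHP 8; the function_exists()
 * guard keeps the code running on both old and new interpreters.
 */
function rawPost(string $key): string
{
    $value = isset($_POST[$key]) ? (string) $_POST[$key] : '';
    if (function_exists('get_magic_quotes_gpc') && @get_magic_quotes_gpc()) {
        $value = stripslashes($value);
    }
    return $value;
}

/** Escape for HTML. ENT_QUOTES also encodes ', which the single-quoted
 *  value='...' attributes in the form depend on; the charset is explicit. */
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/** Validate, returning a list of human-readable mistakes (empty list = OK). */
function validate(string $name, string $desc): array
{
    $mistakes = [];
    if (trim($name) === '') { $mistakes[] = 'Name is empty'; }
    if (trim($desc) === '') { $mistakes[] = 'Desc is empty'; }
    return $mistakes;
}

/** Insert with a prepared statement: the values travel separately from the
 *  SQL text, so a quote in O'Reilly needs no escaping at all. */
function insertMember(PDO $pdo, string $name, string $desc): void
{
    $stmt = $pdo->prepare('INSERT INTO members (name, `desc`) VALUES (:name, :desc)');
    $stmt->execute([':name' => $name, ':desc' => $desc]);
}

/** Render the form. $name and $desc are raw strings; escaping happens here only. */
function renderForm(array $mistakes, string $name, string $desc): string
{
    $html = '';
    if ($mistakes) {
        $html .= "<table>\n";
        foreach ($mistakes as $m) {
            $html .= '<tr><td>' . h($m) . "</td></tr>\n";
        }
        $html .= "</table>\n";
    }
    $html .= "<form method='post' action='members.php'>\n"
           . "<input type='text' name='name' value='" . h($name) . "'>\n"
           . "<textarea name='desc'>" . h($desc) . "</textarea>\n"
           . "<input type='submit' name='submit' value='post'>\n"
           . "</form>\n";
    return $html;
}

// Controller glue, mirroring the thread's $act flow.
$act      = rawPost('submit') === 'post' ? 'post' : 'form';
$name     = rawPost('name');
$desc     = rawPost('desc');
$mistakes = [];

if ($act === 'post') {
    $mistakes = validate($name, $desc);
    if (!$mistakes) {
        // Placeholder connection for the example; a real deployment would
        // reuse its existing PDO instance instead of creating the table here.
        $pdo = new PDO('sqlite::memory:');
        $pdo->exec('CREATE TABLE members (name TEXT, `desc` TEXT)');
        insertMember($pdo, $name, $desc);
        echo 'Saved ' . h($name) . "\n";
        exit;
    }
    // Validation failed: fall through and redisplay exactly what was typed.
}

echo renderForm($mistakes, $name, $desc);
```

With a name of O'Reilly and an empty desc, the redisplayed field is emitted as `value='O&#039;Reilly'`, which the browser shows as O'Reilly; the "characters after ' disappear" symptom from the original post is what happens when that quote is left unescaped and closes the value attribute early. Because the raw string is never run through addslashes(), there is also nothing for stripslashes() to remove on the way back out, whether magic quotes are on or off.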