RE: [PHP] addslash/stripslashes

2001-12-19 Thread Martin Towell

When putting strings into form values (and maybe other places too), I would
advise wrapping the variable in:
htmlentities();
so this:

would become this:

and magically watch all your troubles melt away - well maybe not ALL your
troubles, but at least the trouble as mentioned below...

If you want to add PHP strings to JavaScript code, use addslashes() instead
- it's as easy as that... :)

Martin

-Original Message-
From: TD - Sales International Holland B.V. [mailto:[EMAIL PROTECTED]]
Sent: Thursday, December 20, 2001 7:41 AM
To: Don Read
Cc: [EMAIL PROTECTED]
Subject: Re: [PHP] addslash/stripslashes


On Wednesday 19 December 2001 13:12, you wrote:

"test\"" === 'test"' evals true :-)
what I don't get however, the second the var is set like
$string = "escaping \" quotes";
the backslash disappears in the variable. The backslash is no longer there 
thus so having the statement

mysql_query("insert into table values(\"$string\")"); 
would be interpreted:
mysql_query("insert into table values(\"test"\")");
in which case the quote shouldn't appear in the database cause it will see 
that as delimiter of the first one, however I think the mysql_query fixes 
this by adding a backslash to it which is interpreted by mysql again cause it
doesn't store the backslash. The only problem i still have is HTML. If i 
insert quotes into a field and retrieve them for my form like this:

the value will stop at the first quote in the string dropping the rest on the
floor since it doesn't recognize it (most likely) as a tag. So there's an
exploit there (only HTML/Javascript though not PHP) since you could insert a
field like
value">
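Added example, not part of the original posts: the form-field problem discussed in this message, with a stored value echoed into a value="..." attribute raw and then through htmlentities(). The sample string and the helper render_input() are constructed for illustration; ENT_QUOTES and the explicit charset are additions so single-quoted attributes are covered too, and the last lines show json_encode() with the JSON_HEX_* flags for the JavaScript case.

```php
<?php
// Constructed sample: a value a user typed into a text field and that was
// later read back from the database to pre-fill the form.
$stored = 'He said "hi"> <b>bold</b> & left';

// Hypothetical helper: builds the input tag, optionally escaping the value.
function render_input(string $name, string $value, bool $escape): string
{
    if ($escape) {
        // ENT_QUOTES converts both " and ' so the value cannot close the
        // attribute regardless of which quote style the template uses.
        $value = htmlentities($value, ENT_QUOTES, 'UTF-8');
    }
    return '<input type="text" name="' . $name . '" value="' . $value . '">';
}

$raw  = render_input('comment', $stored, false);
$safe = render_input('comment', $stored, true);

echo "raw : $raw\n";
echo "safe: $safe\n";

// Check what a browser would take as the attribute value in each case.
// In the raw tag the attribute ends at the first " of the data and the
// remainder is parsed as markup; in the escaped tag the only literal
// quotes are the template's own.
preg_match('/value="([^"]*)"/', $raw, $m_raw);
preg_match('/value="([^"]*)"/', $safe, $m_safe);
var_dump($m_raw[1]);
var_dump(html_entity_decode($m_safe[1], ENT_QUOTES, 'UTF-8') === $stored);

// JavaScript context: json_encode() emits a quoted JS string literal; the
// JSON_HEX_* flags also encode <, >, &, ' and " so the literal cannot
// terminate an enclosing <script> block or an HTML attribute.
$js = json_encode($stored, JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT);
echo "<script>var comment = $js;</script>\n";
```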

Re: [PHP] addslash/stripslashes

2001-12-19 Thread Don Read


On 19-Dec-2001 TD - Sales International Holland B.V. wrote:
> On Wednesday 19 December 2001 13:12, you wrote:
> 
> "test\"" === 'test"' evals true :-)
> what I don't get however, the second the var is set like
> $string = "escaping \" quotes";
> the backslash disappears in the variable. The backslash is no longer there 
> thus so having the statement
> 
> mysql_query("insert into table values(\"$string\")"); 
> would be interpreted:
> mysql_query("insert into table values(\"test"\")");
> in which case the quote shouldn't appear in the database cause it will see 
> that as delimiter of the first one, however I think the mysql_query fixes 
> this by adding a backslash to it which is interpreted by mysql again cause it
> doesn't store the backslash. The only problem i still have is HTML. If i 
> insert quotes into a field and retrieve them for my form like this:
> 
> the value will stop at the first quote in the string dropping the rest on the
> floor since it doesn't recognize it (most likely) as a tag. So there's an
> exploit there (only HTML/Javascript though not PHP) since you could insert a
> field like
> value"> here> 
> so i need to fix that. otherwise it goes fine. normally i'd understand this 
> perfectly but with all these magic quotes and the mysql functions apparently
> adding the backslashes for escaping and PHP automatically type casting of 
> variables it has become vague as hell to me :/
> 
> thanks for the help so far people, the sky is finally clearing up :-)
> 

Where possible, I'll use single quoting to avoid chasing down silly escape
errors:
mysql_query("insert into table values('$string')");

Try it. Makes life easier.

Regards,
-- 
Don Read   [EMAIL PROTECTED]
-- It is necessary for me to learn from others' mistakes. I 
   will not live long enough to make them all by myself.

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
To contact the list administrators, e-mail: [EMAIL PROTECTED]
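
Added example, not from the thread: the insert discussed above written with a bound parameter instead of string interpolation, so quotes inside $string never reach the SQL parser and no addslashes()/stripslashes() round trip is needed. It uses PDO with an in-memory SQLite database so it runs without a server (assumes the pdo_sqlite extension); the table name notes and the sample strings are constructed.

```php
<?php
// In-memory SQLite stands in for the MySQL server in the thread (assumption).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE notes (id INTEGER PRIMARY KEY, body TEXT)');

// Constructed inputs containing the characters the thread worries about.
$samples = [
    'escaping " quotes',
    "single ' quote and back\\slash",
    'O\'Brien said "ok" \\ done',
];

// The SQL text is fixed; each value travels separately as a parameter,
// so its quotes are data and never act as string delimiters.
$insert = $db->prepare('INSERT INTO notes (body) VALUES (:body)');
foreach ($samples as $string) {
    $insert->execute([':body' => $string]);
}

// Read back and compare byte for byte with what was submitted.
$stored = $db->query('SELECT body FROM notes ORDER BY id')
             ->fetchAll(PDO::FETCH_COLUMN);
foreach ($samples as $i => $string) {
    $same = ($stored[$i] === $string) ? 'yes' : 'no';
    printf("%-32s stored unchanged: %s\n", $string, $same);
}

// Contrast: interpolating the same value changes the statement itself,
// leaving an unbalanced quote in the SQL text.
$string = $samples[0];
$built  = "insert into notes values(\"$string\")";
echo "interpolated SQL: $built\n";
```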




Re: [PHP] addslash/stripslashes

2001-12-19 Thread TD - Sales International Holland B.V.

On Wednesday 19 December 2001 13:12, you wrote:

"test\"" === 'test"' evals true :-)
what I don't get however, the second the var is set like
$string = "escaping \" quotes";
the backslash disappears in the variable. The backslash is no longer there 
thus so having the statement

mysql_query("insert into table values(\"$string\")"); 
would be interpreted:
mysql_query("insert into table values(\"test"\")");
in which case the quote shouldn't appear in the database cause it will see 
that as delimiter of the first one, however I think the mysql_query fixes 
this by adding a backslash to it which is interpreted by mysql again cause it 
doesn't store the backslash. The only problem i still have is HTML. If i 
insert quotes into a field and retrieve them for my form like this:

the value will stop at the first quote in the string dropping the rest on the 
floor since it doesn't recognize it (most likely) as a tag. So there's an 
exploit there (only HTML/Javascript though not PHP) since you could insert a 
field like
value">

Re: [PHP] addslash/stripslashes

2001-12-18 Thread Michael Sims

At 09:49 PM 12/18/2001 +0100, TD - Sales International Holland B.V. wrote:
>Also I'm looking for a small feature of HTML. I know this isn't the right
>list so if you guys don't reply no hard feelings. At this moment I use meta
>to refresh (go back to the form) after entering the data, you'll see a page
>that it's succeeded (or failed for that matter) and then after 3 secs you'll
>go back to the main empty form. However, I'd like to know a way other than
>meta, since when an error occurs it can happen the HTML header is already
>printed out and thus I can't use the meta tag anymore. I was thinking about
>javascript or something but other ways are welcome since javascript can be
>disabled in the browser.

Unless I'm misunderstanding you, something like:

<?php
header("Location: http://www.php.net/");
?>

should do the trick.  No need to mess with meta refresh tags.  Have your 
form post to itself and at the top of the page do your data validation.  If 
the validation failed, set an error string and display it at the top of the 
form.  Otherwise, use the header() function to direct them to the next page 
on your site.  The only drawback is that if you need variables on the next 
page you'll have to pass them as an URL parameter...

http://www.php.net/manual/en/function.header.php


-
Michael Sims
mhsims at midsouth dot rr dot com

"The Web site you seek
Can not be located but
Countless more exist."
-






RE: [PHP] addslash/stripslashes

2001-12-18 Thread Don Read


On 18-Dec-2001 TD - Sales International Holland B.V. wrote:
> Hey there,
> 
> I was once told I need to use addslashes and stripslashes on data I get from
> the web and insert into the database. I'd like to know why?!?! See I know 
> that with other languages you could use special chars to hack/crack the 
> database, but even without add/strip slashes I can't seem to manage I 
> have a text field I inserted into the database and I entered stuff like this:
> ~!@#$%^&*()_+~!@#$%^&*()_+|\\||\[]{};:'".>, since quotes n stuff aren't nicely closed now I'd expect an error if this
> was crack/hackable however it just inserts fine without any problems whatsoever.
> I'm using PHP 4.0.6 and MySQL 4.23.43 (I think haven't checked...) Also when
> I go to the page where the data is retrieved from the database and put in 
> HTML I see EXACTLY what I entered. So it doesn't appear to me I'd need these
> add/strip slashes functions. Any comments would be greatly appreciated.
> 

Check your 'magic_quotes_gpc', it might explain it.

Regards,
-- 
Don Read   [EMAIL PROTECTED]
-- It is necessary for me to learn from others' mistakes. I 
   will not live long enough to make them all by myself.





[PHP] addslash/stripslashes

2001-12-18 Thread TD - Sales International Holland B.V.

Hey there,

I was once told I need to use addslashes and stripslashes on data I get from 
the web and insert into the database. I'd like to know why?!?! See I know 
that with other languages you could use special chars to hack/crack the 
database, but even without add/strip slashes I can't seem to manage I 
have a text field I inserted into the database and I entered stuff like this:
~!@#$%^&*()_+~!@#$%^&*()_+|\\||\[]{};:'".>,