RE: [PHP] addSlashes Question
On Wed, August 1, 2007 3:27 pm, Jay Blanchard wrote:
> [snip]
> $first = '.addslashes($_POST['firstname']).';
> $last = '.addslashes($_POST['lastname']).';
> $email = '.addslashes($_POST['email']).';
> $address = '.addslashes($_POST['address']).';
> $city = '.addslashes($_POST['city']).';
> $state = '.addslashes($_POST['state']).';
> $zip = '.addslashes($_POST['zip']).';
> $comments = '.addslashes($_POST['comments']).';
> $newsletter = '.addslashes($_POST['signup']).';
> $contact = '.addslashes($_POST['contact']).';
>
> I can understand addSlashes for the first and last name, but question the need in the other variables, please inform.
> [/snip]
>
> There is safety in numbers! While a lot of these fields may not ever contain anything that would need to be escaped, the name fields and comments field would definitely need this. Also, if this is filled out by 'external' users you do not want them to be able to enter anything (like a SQL injection attack in the comments field) that might cause a problem of some sort.
>
> Another option would be htmlentities()

addslashes is the old, wrong, not-ready-for-international-charset prime time version of http://php.net/mysql_real_escape_string

Change addslashes to that.

htmlentities is for BROWSER OUTPUT and has zip to do with validation. But you would want to use it if you were outputting the data to the browser at some later date.

And, finally, you need to escape ALL data going to MySQL because you don't KNOW that a Bad Guy isn't trying to cram all sorts of mean and evil stuff into all your fields.

--
Some people have a gift link here.
Know what I want?
I want you to buy a CD from some indie artist.
http://cdbaby.com/browse/from/lynch
Yeah, I get a buck. So?

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
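As an added example (not code from any of the posters), here is the contact-form insert from the original post done the way the replies point to: the values are handed to MySQL separately from the SQL text, and the connection charset that mysql_real_escape_string depends on is set explicitly. It goes one step past the thread by using a parameterised query; the host, credentials, table and column names are placeholders I chose.

```php
<?php
// Added example, not code from the thread: the contact-form insert from the
// original post with the values bound as parameters instead of being escaped.
// Host, credentials, table and column names below are placeholders I chose.
declare(strict_types=1);

const FORM_FIELDS = ['firstname', 'lastname', 'email', 'address', 'city',
                     'state', 'zip', 'comments', 'signup', 'contact'];

function connect(): mysqli
{
    mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // throw on errors
    $db = new mysqli('localhost', 'app_user', 'CHANGE_ME', 'app_db'); // placeholders
    // Escaping rules depend on the connection charset, so set it explicitly.
    // addslashes() knows nothing about charsets, which is why it is unsafe here.
    $db->set_charset('utf8mb4');
    return $db;
}

// Direct replacement for the addslashes() calls in the post when a query
// cannot be parameterised yet: it applies the connection's charset rules, so it
// only works on an open connection after set_charset().
function quote_for_sql(mysqli $db, string $value): string
{
    return "'" . $db->real_escape_string($value) . "'";
}

function insert_contact(mysqli $db, array $post): int
{
    // Take only the expected fields; anything else in $_POST is ignored.
    $values = [];
    foreach (FORM_FIELDS as $field) {
        $values[] = isset($post[$field]) && is_string($post[$field]) ? trim($post[$field]) : '';
    }
    // The SQL text contains no user data at all: values travel separately from
    // the statement, so quotes, backslashes or NUL bytes in any field stay data.
    $stmt = $db->prepare(
        'INSERT INTO contacts (firstname, lastname, email, address, city, state,
                               zip, comments, signup, contact)
         VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?)'
    );
    $stmt->bind_param(str_repeat('s', count($values)), ...$values);
    $stmt->execute();
    return $stmt->affected_rows;
}

$db = connect();
$rows = insert_contact($db, $_POST);
echo $rows === 1 ? "Thanks, your message was recorded.\n" : "Nothing was stored.\n";
```

quote_for_sql() is only there for code that still builds SQL strings; new code should take the insert_contact() route, where there is nothing left to escape.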
[PHP] addSlashes Question
Hi,

Engaged in cleanup project, attempting to understand the uncommented decisions of predecessors.

Inserting the following contact form values into a DB:

$first = '.addslashes($_POST['firstname']).';
$last = '.addslashes($_POST['lastname']).';
$email = '.addslashes($_POST['email']).';
$address = '.addslashes($_POST['address']).';
$city = '.addslashes($_POST['city']).';
$state = '.addslashes($_POST['state']).';
$zip = '.addslashes($_POST['zip']).';
$comments = '.addslashes($_POST['comments']).';
$newsletter = '.addslashes($_POST['signup']).';
$contact = '.addslashes($_POST['contact']).';

I can understand addSlashes for the first and last name, but question the need in the other variables, please inform.

CK
RE: [PHP] addSlashes Question
[snip]
> $first = '.addslashes($_POST['firstname']).';
> $last = '.addslashes($_POST['lastname']).';
> $email = '.addslashes($_POST['email']).';
> $address = '.addslashes($_POST['address']).';
> $city = '.addslashes($_POST['city']).';
> $state = '.addslashes($_POST['state']).';
> $zip = '.addslashes($_POST['zip']).';
> $comments = '.addslashes($_POST['comments']).';
> $newsletter = '.addslashes($_POST['signup']).';
> $contact = '.addslashes($_POST['contact']).';
>
> I can understand addSlashes for the first and last name, but question the need in the other variables, please inform.
[/snip]

There is safety in numbers! While a lot of these fields may not ever contain anything that would need to be escaped, the name fields and comments field would definitely need this. Also, if this is filled out by 'external' users you do not want them to be able to enter anything (like a SQL injection attack in the comments field) that might cause a problem of some sort.

Another option would be htmlentities()
Re: [PHP] addSlashes Question
CK wrote:
> Hi,
>
> Engaged in cleanup project, attempting to understand the uncommented decisions of predecessors.
>
> Inserting the following contact form values into a DB:
>
> $first = '.addslashes($_POST['firstname']).';
> $last = '.addslashes($_POST['lastname']).';
> $email = '.addslashes($_POST['email']).';
> $address = '.addslashes($_POST['address']).';
> $city = '.addslashes($_POST['city']).';
> $state = '.addslashes($_POST['state']).';
> $zip = '.addslashes($_POST['zip']).';
> $comments = '.addslashes($_POST['comments']).';
> $newsletter = '.addslashes($_POST['signup']).';
> $contact = '.addslashes($_POST['contact']).';
>
> I can understand addSlashes for the first and last name, but question the need in the other variables, please inform.
>
> CK

More than likely what they were trying to do is prep/escape the data for insertion into the DB. A better thing to use would be the actual DB escape function.

MySQL: http://us2.php.net/mysql_real_escape_string

Other DB implementations have similar functions.

This will escape the data for insertion into a DB, but do it on all chars that need to be escaped, where addSlashes() works on only a subset of the chars that need escaping.

--
Jim Lucas

Some men are born to greatness, some achieve greatness, and some have greatness thrust upon them.

Twelfth Night, Act II, Scene V
by William Shakespeare
Re: [PHP] addSlashes Question
On Wed, 2007-08-01 at 13:20 -0700, CK wrote:
> Hi,
>
> Engaged in cleanup project, attempting to understand the uncommented decisions of predecessors.
>
> Inserting the following contact form values into a DB:
>
> $first = '.addslashes($_POST['firstname']).';
> $last = '.addslashes($_POST['lastname']).';
> $email = '.addslashes($_POST['email']).';
> $address = '.addslashes($_POST['address']).';
> $city = '.addslashes($_POST['city']).';
> $state = '.addslashes($_POST['state']).';
> $zip = '.addslashes($_POST['zip']).';
> $comments = '.addslashes($_POST['comments']).';
> $newsletter = '.addslashes($_POST['signup']).';
> $contact = '.addslashes($_POST['contact']).';
>
> I can understand addSlashes for the first and last name, but question the need in the other variables, please inform.

ALWAYS escape user submitted data. Just because you expect a certain input doesn't mean some Mr. Malicious hasn't posted it to your form. That said, addSlashes() is insecure for database queries. You should use the database specific escape function to properly escape content that is DB bound.

Cheers,
Rob.

--
...
SwarmBuy.com - http://www.swarmbuy.com
Leveraging the buying power of the masses!
...
[PHP] addslashes Question
I have a form to modify a record in a MySQL database. The record contains this:

3" Brush

The code in question is like this:

while ($row = mysql_fetch_array($result)) {
    $desc1 = $row['desc1'];
--
<input type="text" name="desc1" value="<?php echo "$desc1"; ?>">

I've tried using addslashes to the variable in various ways and it always returns:

3\

What am I doing wrong? Sorry this is probably the 1000th time this has been asked.

Jeff Oien

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
To contact the list administrators, e-mail: [EMAIL PROTECTED]
Re: [PHP] addslashes Question
This seems to be more of an HTML problem. Form fields simply can't print out ". You need to change the " to &quot; in order for it to appear. This can be done using the function htmlspecialchars():

http://www.php.net/manual/en/function.htmlspecialchars.php

In your case:

<?php echo htmlspecialchars("$desc1"); ?>

You can test these two things to see the difference:

1. <input type="text" name="name" value="this has a &quot;">
2. <input type="text" name="name" value="this does not have a "">

// Tobias

"Jeff Oien" <[EMAIL PROTECTED]> wrote in message news:[EMAIL PROTECTED]...
> I have a form to modify a record in a MySQL database. The record contains this:
>
> 3" Brush
>
> The code in question is like this:
>
> while ($row = mysql_fetch_array($result)) {
>     $desc1 = $row['desc1'];
> --
> <input type="text" name="desc1" value="<?php echo "$desc1"; ?>">
>
> I've tried using addslashes to the variable in various ways and it always returns:
>
> 3\
>
> What am I doing wrong? Sorry this is probably the 1000th time this has been asked.
>
> Jeff Oien
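An added example (not code from Jeff or Tobias) that makes the difference visible without a browser: it renders Jeff's record value into the input tag both ways and then reads the value attribute back the way a browser would. browser_sees_value() is my own stand-in for that attribute parsing, not a real HTML parser.

```php
<?php
// Added example, not code from the thread: why addslashes() leaves "3\" in the
// form field while htmlspecialchars() shows the full value. The record value is
// the one from Jeff's post; browser_sees_value() is my own stand-in that only
// mimics how a browser reads a double-quoted value attribute, not a real parser.
declare(strict_types=1);

function field_with_addslashes(string $name, string $value): string
{
    // What the original code effectively did: SQL-style escaping inside HTML.
    return '<input type="text" name="' . $name . '" value="' . addslashes($value) . '">';
}

function field_with_htmlspecialchars(string $name, string $value): string
{
    // ENT_QUOTES also encodes single quotes, so the helper is safe in either
    // attribute quoting style; ENT_SUBSTITUTE avoids getting '' back on bad UTF-8.
    $flags = ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5;
    return '<input type="text" name="' . htmlspecialchars($name, $flags, 'UTF-8')
         . '" value="' . htmlspecialchars($value, $flags, 'UTF-8') . '">';
}

// A double-quoted attribute ends at the next '"'; character references inside
// it are decoded afterwards. That is all a browser does with value="...".
function browser_sees_value(string $html): string
{
    if (!preg_match('/\svalue="([^"]*)"/', $html, $m)) {
        return '';
    }
    return html_entity_decode($m[1], ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

$desc1 = '3" Brush'; // the database value from the post

foreach ([field_with_addslashes('desc1', $desc1),
          field_with_htmlspecialchars('desc1', $desc1)] as $html) {
    echo $html, "\n    -> the field shows: ", browser_sees_value($html), "\n";
}
```

Running it prints each tag followed by what the field would display: 3\ for the addslashes() version (the backslash becomes part of the value and the attribute ends at the quote) and 3" Brush for the htmlspecialchars() version.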
Re: [PHP] addslashes Question
Jeff, here's what I do:

1. set magic_quotes_gpc On in php.ini
   * this will automatically quote all GET, POST, and COOKIE variables - read up on magic_quotes_gpc.

2. at the top of each script, stripslashes all the COOKIE, GET, and POST variables, since they will have been automatically quoted by magic_quotes_gpc.

3. At the top of the routine that INSERTs or UPDATEs fields in the database, for all string variables invoke addslashes - this will properly quote all characters (I think there's only 4 - single quote, double quote, NULL character, and I can't remember what the 4th one is - look at the manual under "addslashes"). Then you can INSERT or UPDATE the columns with those addslash'ed values.

There's many different ways to do this, but this is what works best for me.

--
Hardy Merrill
Mission Critical Linux, Inc.
http://www.missioncriticallinux.com

Jeff Oien [[EMAIL PROTECTED]] wrote:
> I have a form to modify a record in a MySQL database. The record contains this:
>
> 3" Brush
>
> The code in question is like this:
>
> while ($row = mysql_fetch_array($result)) {
>     $desc1 = $row['desc1'];
> --
> <input type="text" name="desc1" value="<?php echo "$desc1"; ?>">
>
> I've tried using addslashes to the variable in various ways and it always returns:
>
> 3\
>
> What am I doing wrong? Sorry this is probably the 1000th time this has been asked.
>
> Jeff Oien