RE: [PHP] addSlashes Question

2007-08-07 Thread Richard Lynch
On Wed, August 1, 2007 3:27 pm, Jay Blanchard wrote:
 [snip]

  $first = '.addslashes($_POST['firstname']).';
  $last = '.addslashes($_POST['lastname']).';
  $email = '.addslashes($_POST['email']).';
  $address = '.addslashes($_POST['address']).';
  $city = '.addslashes($_POST['city']).';
  $state = '.addslashes($_POST['state']).';
  $zip = '.addslashes($_POST['zip']).';
  $comments = '.addslashes($_POST['comments']).';
  $newsletter = '.addslashes($_POST['signup']).';
  $contact = '.addslashes($_POST['contact']).';


 I can understand addSlashes for the first and last name, but question
 the need in the other variables, please inform.
 [/snip]

 There is safety in numbers! While a lot of these fields may not ever
 contain anything that would need to be escaped, the name fields and
 comments field would definitely need this. Also, if this is filled out
 by 'external' users you do not want them to be able to enter anything
 (like a SQL injection attack in the comments field) that might cause a
 problem of some sort. Another option would be htmlentities().

addslashes is the old, wrong, not-ready-for-international-charset
prime time version of http://php.net/mysql_real_escape_string.  Change
addslashes to that.

htmlentities is for BROWSER OUTPUT and has zip to do with validation.
But you would want to use it if you were outputting the data to the
browser at some later date.

And, finally, you need to escape ALL data going to MySQL because you
don't KNOW that a Bad Guy isn't trying to cram all sorts of mean and
evil stuff into all your fields.

-- 
Some people have a gift link here.
Know what I want?
I want you to buy a CD from some indie artist.
http://cdbaby.com/browse/from/lynch
Yeah, I get a buck. So?

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php



[PHP] addSlashes Question

2007-08-01 Thread CK

Hi,

Engaged in cleanup project, attempting to understand the
uncommented decisions of predecessors. Inserting the following
contact form values into a DB:



$first = '.addslashes($_POST['firstname']).';
$last = '.addslashes($_POST['lastname']).';
$email = '.addslashes($_POST['email']).';
$address = '.addslashes($_POST['address']).';
$city = '.addslashes($_POST['city']).';
$state = '.addslashes($_POST['state']).';
$zip = '.addslashes($_POST['zip']).';
$comments = '.addslashes($_POST['comments']).';
$newsletter = '.addslashes($_POST['signup']).';
$contact = '.addslashes($_POST['contact']).';


I can understand addSlashes for the first and last name, but question  
the need in the other variables, please inform.


CK




RE: [PHP] addSlashes Question

2007-08-01 Thread Jay Blanchard
[snip]

 $first = '.addslashes($_POST['firstname']).';
 $last = '.addslashes($_POST['lastname']).';
 $email = '.addslashes($_POST['email']).';
 $address = '.addslashes($_POST['address']).';
 $city = '.addslashes($_POST['city']).';
 $state = '.addslashes($_POST['state']).';
 $zip = '.addslashes($_POST['zip']).';
 $comments = '.addslashes($_POST['comments']).';
 $newsletter = '.addslashes($_POST['signup']).';
 $contact = '.addslashes($_POST['contact']).';


I can understand addSlashes for the first and last name, but question  
the need in the other variables, please inform.
[/snip]

There is safety in numbers! While a lot of these fields may not ever
contain anything that would need to be escaped, the name fields and
comments field would definitely need this. Also, if this is filled out
by 'external' users you do not want them to be able to enter anything
(like a SQL injection attack in the comments field) that might cause a
problem of some sort. Another option would be htmlentities().




Re: [PHP] addSlashes Question

2007-08-01 Thread Jim Lucas

CK wrote:

Hi,

Engaged in cleanup project, attempting to understand the uncommented
decisions of predecessors. Inserting the following contact form values
into a DB:



$first = '.addslashes($_POST['firstname']).';
$last = '.addslashes($_POST['lastname']).';
$email = '.addslashes($_POST['email']).';
$address = '.addslashes($_POST['address']).';
$city = '.addslashes($_POST['city']).';
$state = '.addslashes($_POST['state']).';
$zip = '.addslashes($_POST['zip']).';
$comments = '.addslashes($_POST['comments']).';
$newsletter = '.addslashes($_POST['signup']).';
$contact = '.addslashes($_POST['contact']).';


I can understand addSlashes for the first and last name, but question 
the need in the other variables, please inform.


CK



More than likely what they were trying to do is prep/escape the data for 
insertion into the DB.

A better thing to use would be the actual DB escape function.

Mysql  http://us2.php.net/mysql_real_escape_string

Other DB implementations have similar functions

This will escape the data for insertion into a DB, but do it on all chars that need to be escaped,
whereas addSlashes() works on only a subset of the chars that need escaping.



--
Jim Lucas

   Some men are born to greatness, some achieve greatness,
   and some have greatness thrust upon them.

Twelfth Night, Act II, Scene V
by William Shakespeare




Re: [PHP] addSlashes Question

2007-08-01 Thread Robert Cummings
On Wed, 2007-08-01 at 13:20 -0700, CK wrote:
 Hi,
 
 Engaged in cleanup project, attempting to understand the
 uncommented decisions of predecessors. Inserting the following
 contact form values into a DB:
 
 
  $first = '.addslashes($_POST['firstname']).';
  $last = '.addslashes($_POST['lastname']).';
  $email = '.addslashes($_POST['email']).';
  $address = '.addslashes($_POST['address']).';
  $city = '.addslashes($_POST['city']).';
  $state = '.addslashes($_POST['state']).';
  $zip = '.addslashes($_POST['zip']).';
  $comments = '.addslashes($_POST['comments']).';
  $newsletter = '.addslashes($_POST['signup']).';
  $contact = '.addslashes($_POST['contact']).';
 
 
 I can understand addSlashes for the first and last name, but question  
 the need in the other variables, please inform.

ALWAYS escape user submitted data. Just because you expect a certain
input doesn't mean some Mr. Malicious posted it to your form. That said,
addSlashes() is insecure for database queries. You should use the
database specific escape function to properly escape content that is DB
bound.

Cheers,
Rob.
-- 
...
SwarmBuy.com - http://www.swarmbuy.com

Leveraging the buying power of the masses!
...




[PHP] addslashes Question

2001-03-21 Thread Jeff Oien

I have a form to modify a record in a MySQL database. 
The record contains this:
3" Brush
The code in question is like this:
while ($row = mysql_fetch_array($result)) {
$desc1 = $row['desc1'];
--
<input type="text" name="desc1" value="<?php echo "$desc1"; ?>">

I've tried using addslashes to the variable in various ways and it
always returns:
3\
What am I doing wrong? Sorry this is probably the 1000th time
this has been asked.
Jeff Oien

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
To contact the list administrators, e-mail: [EMAIL PROTECTED]




Re: [PHP] addslashes Question

2001-03-21 Thread Tobias Talltorp

This seems to be more of a HTML problem.
Form fields simply can't print out ". You need to change the " to &quot; in
order for it to appear.
This can be done using the function htmlspecialchars():
http://www.php.net/manual/en/function.htmlspecialchars.php

In your case:
<?php echo htmlspecialchars("$desc1"); ?>"

You can test these two things to see the difference:
1. <input type="text" name="name" value="this has a &quot;">
2. <input type="text" name="name" value="this does not have a "">

// Tobias

"Jeff Oien" [EMAIL PROTECTED] wrote in message
news:[EMAIL PROTECTED]...
 I have a form to modify a record in a MySQL database.
 The record contains this:
 3" Brush
 The code in question is like this:
 while ($row = mysql_fetch_array($result)) {
 $desc1 = $row['desc1'];
 --
 <input type="text" name="desc1" value="<?php echo "$desc1"; ?>">

 I've tried using addslashes to the variable in various ways and it
 always returns:
 3\
 What am I doing wrong? Sorry this is probably the 1000th time
 this has been asked.
 Jeff Oien









Re: [PHP] addslashes Question

2001-03-21 Thread Hardy Merrill

Jeff, here's what I do:

  1. set magic_quotes_gpc On in php.ini
   * this will automatically quote all GET, POST, and COOKIE
 variables - read up on magic_quotes_gpc.

  2. at the top of each script, stripslashes all the COOKIE, GET,
 and POST variables, since they will have been automatically
 quoted by magic_quotes_gpc.

  3. At the top of the routine that INSERT's or UPDATE's fields
     in the database, for all string variables invoke addslashes -
     this will properly quote all characters (I think there's only 4
     - single quote, double quote, NULL character, and I can't
     remember what the 4th one is - look at the manual under
     "addslashes").  Then you can INSERT or UPDATE the columns with
     those addslash'ed values.

There's many different ways to do this, but this is what works best
for me.

-- 
Hardy Merrill
Mission Critical Linux, Inc.
http://www.missioncriticallinux.com

Jeff Oien [[EMAIL PROTECTED]] wrote:
 I have a form to modify a record in a MySQL database. 
 The record contains this:
 3" Brush
 The code in question is like this:
 while ($row = mysql_fetch_array($result)) {
   $desc1 = $row['desc1'];
 --
 <input type="text" name="desc1" value="<?php echo "$desc1"; ?>">
 
 I've tried using addslashes to the variable in various ways and it
 always returns:
 3\
 What am I doing wrong? Sorry this is probably the 1000th time
 this has been asked.
 Jeff Oien
 

