PHP - Sanitize Data Creates 3 Slashes

Hi all,

I just stumbled upon the 'new' filter function of php and i was wondering if someone could maybe recommend me which to use.

for instance if i have a script:

<?php
        $_evilstring = "<script> alert('justin bieber is ruining your sound system')</script>";

        $_clean1 = htmlspecialchars($_evilstring);
        echo 'clean string one = '.$_clean1.'<br />';
        $_clean2 = filter_var($_evilstring, FILTER_SANITIZE_SPECIAL_CHARS);
        echo 'clean string two = '.$_clean2.'<br />';
        ?>


Both output exactly the same. Now i was wondering if there might be differences in them. For some reason I would like to use the filter function because the name sounds better, but that of course is not very scientific. Anyone with ideas maybe performance, speed, wickedness??

Folks this one line and any other variations I have tried just nulls my variable

Code: [Select]
function check_input($value)
{
echo '<pre>';
echo "Value before = ";
echo $value;
echo '</pre>';
// Stripslashes
//if (get_magic_quotes_gpc())
//   {
//   $value = stripslashes($value);
//   }
// Quote if not a number
//if (!is_numeric($value))
//   {
   $value = "'" . mysql_real_escape_string($value) . "'";   <-----
//$value = mysql_real_escape_string($value);
//$value = mysql_real_escape_string($value);
echo '<pre>';
echo "Value after = ";
echo $value;
echo '</pre>';
//   }
return $value;
 }

...
// Make a safe SQL
 $iso_code = check_input($iso_code);
 $country_name = check_input($country_name);
      $query = "select * from countries where
            iso_code = '".$iso_code."' or country like '%".$country_name."%'";
      mysql_query($query);
 echo '<pre>';
 echo $iso_code;
 echo $country_name;
 echo $query;
 echo '</pre>';
The result is:-

Code: [Select]
Value before = UK
Value after = ''
Value before = United Kingdom
Value after = ''
''''select * from countries where
            iso_code = '''' or country like '%''%'

with no mysql_real_escape statement the app work fine. I'm now trying to make my code more robust.

Any help would be appreciated.

jamie

the problem is that when I add an item to be displayed in the blog, shows three instead, which two are empty.
It should not create three entries when I just add one entry. How can I fix this?

<?PHP
/* define the blog content file name */
$filename = "myBlogContent.txt";
?>




<?php
/* check to see if the file exists */
if (!file_exists($filename)) {

echo "The Blog Is Empty";

}else{

/* get the file lines into an array */

$BlogArray = file($filename);

/* count the number of blog entries */
$count = count($BlogArray);

$i=0;

while($i<$count) {

$new_array = explode("|", $BlogArray[$i]);

echo "Posted by: " . $new_array[1] . "<br>";

echo "Posted on: " .  date("m/d/y h:iA", time($new_array[0])) . "<br>"
echo 

"Title: " . $new_array[2] . "<br>";


echo $new_array[3] . "<hr>";


$i ++;


}
}
?>





<?PHP
/* obtain the form data */
$who = $_POST['who'];
$title = $_POST['title'];
$content = $_POST['content'];
$content = str_replace(array("\r\n", "\r", "\n"), "<br>", $content); 

/* create timestamp variable for current date and time */
$when_ts = time(); 

/* define the blog content file name */
$filename = "myBlogContent.txt";

/* prepare the variables for adding to the file */

$new_line_content = $when_ts . "|" . $who . "|" . $title . "|" . $content . "\n";

/* open the file in the APPEND MODE */
$fh = fopen($filename, 'a+') or die("can't open file");

/* add the new content */
fwrite($fh, $new_line_content); 

/* close the file */
fclose($fh); 

 
//exit; // Closes further script execution . 
?>

Hey all,

While the filter itself is functioning properly, the flag doesn't seem to be.

Here's how I have it set up:

Code: [Select]

$UserInput = filter_var($UserInput , FILTER_SANITIZE_STRING, FILTER_FLAG_STRIP_LOW); // Test Format 1

$UserInput  = filter_input(INPUT_POST, 'UserInput', FILTER_SANITIZE_STRING, FILTER_FLAG_STRIP_LOW);  // Test Format 2

As you can see, I have set up to test methods however, each one fails regarding the flag..or so it's seeming to me.

FILTER_FLAG_STRIP_LOW is supposed to strip out anything > 32 in ascii, but it isn't. '&' (38) is greater than 32 but it still displays in the browser.

Am I missing something here?

I have never looked into sanitizing before, Is using htmlentities() good enough to protect against sql injection ?

Thanks.

This topic has been moved to Third Party PHP Scripts.

http://www.phpfreaks.com/forums/index.php?topic=346794.0

Hi All I Am confused

I would like to put info into a database but need it to be secure. I have some code shown below. The problem is I would like to put in ' but keep the data secure.
When it comes back I do not want to show \' I think you might know what I am trying to do.
Here is the code but would like to know how to stop the \' showing.
Code: [Select]
$password = mysql_real_escape_string(stripslashes(trim($_POST['password'])));
Any help would be great thank you.

Hi:

Is this the proper way to remove slashes from apostrophes:
Code: [Select]
if ($_SERVER['REQUEST_METHOD'] == 'POST')
{

$myTitle = mysql_real_escape_string(stripslashes($_POST['myTitle']));
$myDesc = mysql_real_escape_string(stripslashes($_POST['myDesc']));
$myHeader = mysql_real_escape_string(stripslashes($_POST['myHeader']));
$mySubHeader = mysql_real_escape_string(stripslashes($_POST['mySubHeader']));
$myPageData = mysql_real_escape_string(stripslashes($_POST['myPageData']));


It seems to work fine, I'd just like to clarify I'm not missing anything.

Thanks!

Hello Everyone,
I've been working with XAMPP 1.7.3 and have a general question. I've always read (and been told) to use addslashes() for any MySQL input to protect the database. My PHP.ini file has magic quotes off and the system automatically produces a caret symbol "^" in front of every control character I upload to the database. I can't find anything in the PHP.ini file relating to the caret symbols and control characters, nor can I find anything in the My.ini file.

In testing, it the system behaves just as it would if I had magic quotes on, except that the system uses the carets instead of slashes. I have no problem removing the carets (and any slashes that a user might upload) but would like to know what is going on. I've done google searches on this and have only found content regarding regular expressions. Could someone clue me in? Thank in advance.
Cheers,
Rick

Hi there i have this code:
Code: [Select]
$str = "<i><font color="800080"> man </font></i><p><font color="9898989"> hi </font></p><p><font color="1111111"> cheers </font></p>";
$pattern = '/<font .*?>(.*?)<\/font>/';
if(preg_match_all($pattern, addslashes($str), $posts)){
        $i=0;
for($i; $i < count($posts[0]); $i++){
            echo "content: " . $posts[0][$i] . "<br/>";
            echo "colour: " . $posts[1][$i] . "<br/>";
             echo "<br />";
           
           }
}
and it doesn't work apparently because of the addslashes but its really needed as double quotes needs to be escaped, consider that i'm applying this code to a larger html file with hundreds of double quotes to be escaped....

error msg i get is Parse error: syntax error, unexpected T_LNUMBER in
thanks in advance..

Hey Guys!
I would really like some feedback on the following:

I have a site in Portuguese. Php retrieves a lot of POST's with Special Characters and Portuguese Accents (which are expected).
With my sanatize function I am having some real problems with the 'htmlentities' for XSS Injection Prevention.
htmlentities is changing the accents to strange characters and messes up my database.

sanitize( &$_GET );
sanitize( &$_POST );
sanitize( &$_COOKIE );

function sanitize( &$some) 
{
$some = array_map('htmlentities', $some); //XSS Prevention

foreach( $some as $key => $value ) 
{
$value = str_replace( '--', '', $value );
$value = str_replace( '/*', '', $value );
$value = str_replace( '"', '', $value );
$value = str_replace( "'", '', $value );
$value = ereg_replace( '[\( ]+0x', '', $value );
if ($value != $some[$key]) 
{
$some[$key] = $value;
}
}
}

The only solution I can think of is to take out the 'htmlentities' function, but I would really like to have this as a prevention against XSS, is there any way around this to have both things working?

Any ideas, suggestions?

Thanks in advance!

Hello Coddy Guys,im trying to do simple website creator
Maybe i don't have Disease Centres probably do not have the imagination to do
or something else. I wan't to do.
when member is registered and he got template that chosed in registration.
how to create new folder with users template.
Maybe you got it.
Thanks.

Ok so I'm coding up a file tree for a script and I've got the system setup so that when a user clicks on a folder it adds that folder to the path. The path is stored in a variable, but I'd like to allow the user to be able to go down multiple directories at once. To do this I'm going to seperate each folder name in the path and link to it so as an example:

$path = './home/public_html/folder1/folder2';

how can I separate each of those so I can make a link to that folder so that:

/home goes to $path = './home/';
/public_html goes to $path = './home/public_html';
etc...
---
Basically just seperate the slashes into an array and seperate each of them off based on how far along it is but I don't know how to do that...

Hi guys

When I insert a data into MySQL and thru addslashes() it is adding not one but 3 slashes in mysql.

By the way here are the codes,
Code: [Select]
<?php
//$conn = new mysqli('localhost', 'root', '', 'my_db');
$conn = new mysqli('localhost', 'coder9_work', '******', 'coder9_portfolio');
$query = "INSERT into portfolio(category, title, description, version, started, finished) VALUES (?, ?, ?, ?, ?, ?)";

$select = $_POST['select'];
$title = addslashes($_POST['title']);
$description = $_POST['description'];
$version = $_POST['version'];
$started = $_POST['started'];
$finished = $_POST['finished'];


$stmt = $conn->stmt_init();
if($stmt->prepare($query)) {
$stmt->bind_param('ssssss', $select, $title, $description, $version, $started, $finished);
$stmt->execute();
}

if($stmt) {
echo "Thank you!";
} else {
echo "There was a problem. Please  try again later.";
}
?>

How do I fix this problem so that It will add only one slashes?

Thanks in advanced.

I have this page that keeps adding slashes (exponentially) to the $sql var that gets passed on through the hidden text area. I cannot figure out why it does this.

Any ideas are appreciated. Thank you.


<?php
include_once $_SERVER['DOCUMENT_ROOT'] . '/include/login.php';
include_once $_SERVER['DOCUMENT_ROOT'] . '/include/mysql.php';

if(!Login::loggedIn()) {
include $_SERVER['DOCUMENT_ROOT'] . '/include/uploads/pages/login.php';
} else {
function displayForm()
{
$sql     = 'SELECT * FROM `content` WHERE `contentCallid` = \'' . $_GET['page'] . '\'';
$con     = $GLOBALS['mysql']->connect();
$query   = mysql_query($sql, $con);
$content = mysql_fetch_array($query);

$content['breadcrumb']     = explode(',', $content['breadcrumb']);
$content['breadcrumbLink'] = explode(',', $content['breadcrumbLink']);
$breadcrumb = '';

for($i = 0; $i < count($content['breadcrumb']); $i++) {
if($i > 0)
$breadcrumb .= ',';
$breadcrumb .= $content['breadcrumbLink'][$i] . '::' . $content['breadcrumb'][$i];
}

if(empty($_POST['sql'])) {
$sql = 'INSERT INTO `contentVersions`
(`contentCallid` ,
`contentTitle` ,
`content` ,
`views` ,
`permissionNeeded` ,
`status` ,
`version` ,
`created` ,
`createdBy` ,
`lastEdit` ,
`lastEditBy` ,
`breadcrumb` ,
`breadcrumbLink` ,
`noBreadcrumb` ) 
VALUES (
\'' . ($content['contentCallid'])    . '\',
\'' . ($content['contentTitle'])     . '\',
\'' . ($content['content'])          . '\',
\'' . ($content['views'])            . '\',
\'' . ($content['permissionNeeded']) . '\',
\'' . ($content['status'])           . '\',
\'' . ($content['version'])          . '\',
\'' . ($content['created'])          . '\',
\'' . ($content['createdBy'])        . '\',
\'' . ($content['lastEdit'])         . '\',
\'' . ($content['lastEditBy'])       . '\',
\'' . ($content['breadcrumb'])       . '\',
\'' . ($content['breadcrumbLink'])   . '\',
\'' . ($content['noBreadcrumb'])     . '\');';
$sql = stripslashes($sql);
} else {
$sql = $_POST['sql'];
}
?>
<form id="loginForm" name="loginForm" method="post" action="index.php?p=editPage&page=<?= $_GET['page']; ?>&ref=editPage">
   <fieldset>
    <legend>Page Settings </legend>
<p>
      <label>Page Title: </label>
      <input name="title" style="width:450px;" id="title" value="<?= $content['contentTitle']; ?>" type="text" />
    </p>
<p>
      <label>Content ID: </label>
      <input name="callid" readonly="readonly" style="width:381px;" id="callid" value="<?= $content['contentCallid']; ?>" type="text" />
  &nbsp;
  <input name="suggestC" type="button" value="Suggest" onclick="suggestCallID('<?= $content['contentCallid']; ?>');" />
    </p>
<p>
      <label>Breadcrumb: </label>
      <input name="breadcrumb" style="width:381px;" id="breadcrumb" value="<?= $breadcrumb; ?>" type="text" />
  &nbsp;
  <input name="suggestBC" type="button" value="Suggest" onclick="suggestBreadcrumb();" /></p>
  </fieldset>
  <textarea name="editPageWYS" id="editPageWYS"><?= $content['content']; ?></textarea>
   <textarea style="visibility:hidden;" name="sql"><?= $sql; ?></textarea>
   <textarea style="visibility:hidden;" name="version"><?= $content['version']; ?></textarea>
   <textarea style="visibility:hidden;" name="contentid"><?= $content['contentid']; ?></textarea>
   <fieldset>
    <legend>Actions</legend>
<p>
  <input name="save" type="submit" value="Save" />
    </p>
  </fieldset>
</form>
<?php
}

if(!empty($_POST['save'])) {
if(empty($_POST['title']) || empty($_POST['callid'])) {
echo '<blockquote class="failure">Save not successful. You need to have both a title and content id. Please type in a title then click the "Suggest" button.</blockquote>';
displayForm();
} else {
$time = time();
$bc   = explode(',', $_POST['breadcrumb']);
$bcText = array();
$bcLink = array();

for($i = 0; $i < count($bc); $i++) {
$bc[$i]     = explode('::', $bc[$i]);
$bcLink[$i] = $bc[$i][0];
$bcText[$i] = $bc[$i][1];
}

$bcLink = implode(',', $bcLink);
$bcText = implode(',', $bcText);

$con   = $GLOBALS['mysql']->connect();
$query = mysql_query($_POST['sql'], $con);

echo $_POST['sql'];
if(!$query) {
echo '<blockquote class="failure">Warning: A MySQL error has occured while adding the backup to the database.<p>' . mysql_error() . '</p></blockquote>';
displayForm();
}

$sql = 'UPDATE  `content` SET
`content` = \'' . $_POST['editPageWYS'] . '\',
`breadcrumb` = \'' . $bcText . '\',
`breadcrumbLink` = \'' . $bcLink . '\',
`contentCallid` = \'' . $_POST['callid'] . '\',
`contentTitle` = \'' . $_POST['title'] . '\',
`version` = \'' . ($_POST['version'] + 1) . '\',
`lastEdit` = \'' . $time . '\',
`lastEditBy` = \'' . $_SESSION['username'] . '\'
WHERE `contentid` = ' . $_POST['contentid'] . ' LIMIT 1 ;';

$query = mysql_query($sql, $con);
if(!$query) {
echo '<blockquote class="failure">MySQL Error<p>' . mysql_error() . '</p></blockquote>';
displayForm();
} else {
echo '<blockquote>Page Successfully Edited<br /><br /><a href="index.php?p=' . $_POST['callid'] . '&ref=newPage">Click Here to View It</a></blockquote>';
}
}
} else {
displayForm();
}
}
?>