Posted by Laiverd.COM on 03/30/07 11:37
Thanks for the input guys. There are more fields to check, but I didn't want to
bother you with all of them as the problem occurs in any field whenever a
single quote is part of the string. For now I merely have a problem getting
data back into the field after validation as soon as a quote is part of the
data.
I'm talking merely validation here and not (yet) about filtering before
entering the data into a db. I am aware of security issues here (as far as I
can be, being only a beginner in PHP), but would welcome any tips in this
area (got a 300 page book here on the matter but haven't found time yet to
dive into it). I can imagine you guys getting tired at times of beating the
security drum; know that I am aware, and will do the best I can ;) In the
meantime ... just keep breathing ;)
Thanks for your input.
Cheers,
John
"shimmyshack" <matt.farey@gmail.com> wrote in message
news:1175207250.550677.271870@r56g2000hsd.googlegroups.com...
> On 29 Mar, 22:59, Colin McKinnon
> <colin.thisisnotmysurn...@ntlworld.deletemeunlessURaBot.com> wrote:
>> shimmyshack wrote:
>> > On 29 Mar, 20:48, "Laiverd.COM" <share_your_knowle...@someserver.nl>
>> > wrote:
>> >> have used get_magic_quotes_gpc(); to turn it off,
>>
>> You can't turn off magic quotes - you can try setting it false but if it has
>> been set anywhere, it stays set - this is a big part of why most people
>> hate it.
>>
>>
>>
>> >> This is what i have
>> >> THE FORM PART
>> >> <input name='city' type='text' value='".$_POST['city']."' class='big'
>> >> />
>>
>> <snip>
>>
>> So if $_POST['city'] contains Brig O' Doon (and magic quotes is off) then
>> that line will read
>> <input name='city' type='text' value='Brig O' Doon' class='big' />
>> a safer bet would be:
>>
>> <input name='city' type='text' value='".htmlentities($_POST['city'])."'
>> class='big' />
>>
>> As to what happens with magic quotes - I don't know. Try viewing the
>> source
>> code of your page and checking the traffic with tamperdata or
>> ieHTTPHeaders.
>>
>> The regexp looks OK but a more elegant solution than disallowing certain
>> characters is to accommodate them safely.
>>
>> You might want to look at the OWASP toolkit too.
>>
>> HTH
>>
>> C.
>
> well done Colin, I didn't spot that, I looked but was fooled by the "
> around the $_POST['city'] - that of course is it, simple as that.
> [provided he does indeed get nothing only when the city is prepended
> by an apostrophe] I couldn't be bothered to open with "be more secure"
> because I hadn't seen the rest of his code. I wouldn't be at all
> surprised if there's no filtering before the db, or on any of the
> other fields. After a while you just get tired of beating the security
> drum - it makes you look like a one trick pony!
>
>
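The breakage Colin describes (an apostrophe in $_POST['city'] closing the single-quoted value attribute early) and the fix he suggests, shown side by side as an added example; this is editor-written code, not code posted by anyone in the thread. One caveat worth knowing before copying the one-liner above: on the PHP of that era, htmlentities() and htmlspecialchars() without the ENT_QUOTES flag encode only `"`, `<`, `>` and `&`, so a bare htmlentities($x) still leaves the apostrophe in place and the single-quoted attribute is still broken. The example passes ENT_QUOTES explicitly and also undoes magic_quotes_gpc when an old runtime applied it, so a value that arrived as `Brig O\' Doon` is shown as `Brig O' Doon` again. The sample inputs are constructed; the function names are mine.

```php
<?php
// Added example (not from the thread): rendering a text input whose value
// may contain quotes, with and without proper output encoding.
declare(strict_types=1);

// Constructed sample inputs: the thread's city name plus a value that tries
// to break out of the attribute and inject an event handler.
$samples = [
    "Brig O' Doon",
    'Say "hi"',
    "x' onmouseover='alert(1)",
];

// Read a posted field and undo magic_quotes_gpc if the runtime applied it.
// get_magic_quotes_gpc() was removed in PHP 8.0, hence the function_exists guard;
// on PHP 8 the value is returned as posted.
function postValue(array $post, string $key): string
{
    $value = (string) ($post[$key] ?? '');
    if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
        $value = stripslashes($value);
    }
    return $value;
}

// The original, broken line: raw user data inside a single-quoted attribute.
// The first apostrophe in the data terminates value='...' early.
function inputRaw(string $city): string
{
    return "<input name='city' type='text' value='" . $city . "' class='big' />";
}

// Hardened line: encode for an HTML attribute context. ENT_QUOTES is what makes
// the apostrophe become &#039;; without it the single-quoted attribute is still
// broken. ENT_SUBSTITUTE replaces invalid UTF-8 instead of returning ''.
function inputEncoded(string $city): string
{
    $safe = htmlspecialchars($city, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return "<input name='city' type='text' value='" . $safe . "' class='big' />";
}

// Same encoding, but without ENT_QUOTES, to show why the flag matters.
function inputEncodedNoQuotes(string $city): string
{
    $safe = htmlspecialchars($city, ENT_COMPAT | ENT_SUBSTITUTE, 'UTF-8');
    return "<input name='city' type='text' value='" . $safe . "' class='big' />";
}

foreach ($samples as $city) {
    $city = postValue(['city' => $city], 'city');
    echo "raw:          ", inputRaw($city), PHP_EOL;
    echo "ENT_COMPAT:   ", inputEncodedNoQuotes($city), PHP_EOL;
    echo "ENT_QUOTES:   ", inputEncoded($city), PHP_EOL, PHP_EOL;
}
```

Run it from the command line (`php example.php`) and compare the three renderings of the third sample: the raw and ENT_COMPAT lines both emit a second attribute `onmouseover='alert(1)'`, the ENT_QUOTES line keeps the whole string inside the value. Encoding on output, in the context where the data lands, is the "accommodate them safely" Colin means; it replaces the regexp that would have rejected every legitimate O'Something.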