Posted by Laiverd.COM on 03/30/07 15:24
Tnx shimmyshack; your input is really appreciated.
 John
 
 "shimmyshack" <matt.farey@gmail.com> wrote in message
 news:1175266318.223589.140600@l77g2000hsb.googlegroups.com...
 > On 30 Mar, 12:37, "Laiverd.COM" <share_your_knowle...@someserver.nl>
 > wrote:
 >> Thanks for the input guys. There's more fields to check, but didn't want
 >> to bother you with all of them as the problem occurs in any field whenever
 >> a single quote is part of the string. For now I merely have a problem
 >> getting data back into the field after validation as soon as a quote is
 >> part of the data.
 >> I'm talking merely validation here and not (yet) about filtering before
 >> entering the data into a db. I am aware of security issues here (as far
 >> as I can be, being only a beginner in PHP), but would welcome any tips in
 >> this area (got a 300 page book here on the matter but haven't found time
 >> yet to dive into it). I can imagine you guys getting tired at times of
 >> beating the security drum; know that I am aware, and will do the best I
 >> can ;) In the meantime ... just keep breathing ;)
 >>
 >> Thanks for your input.
 >>
 >> Cheers,
 >> John
 >>
 >> "shimmyshack" <matt.fa...@gmail.com> wrote in message
 >>
 >> news:1175207250.550677.271870@r56g2000hsd.googlegroups.com...
 >>
 >> > On 29 Mar, 22:59, Colin McKinnon
 >> > <colin.thisisnotmysurn...@ntlworld.deletemeunlessURaBot.com> wrote:
 >> >> shimmyshack wrote:
 >> >> > On 29 Mar, 20:48, "Laiverd.COM" <share_your_knowle...@someserver.nl>
 >> >> > wrote:
 >> >> >> have used get_magic_quotes_gpc(); to turn it off,
 >>
 >> >> You can't turn off magic quotes - you can try setting it false but if
 >> >> it has been set anywhere, it stays set - this is a big part of why most
 >> >> people hate it.
 >>
 >> >> >> This is what i have
 >> >> >> THE FORM PART
 >> >> >>  <input name='city' type='text' value='".$_POST['city']."'
 >> >> >> class='big'
 >> >> >> />
 >>
 >> >> <snip>
 >>
 >> >> So if $_POST['city'] contains Brig O' Doon (and magic quotes is off)
 >> >> then
 >> >> that line will read
 >> >> <input name='city' type='text' value='Brig O' Doon' class='big' />
 >> >>  a safer bet would be:
 >>
 >> >> <input name='city' type='text' value='".htmlentities($_POST['city'])."'
 >> >> class='big' />
 >>
 >> >> As to what happens with magic quotes - I don't know. Try viewing the
 >> >> source code of your page and checking the traffic with tamperdata or
 >> >> ieHTTPHeaders.
 >>
 >> >> The regexp looks OK but a more elegant solution than disallowing
 >> >> certain characters is to accommodate them safely.
 >>
 >> >> You might want to look at the OWASP toolkit too.
 >>
 >> >> HTH
 >>
 >> >> C.
 >>
 >> > well done Colin, I didn't spot that, I looked but was fooled by the "
 >> > around the $_POST['city'] - that of course is it, simple as that.
 >> > [provided he does indeed get nothing only when the city is prepended
 >> > by an apostrophe] I couldn't be bothered to open with "be more secure"
 >> > because I hadn't seen the rest of his code. I wouldn't be at all
 >> > surprised if there's no filtering before the db, or any of the
 >> > other fields. After a while you just get tired of beating the security
 >> > drum - it makes you look like a one trick pony!
 >
 > the easiest way to persist data (so it's there when the user goes back
 > to the form, or navigates to another similar form where they might be
 > asked to input a subset of the same info) is to use a session. Once
 > the validation has worked out you set a session variable.
 >
 > you might even get the function to write the input for you, and use a
 > loop, anyway. Stop using single quotes (although valid markup) for
 > your inputs, and stop using double quotes - which make php work harder
 > than it has to (unless you are writing this kind of thing "hello, I
 > live in $city")
 > and things will work just fine.
 >
 > The reason you have probably not hit the eureka moment is because your
 > single quotes are untouched by htmlentities, unless you read the
 > manual and include the last optional argument.
 >
 > so, cos I feel sorry that you have suffered so long with this, here is a
 > simple script to show you how it fits together. The moral is though:
 > read the manual for the functions people are telling you to use.
 >
 > <?php
 >
 > function returnSessionValue( $strSessionVarName )
 > {
 >     return ( isset( $_SESSION[$strSessionVarName] ) &&
 >              $_SESSION[$strSessionVarName] !== '' ) ?
 >         htmlentities( $_SESSION[$strSessionVarName], ENT_QUOTES ) : '';
 > }
 >
 > //this goes before any output gets sent to browser (cos its a header)
 > session_start();
 >
 > //set city to some annoying place - sorry inhabitants of said city
 > $_SESSION['city'] = "Q'uote'City";
 >
 > //set the form to empty string to start
 > $htmlForm = '';
 >
 > //the markup (using single quotes and double quotes in the reverse
 > //order to you)
 > $htmlForm .= '<form method="post">';
 > $htmlForm .= '<input type="text" name="city" value="' .
 >     returnSessionValue( 'city' ) . '" />';
 > $htmlForm .= '<input type="submit" value="submit"/>';
 > $htmlForm .= '</form>';
 >
 > //output form to browser
 > echo $htmlForm;
 >
 > //only display value of post if there is one, else some nothingy
 > //string
 > echo '<hr>city: ', (( isset($_POST['city']) && $_POST['city'] != '' ) ?
 >     htmlentities( $_POST['city'], ENT_QUOTES ) : 'form data not posted yet');
 >
 > ?>
 >
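As an added illustration of the ENT_QUOTES point made in the thread (example written for this page, not shimmyshack's or Colin's script; `rawInput`, `attr` and `cityField` are names chosen here), the helper below undoes magic quotes when that legacy setting is on and escapes the value before it goes back into the attribute, showing the default flags and ENT_QUOTES side by side on the "Brig O' Doon" input:

```php
<?php
// Added example for this thread, not shimmyshack's or Colin's script.
// rawInput(), attr() and cityField() are names chosen here.

// Fetch a posted string and undo magic quotes if that legacy setting is on.
// get_magic_quotes_gpc() was deprecated in PHP 7.4 and removed in 8.0,
// hence the function_exists() guard.
function rawInput(array $source, string $name): string
{
    if (!isset($source[$name]) || !is_string($source[$name])) {
        return '';
    }
    $value = $source[$name];
    if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
        $value = stripslashes($value);
    }
    return $value;
}

// Escape a value for use inside an HTML attribute. ENT_QUOTES is the point
// of the thread: without it the apostrophe in "Brig O' Doon" is left alone,
// and in a single-quoted value='...' attribute it would end the value early.
function attr(string $value): string
{
    return htmlentities($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Rebuild the city field with a double-quoted, escaped value attribute.
function cityField(string $city): string
{
    return '<input type="text" name="city" value="' . attr($city) . '" class="big" />';
}

// Constructed sample standing in for $_POST, with the apostrophe case.
$post = ['city' => "Brig O' Doon"];
$city = rawInput($post, 'city');

// Side by side: default flags keep the apostrophe, ENT_QUOTES encodes it.
echo "default:    ", htmlentities($city), "\n";
echo "ENT_QUOTES: ", attr($city), "\n";
echo cityField($city), "\n";
```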