Posted by -Lost on 05/14/07 04:28
Dave Kelly wrote:
> Mike P2 wrote:
>> On May 13, 7:26 pm, Dave Kelly <daveeke...@earthlink.net> wrote:
>>> Mike P2 wrote:
>>>> ?>
>>>> Let's assume you made $_REQUEST['name'] and $describe11 safe for the
>>>> file system.
>>>> ?>
>>> You should make that
>>>
>>>> variable safe for the file system before using it, though.
>>> To isolate a question. I have searched for make variable safe and this
>>> is what I found. Is this what you intended by the above statements?
>>>
>>> <?php //quote-smart.php
>>> // Quote variable to make safe
>>> function quote_smart($value) {
>>> // Stripslashes
>>> if (get_magic_quotes_gpc()) {
>>> $value = stripslashes($value);
>>> }
>>> // Quote if not integer
>>> if (!is_numeric($value) || $value[0] == '0') {
>>> $value = "'" . mysql_real_escape_string($value) . "'";
>>> }
>>> return $value;}
>>>
>>> ?>
>>>
>>> --
>>> A little rum in the morning coffee. Just to clear the cobwebs, ya know.
>>
>> That function is for making data safe to insert it into the database.
>> What I meant was to strip out forward slashes and backslashes, because
>> otherwise they could put in a name that would make a file path that's
>> not where you want it to be.
>>
>> If they put a slash in it, PHP might think it means the first part is
>> a folder.
>>
>> -Mike PII
>>
>
> Does this not take care of that?
>
> // Stripslashes
> if (get_magic_quotes_gpc()) {
> $value = stripslashes($value);
> }
Nope, it only does it if get_magic_quotes_gpc returns true.
The basic rule of thumb about making data safe (at least for textual
representations) is to use stripslashes on it anyway.
Granted, the rule of thumb is "make data safe/never trust user input."
--
-Lost
Remove the extra words to reply by e-mail. Don't e-mail me. I am
kidding. No I am not.
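An added example, not code from anyone in this thread: a small PHP helper that does what Mike P2 describes (drop any directory part, whether separated by "/" or "\", and reject traversal names) so a user-supplied name can only ever name a file directly under a fixed base directory. It prints the result of stripslashes() next to it on the same constructed inputs so the two can be compared. The base directory and the sample inputs are assumptions made for the example.

```php
<?php
// Added example: filesystem-safe name helper, not code from the thread.
// Assumes uploads live under one fixed base directory (hypothetical path).

// stripslashes() removes backslash escaping ("\'" -> "'", "\\" -> "\").
// It is shown here only for comparison with the helper below.
function show_stripslashes(string $value): string {
    return stripslashes($value);
}

// Reduce a user-supplied name to something safe to use as a bare file name:
//  - treat both "/" and "\" as directory separators and keep only the last segment,
//  - keep only a conservative character set,
//  - strip leading dots (this rejects ".", ".." and hides no dotfiles),
//  - return null when nothing usable remains.
function safe_filename(string $name): ?string {
    $name = str_replace('\\', '/', $name); // normalise Windows-style separators
    $name = basename($name);               // drop any directory part
    $name = preg_replace('/[^A-Za-z0-9._-]/', '', $name); // whitelist characters
    $name = ltrim($name, '.');             // no ".", "..", "..." or dotfiles
    return $name === '' ? null : $name;
}

// Join the sanitised name onto the fixed base directory.
// Because safe_filename() never returns a separator, the result cannot
// point outside $base.
function path_under(string $base, string $userName): ?string {
    $safe = safe_filename($userName);
    if ($safe === null) {
        return null;
    }
    return rtrim($base, '/') . '/' . $safe;
}

// Constructed sample inputs for the demonstration.
$samples = [
    'report.txt',
    '../../etc/passwd',
    'sub/dir\\evil.php',
    "O'Brien",
    '..',
    '.htaccess',
];

$base = '/var/www/uploads'; // hypothetical base directory
foreach ($samples as $s) {
    printf("%-24s stripslashes=%-24s path=%s\n",
        var_export($s, true),
        var_export(show_stripslashes($s), true),
        var_export(path_under($base, $s), true));
}
```

Run it with `php example.php`. Note that stripslashes() leaves `../../etc/passwd` untouched, while safe_filename() reduces it to `passwd` and turns `..` into null; the helper is what actually keeps the name inside the base directory.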