Re: Saving a form to the server

Posted by Mike P2 on 05/14/07 18:07

On May 13, 9:22 pm, Dave Kelly <daveeke...@earthlink.net> wrote:
> Mike P2 wrote:
> > On May 13, 7:26 pm, Dave Kelly <daveeke...@earthlink.net> wrote:
> >> Mike P2 wrote:
> >>> ?>
> >>> Let's assume you made $_REQUEST['name'] and $describe11 safe for the
> >>> file system.
> >>> ?>
> >> You should make that
>
> >>> variable safe for the file system before using it, though.
> >> To isolate a question. I have searched for make variable safe and this
> >> is what I found. Is this what you intended by the above statements?
>
> >> <?php //quote-smart.php
> >> // Quote variable to make safe
> >> function quote_smart($value) {
> >>     // Stripslashes
> >>     if (get_magic_quotes_gpc()) {
> >>         $value = stripslashes($value);
> >>     }
> >>     // Quote if not integer
> >>     if (!is_numeric($value) || $value[0] == '0') {
> >>         $value = "'" . mysql_real_escape_string($value) . "'";
> >>     }
> >>     return $value;
> >> }
>
> >> ?>
>
> >> --
> >> A little rum in the morning coffee. Just to clear the cobwebs, ya know.
>
> > That function is for making data safe to insert it into the database.
> > What I meant was to strip out forward slashes and backslashes, because
> > otherwise they could put in a name that would make a file path that's
> > not where you want it to be.
>
> > If they put a slash in it, PHP might think it means the first part is
> > a folder.
>
> > -Mike PII
>
> Does this not take care of that?
>
> // Stripslashes
> if (get_magic_quotes_gpc()) {
>     $value = stripslashes($value);
> }
>
> --

That's still related to apostrophes and the database. stripslashes()
replaces \' with ', which is supposed to undo addslashes(), which does
the opposite.

What I'm talking about is something like this:

$var = str_replace( array( '/', '\\' ), '-', $var );

That should remove slashes that might confuse the file system into
thinking there's another folder there.

By the way, if you are inserting stuff into a MySQL database, you
should use the appropriate real_escape_string() function instead of
addslashes(). For example, if you are using the normal MySQL
extension, use the mysql_real_escape_string() function to escape crap
that can confuse MySQL. There's more than just apostrophes and
backslashes that should be escaped for MySQL.

-Mike PII
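An added example, not part of Mike's post or of anything else in this thread, that takes the str_replace() idea one step further: it builds a file-system-safe name from the form value and then makes a second, independent check that the final path stays inside the upload directory. The function names, the directory layout and the sample inputs are my own choices; it assumes PHP 7.1 or newer.

```php
<?php
// Added example, not code from the thread above: a file-system-safe name
// for form data, taking the str_replace() idea one step further.
// Function and variable names are my own; assumes PHP 7.1 or later.

/**
 * Reduce an untrusted form value to a name that can only refer to a
 * file directly inside the target directory. Returns null for input
 * that has nothing usable left, rather than inventing a name.
 */
function safe_filename(string $raw, int $maxLen = 64): ?string
{
    // NUL bytes first: a NUL truncates the path at the C library level,
    // so "evil.php\0.txt" would otherwise be written as "evil.php".
    $name = str_replace("\0", '', $raw);

    // Both separators become '-', as in the post above, so a value such
    // as "../../etc/passwd" can no longer name another directory.
    $name = str_replace(['/', '\\'], '-', $name);

    // Allow-list instead of deny-list: anything outside [A-Za-z0-9._-]
    // (quotes, spaces, control characters, '%', ...) becomes '_'.
    $name = preg_replace('/[^A-Za-z0-9._-]/', '_', $name);

    // Collapse runs of dots and strip leading dots/dashes so the result
    // is never ".", "..", a hidden file, or something that looks like a
    // command-line option.
    $name = preg_replace('/\.{2,}/', '.', $name);
    $name = ltrim($name, '.-');

    if ($name === '' || strlen($name) > $maxLen) {
        return null;
    }
    return $name;
}

/**
 * Write $contents to "$dir/<safe name>.txt" and return the path written.
 * Independent second check: the directory the final path lands in must
 * be $dir itself, whatever safe_filename() produced.
 */
function save_form_text(string $dir, string $rawName, string $contents): string
{
    $name = safe_filename($rawName);
    if ($name === null) {
        throw new InvalidArgumentException('Unusable name supplied');
    }

    $base = realpath($dir);
    if ($base === false || !is_dir($base)) {
        throw new RuntimeException("Upload directory missing: $dir");
    }

    $path = $base . DIRECTORY_SEPARATOR . $name . '.txt';
    if (dirname($path) !== $base) {
        throw new RuntimeException('Path escaped the upload directory');
    }
    if (file_put_contents($path, $contents, LOCK_EX) === false) {
        throw new RuntimeException("Could not write $path");
    }
    return $path;
}

// Constructed inputs (not from the thread) showing why stripslashes()
// is the wrong tool here: it undoes backslash escaping, it does not
// touch directory separators.
$attempts = [
    'report',
    '../../etc/passwd',
    '..\\..\\boot.ini',
    "O'Brien's form",
    "evil.php\0.txt",
];
foreach ($attempts as $raw) {
    printf("%-24s stripslashes: %-20s safe_filename: %s\n",
        json_encode($raw),
        json_encode(stripslashes($raw)),
        var_export(safe_filename($raw), true));
}

// Typical call from the form handler discussed in the thread:
// save_form_text(__DIR__ . '/uploads', $_REQUEST['name'], $describe11);
```

With these inputs, "../../etc/passwd" comes out as "etc-passwd" and "..\..\boot.ini" as "boot.ini", while stripslashes() leaves the first untouched and turns the second into "....boot.ini"; the apostrophes in "O'Brien's form" become underscores, which is the file-system side of the problem and has nothing to do with what mysql_real_escape_string() does for the database side.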

Copyright © 2005-2006 Powered by Custom PHP Programming