Posted by Jochem Maas on 02/10/05 17:59
Ben Edwards (lists) wrote:
> On Thu, 2005-02-10 at 13:45 +0100, Jochem Maas wrote:
>
>>Ben Edwards (lists) wrote:
>>
>>>PS phpsc.net seems to be down, or is the domain wrong?
>
>
>>er yes, oops. as Jeffery pointed out it should have been
>>phpsec.org. had a brainfreeze sorry.
>
>
>
> OK, trying to do a function to remove magic quotes from the post
> variable. Something like:-
>
> function remove_magic_quotes( &$array ) {
>     foreach( $array as $index => $value ) {
>         if ( is_array( $array[$index] ) ) {
>             remove_magic_quotes( $array[$index] );
>         } else {
>             if ( magic_quotes_runtime() ){
>                 $array[$index] = stripslashes( $value );
there is a missing closing brace here. also the test for magic_quotes_runtime()
is better off outside the loop... no point in recursing if magic_quotes_runtime() returns false.
also you might want to use a return val instead of pass-by-reference.
also adding this to a .htaccess file in the root dir of your app might be easier:
php_value magic_quotes_runtime 0
>         }
>     }
> }
>
> But not quite there. Any ideas?
>
> Ben
>
>
>>>Ben
>>>
>>>On Thu, 2005-02-10 at 13:28 +0100, Jochem Maas wrote:
>>>
>>>
>>>>Ben Edwards (lists) wrote:
>>>>
>>>>
>>>>>Am I correct in thinking Magic Quotes automatically adds quotes to all
>>>>>posted variables, therefore if you are displaying post variables on a
>>>>>form you have to remove the quotes. They are only needed if you are
>>>>>actually inserting/updating into the database. Whether magic quotes
>>>>>are on or not you do not actually have to do anything to data fetched
>>>>>from the database. If magic quotes are not on you have to add slashes
>>>>>before you add to the database.
>>>>
>>>>you get the gist of it.... bear in mind _many_ people including actual php
>>>>developers avoid magic_quotes like the plague cos it's a PITA.
>>>>
>>>>basically your input to the DB should be properly escaped (there are special
>>>>functions for this also, depending on your DB, I use a lot of firebird and it's capable
>>>>of parameterized queries - making it impossible to do SQL injection if you use
>>>>the parameterized markup).
>>>>
>>>>AND anything you output to the browser should be sanitized properly as well...
>>>>go to phpsc.net and read everything there - it's a good/solid introduction to
>>>>writing secure php code (e.g. how to combat XSS etc). phpsc.net is headed by Chris
>>>>Shiflett - a veritable goldmine of php related knowledge.... do yourself a favor...
>>>>read his stuff :-) any questions that arise from reading that are welcome here :-)
>>>>
>>>>
>>>>
>>>>>There is also another function you need to pass stuff through if you are
>>>>>going to use it in an <input type=text or <textarea>, what is that
>>>>>function?
>>>>
>>>>htmlentities()
>>>>
>>>>
>>>>
>>>>>Ben
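A version of the function that follows the suggestions in this reply (the setting is checked once outside the recursion, and the cleaned array is returned instead of being modified by reference), with the two other points raised in the thread, parameterized DB input and escaping on output, shown alongside it. This is an added example, not code from Ben's or Jochem's messages; it assumes PHP with PDO and the sqlite driver, the `$post` array is a constructed stand-in for `$_POST`, and the function names are chosen here. One caveat worth noting: the setting that slashes form input is magic_quotes_gpc, not magic_quotes_runtime.

```php
<?php
// Added example, not from the thread. Undoes the slashes magic_quotes_gpc
// adds to GET/POST/COOKIE input. magic_quotes_runtime only covers data read
// at runtime from files and databases, so it is the wrong test for form input.
function strip_magic_quotes_deep($value)
{
    if (!is_array($value)) {
        return stripslashes($value);
    }
    $clean = array();
    foreach ($value as $key => $item) {
        // magic_quotes_gpc escapes array keys as well as values
        $clean[stripslashes($key)] = strip_magic_quotes_deep($item);
    }
    return $clean;
}

// Checks the setting once, outside the recursion, and returns the result
// instead of modifying the argument by reference. $enabled can be forced
// for testing; null means detect from the running PHP.
function remove_magic_quotes(array $input, $enabled = null)
{
    if ($enabled === null) {
        // get_magic_quotes_gpc() no longer exists in PHP 8: treat as off there
        $enabled = function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc();
    }
    return $enabled ? strip_magic_quotes_deep($input) : $input;
}

// Constructed stand-in for $_POST as PHP hands it over with magic_quotes_gpc=On;
// the user actually typed  O'Reilly  and  <b>"hi"</b>
$post = array(
    'name'    => "O\\'Reilly",
    'comment' => array('body' => "<b>\\\"hi\\\"</b>"),
);
$clean = remove_magic_quotes($post, true);   // forced on: the sample is pre-slashed

// Database input: bind a parameter instead of relying on slashes for escaping.
$db = new PDO('sqlite::memory:');
$db->exec('CREATE TABLE users (name TEXT)');
$stmt = $db->prepare('INSERT INTO users (name) VALUES (:name)');
$stmt->execute(array(':name' => $clean['name']));   // stores O'Reilly unmangled

// Browser output: escape at the point of output (htmlentities() from the
// thread works too); never rely on stored slashes for this.
echo '<input type="text" value="'
    . htmlspecialchars($clean['name'], ENT_QUOTES, 'UTF-8') . '">', "\n";
echo '<textarea>'
    . htmlspecialchars($clean['comment']['body'], ENT_QUOTES, 'UTF-8') . '</textarea>', "\n";
```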