Posted by Colin McKinnon on 03/29/07 21:59
shimmyshack wrote:
> On 29 Mar, 20:48, "Laiverd.COM" <share_your_knowle...@someserver.nl>
> wrote:
>> have used get_magic_quotes_gpc(); to turn it off,
You can't turn off magic quotes - you can try setting it false, but if it has
been set anywhere, it stays set - this is a big part of why most people
hate it.
>>
>> This is what i have
>> THE FORM PART
>> <input name='city' type='text' value='".$_POST['city']."' class='big' />
>>
<snip>
So if $_POST['city'] contains Brig O' Doon (and magic quotes is off) then
that line will read
<input name='city' type='text' value='Brig O' Doon' class='big' />
a safer bet would be:
<input name='city' type='text' value='".htmlentities($_POST['city'], ENT_QUOTES)."' class='big' />
As to what happens with magic quotes - I don't know. Try viewing the source
code of your page and checking the traffic with tamperdata or
ieHTTPHeaders.
The regexp looks OK, but a more elegant solution than disallowing certain
characters is to accommodate them safely.
You might want to look at the OWASP toolkit too.
HTH
C.
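The following is an added example, not code from the original post, that puts the three variants side by side on the "Brig O' Doon" input above plus one constructed attribute-breaking value: the raw concatenation, htmlentities() with ENT_COMPAT (the default of PHP versions of that era, which converts " but not '), and htmlentities() with ENT_QUOTES. It also undoes magic_quotes_gpc's backslashes when that setting is on; the function_exists() guard is needed because get_magic_quotes_gpc() was removed in PHP 8. The sample inputs and the helper names are assumptions made for this example.

```php
<?php
// Added example (not from the original post): compare three ways of
// emitting $_POST['city'] into a single-quoted value='' attribute.
// Inputs are constructed below so the script runs without a form.

// Undo the backslashes magic_quotes_gpc adds to GPC input, if it is on.
// get_magic_quotes_gpc() no longer exists in PHP 8, hence the guard.
function raw_input($value) {
    if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
        return stripslashes($value);
    }
    return $value;
}

// The line from the original post: the value is concatenated in verbatim,
// so a single quote in the input terminates the attribute early.
function render_unescaped($city) {
    return "<input name='city' type='text' value='" . $city . "' class='big' />";
}

// ENT_COMPAT (the historical default, up to PHP 8.0) converts double quotes
// only, so inside a single-quoted attribute the value can still break out.
function render_ent_compat($city) {
    return "<input name='city' type='text' value='"
        . htmlentities($city, ENT_COMPAT, 'UTF-8') . "' class='big' />";
}

// ENT_QUOTES converts both quote styles; the explicit charset avoids
// depending on a default that changed between PHP versions.
function render_ent_quotes($city) {
    return "<input name='city' type='text' value='"
        . htmlentities($city, ENT_QUOTES, 'UTF-8') . "' class='big' />";
}

// Constructed sample inputs: the post's own city name, and a hypothetical
// value that closes the attribute and appends an event handler.
$samples = array(
    "Brig O' Doon",
    "x' onfocus='alert(1)",
);

foreach ($samples as $posted) {
    $city = raw_input($posted);
    echo "input: " . $posted . "\n";
    echo "  unescaped:   " . render_unescaped($city) . "\n";
    echo "  ENT_COMPAT:  " . render_ent_compat($city) . "\n";
    echo "  ENT_QUOTES:  " . render_ent_quotes($city) . "\n";
}
```

Run it with `php example.php`; only the ENT_QUOTES output keeps the whole value inside the attribute for both inputs, which is the "accommodate them safely" approach rather than a character blacklist.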