Posted by shimmyshack on 03/29/07 22:27
On 29 Mar, 22:59, Colin McKinnon
<colin.thisisnotmysurn...@ntlworld.deletemeunlessURaBot.com> wrote:
> shimmyshack wrote:
> > On 29 Mar, 20:48, "Laiverd.COM" <share_your_knowle...@someserver.nl>
> > wrote:
> >> have used get_magic_quotes_gpc(); to turn it off,
>
> You can't turn off magic quotes - you can try setting it false but if it has
> been set anywhere, it stays set - this is a big part of why most people
> hate it.
>
> >> This is what i have
> >> THE FORM PART
> >> <input name='city' type='text' value='".$_POST['city']."' class='big' />
>
> <snip>
>
> So if $_POST['city'] contains Brig O' Doon (and magic quotes is off) then
> that line will read
> <input name='city' type='text' value='Brig O' Doon' class='big' />
> a safer bet would be:
>
> <input name='city' type='text' value='".htmlentities($_POST['city'])."'
> class='big' />
>
> As to what happens with magic quotes - I don't know. Try viewing the source
> code of your page and checking the traffic with tamperdata or
> ieHTTPHeaders.
>
> The regexp looks OK but a more elegant solution than disallowing certain
> characters is to accommodate them safely.
>
> You might want to look at the OWASP toolkit too.
>
> HTH
>
> C.
Well done Colin, I didn't spot that, I looked but was fooled by the "
around the $_POST['city'] - that of course is it, simple as that.
[provided he does indeed get nothing only when the city is prepended
by an apostrophe] I couldn't be bothered to open with "be more secure"
because I hadn't seen the rest of his code. I wouldn't be at all
surprised if there's no filtering before the db, or any of the
other fields. After a while you just get tired of beating the security
drum - it makes you look like a one trick pony!
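As an added illustration of the point Colin makes (this is not code from the thread), here is a small PHP script that renders the same field with and without escaping; the function name `render_city_field` and the sample input are assumptions, and the constructed input is the thread's own "Brig O' Doon":

```php
<?php
// Added example, not from the original thread: render the city field as the
// poster's form does, with and without escaping, so the effect of an
// apostrophe in the submitted value can be seen directly.
function render_city_field(string $city, bool $escape): string
{
    if ($escape) {
        // ENT_QUOTES matters here because the attribute is single-quoted:
        // before PHP 8.1 htmlentities() defaulted to ENT_COMPAT, which
        // converts double quotes only and leaves ' untouched, so the
        // attribute would still terminate early. ENT_SUBSTITUTE replaces
        // invalid UTF-8 instead of returning an empty string.
        $city = htmlentities($city, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
    // Same markup as in the thread: a single-quoted value attribute.
    return "<input name='city' type='text' value='" . $city . "' class='big' />";
}

// Returns true when the rendered attribute still contains a raw single
// quote inside the value, i.e. the markup is broken (or injectable).
function value_attribute_broken(string $city): bool
{
    $html = render_city_field($city, false);
    $inner = substr($html, strlen("<input name='city' type='text' value='"));
    $inner = substr($inner, 0, -strlen("' class='big' />"));
    return strpos($inner, "'") !== false;
}

$sample = "Brig O' Doon"; // constructed sample input from the thread
echo render_city_field($sample, false), PHP_EOL; // unescaped: attribute ends at O'
echo render_city_field($sample, true), PHP_EOL;  // escaped: apostrophe encoded
echo value_attribute_broken($sample) ? "unescaped markup is broken" : "ok", PHP_EOL;
```

The same escaping applies to every echoed field, not just city; a value that breaks the attribute by accident is the same mechanism an attacker uses to inject markup on purpose.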