Posted by shimmyshack on 03/30/07 14:51

On 30 Mar, 12:37, "Laiverd.COM" <share_your_knowle...@someserver.nl>
wrote:
> Thanks for the input guys. There's more fields to check, but didn't want to
> bother you with all of them as the problem occurs in any field whenever a
> single quote is part of the string. For now I merely have a problem getting
> data back into the field after validation as soon as a quote is part of the
> data.
> I'm talking merely validation here and not (yet) about filtering before
> entering the data into a db. I am aware of security issues here (as far as I
> can be, being only a beginner in PHP), but would welcome any tips in this
> area (got a 300 page book here on the matter but haven't found time yet to
> dive into it). I can imagine you guys getting tired at times of beating the
> security drum; know that I am aware, and will do the best I can ;) In the
> meantime ... just keep breathing ;)
>
> Thanks for your input.
>
> Cheers,
> John
>
> "shimmyshack" <matt.fa...@gmail.com> wrote in message
>
> news:1175207250.550677.271870@r56g2000hsd.googlegroups.com...
>
> > On 29 Mar, 22:59, Colin McKinnon
> > <colin.thisisnotmysurn...@ntlworld.deletemeunlessURaBot.com> wrote:
> >> shimmyshack wrote:
> >> > On 29 Mar, 20:48, "Laiverd.COM" <share_your_knowle...@someserver.nl>
> >> > wrote:
> >> >> have used get_magic_quotes_gpc(); to turn it of,
>
> >> You can't turn off magic quotes - you can try setting it false but if it has
> >> been set anywhere, it stays set - this is a big part of why most people
> >> hate it.
>
> >> >> This is what i have
> >> >> THE FORM PART
> >> >> <input name='city' type='text' value='".$_POST['city']."' class='big'
> >> >> />
>
> >> <snip>
>
> >> So if $_POST['city'] contains Brig O' Doon (and magic quotes is off) then
> >> that line will read
> >> <input name='city' type='text' value='Brig O' Doon' class='big' />
> >> a safer bet would be:
>
> >> <input name='city' type='text' value='".htmlentities($_POST['city'])."'
> >> class='big' />
>
> >> As to what happens with magic quotes - I don't know. Try viewing the
> >> source
> >> code of your page and checking the traffic with tamperdata or
> >> ieHTTPHeaders.
>
> >> The regexp looks OK but a more elegant solution than disallowing certain
> >> characters is to accommodate them safely.
>
> >> You might want to look at the OWASP toolkit too.
>
> >> HTH
>
> >> C.
>
> > well done Colin, I didn't spot that, I looked but was fooled by the "
> > around the $_POST['city'] - that of course is it, simple as that.
> > [provided he does indeed get nothing only when the city is prepended
> > by an apostrophe] I couldn't be bothered to open with "be more secure"
> > because I hadn't seen the rest of his code. I wouldn't be at all
> > surprised if there's no filtering before the db, or any of the
> > other fields. After a while you just get tired of beating the security
> > drum - it makes you look like a one trick pony!

The easiest way to persist data (so it's there when the user goes back
to the form, or navigates to another similar form where they might be
asked to input a subset of the same info) is to use a session. Once
the validation has worked out you set a session variable.

You might even get the function to write the input for you, and use a
loop, anyway. Stop using single quotes (although valid markup) for
your inputs, and stop using double quotes - which make PHP work harder
than it has to (unless you are writing this kind of thing "hello, I
live in $city") - and things will work just fine.

The reason you have probably not hit the eureka moment is because your
single quotes are untouched by htmlentities, unless you read the
manual and include the last optional argument.

So, cos I feel sorry that you have suffered so long with this, here is a
simple script to show you how it fits together. The moral, though, is:
read the manual for the functions people are telling you to use.

<?php

function returnSessionValue( $strSessionVarName )
{
    // only return a value that exists and is non-empty; ENT_QUOTES makes
    // htmlentities encode single quotes as well as double quotes
    return ( isset( $_SESSION[$strSessionVarName] ) &&
             $_SESSION[$strSessionVarName] !== '' ) ?
        htmlentities( $_SESSION[$strSessionVarName], ENT_QUOTES ) : '';
}

//this goes before any output gets sent to the browser (cos it's a header)
session_start();

//set city to some annoying place - sorry inhabitants of said city
$_SESSION['city'] = "Q'uote'City";

//set the form to empty string to start
$htmlForm = '';

//the markup (using single quotes and double quotes in the reverse order to you)
$htmlForm .= '<form method="post">';
$htmlForm .= '<input type="text" name="city" value="' .
             returnSessionValue( 'city' ) . '" />';
$htmlForm .= '<input type="submit" value="submit"/>';
$htmlForm .= '</form>';

//output form to browser
echo $htmlForm;

//only display value of post if there is one, else some nothingy string
echo '<hr>city: ', ( ( isset( $_POST['city'] ) && $_POST['city'] != '' ) ?
    htmlentities( $_POST['city'], ENT_QUOTES ) : 'form data not posted yet' );

?>
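An added example, not from shimmyshack's post or anyone else in the thread, that makes the ENT_QUOTES point concrete: it renders the same input with the original single-quoted attribute and with a double-quoted one, under ENT_COMPAT (double quote only, the pre-8.1 default) and under ENT_QUOTES, and reports which combinations leave the attribute delimiter unencoded. The sample value is Colin's "Brig O' Doon"; the function names are mine, and it assumes PHP 7.1 or later.

```php
<?php
// Added example, not part of the original thread. Shows why the poster's
// apostrophes survived htmlentities(): without ENT_QUOTES only the double
// quote is encoded, so a single-quoted value='...' attribute ends early.

// Build the <input> with the chosen attribute delimiter and escaping flags.
function renderCityInput(string $value, string $delim, int $flags): string
{
    $escaped = htmlentities($value, $flags, 'UTF-8');
    return '<input type="text" name="city" value=' . $delim . $escaped . $delim . ' />';
}

// True when the escaped value still contains the character that delimits
// the attribute, i.e. the markup is broken for that delimiter.
function attributeBroken(string $value, string $delim, int $flags): bool
{
    return strpos(htmlentities($value, $flags, 'UTF-8'), $delim) !== false;
}

// Constructed sample input: the value Colin used in the quoted reply.
$city = "Brig O' Doon";

$cases = [
    // ENT_COMPAT encodes only "; it was the default flag before PHP 8.1.
    ['single-quoted attribute, ENT_COMPAT', "'", ENT_COMPAT],
    // ENT_QUOTES encodes both ' and ", so either delimiter is safe.
    ['single-quoted attribute, ENT_QUOTES', "'", ENT_QUOTES],
    ['double-quoted attribute, ENT_QUOTES', '"', ENT_QUOTES],
];

foreach ($cases as [$label, $delim, $flags]) {
    $status = attributeBroken($city, $delim, $flags) ? 'BROKEN' : 'ok';
    echo str_pad($label, 40), $status, "\n";
    echo renderCityInput($city, $delim, $flags), "\n\n";
}

// Round trip: the browser decodes the entity when it parses the attribute,
// so the user sees exactly what they typed, apostrophe included, with no
// characters stripped or disallowed.
$roundTrip = html_entity_decode(htmlentities($city, ENT_QUOTES, 'UTF-8'), ENT_QUOTES, 'UTF-8');
echo $roundTrip === $city ? "round trip preserved the apostrophe\n"
                          : "round trip changed the value\n";
```

Run it from the command line with php; only the ENT_COMPAT case with a single-quoted attribute reports BROKEN.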
