Posted by Laiverd.COM on 03/30/07 15:24
Tnx shimmyshack; your input is really appreciated.
"shimmyshack" <matt.farey@gmail.com> wrote in message
> On 30 Mar, 12:37, "Laiverd.COM" <share_your_knowle...@someserver.nl>
> wrote:
>> Thanks for the input guys. There's more fields to check, but didn't want
>> to bother you with all of them as the problem occurs in any field whenever
>> a single quote is part of the string. For now I merely have a problem
>> getting data back into the field after validation as soon as a quote is
>> part of the data.
>> I'm talking merely validation here and not (yet) about filtering before
>> entering the data into a db. I am aware of security issues here (as far
>> as I can be, being only a beginner in PHP), but would welcome any tips in
>> this area (got a 300 page book here on the matter but haven't found time
>> yet to dive into it). I can imagine you guys getting tired at times of
>> beating the security drum; know that I am aware, and will do the best I
>> can ;) In the meantime ... just keep breathing ;)
>> Thanks for your input.
>> Cheers,
>> John
>> "shimmyshack" <matt.fa...@gmail.com> wrote in message
>> news:1175207250.550677.271870@r56g2000hsd.googlegroups.com...
>> > On 29 Mar, 22:59, Colin McKinnon
>> > <colin.thisisnotmysurn...@ntlworld.deletemeunlessURaBot.com> wrote:
>> >> shimmyshack wrote:
>> >> > On 29 Mar, 20:48, "Laiverd.COM" <share_your_knowle...@someserver.nl>
>> >> > wrote:
>> >> >> have used get_magic_quotes_gpc(); to turn it off,
>> >> You can't turn off magic quotes - you can try setting it false but if
>> >> it has been set anywhere, it stays set - this is a big part of why most
>> >> people hate it.
>> >> >> This is what i have
>> >> >> THE FORM PART
>> >> >> <input name='city' type='text' value='".$_POST['city']."' class='big' />
>> >> <snip>
>> >> So if $_POST['city'] contains Brig O' Doon (and magic quotes is off)
>> >> then that line will read
>> >> <input name='city' type='text' value='Brig O' Doon' class='big' />
>> >> a safer bet would be:
>> >> <input name='city' type='text' value='".htmlentities($_POST['city'])."' class='big' />
>> >> As to what happens with magic quotes - I don't know. Try viewing the
>> >> source code of your page and checking the traffic with tamperdata or
>> >> ieHTTPHeaders.
>> >> The regexp looks OK but a more elegant solution than disallowing
>> >> certain characters is to accommodate them safely.
>> >> You might want to look at the OWASP toolkit too.
>> >> HTH
>> >> C.
>> > well done Colin, I didn't spot that, I looked but was fooled by the "
>> > around the $_POST['city'] - that of course is it, simple as that.
>> > [provided he does indeed get nothing only when the city is prepended
>> > by an apostrophe] I couldn't be bothered to open with "be more secure"
>> > because I hadn't seen the rest of his code. I wouldn't be at all
>> > surprised if there's no filtering before the db, or any of the
>> > other fields. After a while you just get tired of beating the security
>> > drum - it makes you look like a one trick pony!
> The easiest way to persist data (so it's there when the user goes back
> to the form, or navigates to another similar form where they might be
> asked to input a subset of the same info) is to use a session. Once
> the validation has worked out you set a session variable.
> You might even get the function to write the input for you, and use a
> loop, anyway. Stop using single quotes (although valid markup) for
> your inputs, and stop using double quotes - which make php work harder
> than it has to (unless you are writing this kind of thing "hello, I
> live in $city") and things will work just fine.
> The reason you have probably not hit the eureka moment is because your
> single quotes are untouched by htmlentities, unless you read the
> manual and include the last optional argument.
> So cos I feel sorry that you have suffered so long with this, here is a
> simple script to show you how it fits together. The moral is though:
> read the manual for the functions people are telling you to use.
> <?php
> function returnSessionValue( $strSessionVarName )
> {
>     return ( isset( $_SESSION[$strSessionVarName] ) &&
>              $_SESSION[$strSessionVarName] !== '' ) ?
>            htmlentities( $_SESSION[$strSessionVarName], ENT_QUOTES ) : '';
> }
> //this goes before any output gets sent to browser (cos its a header)
> session_start();
> //set city to some annoying place - sorry inhabitants of said city
> $_SESSION['city'] = "Q'uote'City";
> //set the form to empty string to start
> $htmlForm = '';
> //the markup (using single quotes and double quotes in the reverse order to you)
> $htmlForm .= '<form method="post">';
> $htmlForm .= '<input type="text" name="city" value="' .
>              returnSessionValue( 'city' ) . '" />';
> $htmlForm .= '<input type="submit" value="submit"/>';
> $htmlForm .= '</form>';
> //output form to browser
> echo $htmlForm;
> //only display value of post if there is one, else some nothingy string
> echo '<hr>city: ', (( isset($_POST['city']) && $_POST['city'] != '' ) ?
>      htmlentities($_POST['city'], ENT_QUOTES) : 'form data not posted yet');
> ?>
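An added example (not from anyone in this thread) that puts the three attribute-rendering variants discussed above side by side: the raw interpolation from the original form, Colin's htmlentities() suggestion, and shimmyshack's ENT_QUOTES fix. The city value is constructed from Colin's example; attrValueIsContained() is a hypothetical helper written for this demonstration.

```php
<?php
// Constructed sample input, taken from Colin's example in the thread.
$city = "Brig O' Doon";

// 1. Raw interpolation: the apostrophe closes the single-quoted attribute
//    early, so the browser sees value='Brig O' and the rest becomes stray
//    attribute text. Any input that can close the attribute can also add
//    attributes, so this is an XSS sink as well as a display bug.
$raw = "<input name='city' type='text' value='" . $city . "' />";

// 2. htmlentities() with the ENT_COMPAT flag: double quotes are encoded,
//    single quotes are left untouched, so a single-quoted attribute is still
//    broken. ENT_COMPAT is passed explicitly because it was the default before
//    PHP 8.1; from 8.1 on the default already includes ENT_QUOTES.
$compat = "<input name='city' type='text' value='"
        . htmlentities($city, ENT_COMPAT, 'UTF-8') . "' />";

// 3. ENT_QUOTES encodes both ' (as &#039;) and " (as &quot;), so the value
//    stays inside the attribute whichever quoting style the markup uses.
$quoted = "<input name='city' type='text' value='"
        . htmlentities($city, ENT_QUOTES, 'UTF-8') . "' />";

// Hypothetical check: an encoded value is safely contained in an attribute
// only if the attribute's own delimiter no longer appears inside it.
function attrValueIsContained(string $encoded, string $delimiter): bool
{
    return strpos($encoded, $delimiter) === false;
}

echo "raw:        $raw\n";
echo "ENT_COMPAT: $compat\n";
echo "ENT_QUOTES: $quoted\n";

// Single-quoted attribute: only the ENT_QUOTES version passes the check.
var_dump(attrValueIsContained(htmlentities($city, ENT_COMPAT, 'UTF-8'), "'"));
var_dump(attrValueIsContained(htmlentities($city, ENT_QUOTES, 'UTF-8'), "'"));

// Double-quoted attribute with a constructed value containing a double quote:
// both flag sets pass, which is why shimmyshack's double-quoted markup
// "worked" even before the ENT_QUOTES fix was applied to the form value.
$other = 'Say "hi"';
var_dump(attrValueIsContained(htmlentities($other, ENT_COMPAT, 'UTF-8'), '"'));
var_dump(attrValueIsContained(htmlentities($other, ENT_QUOTES, 'UTF-8'), '"'));
```

Run it from the command line with `php` to compare the three rendered tags; the encoding flag, not the quoting style, is what determines whether the value can break out of the attribute.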