PHP Problem - What's happening?

[mm6_James]

Hi guys,

I've setup a test form to show what I'm talking about

=> http://ausgamingnetwork.com/testf.php

Type in the field anything with quotes i.e

"test"

-> My question is;

Why is it removing the content and not putting a \ in like is echoed from the print_r statement? The html code is causing this issue because " " is breaking the input tags. Shouldn't this be getting excluded?

Any help please?

The code is:

PHP Code:

<?php
$sent = $_POST["submit"];
$chkAccept = $_POST["chkAccept"];
$name = $_POST['name'];

if($sent){ if($chkAccept) { print_r($_POST); }}
?>
<form method="POST" action="testf.php">
Name Field: <input type="text" id="name" name="name" size="39" value="<?php echo $name;?>"> <br /> <br />
Show Print_R Stack: <input type="checkbox" id="chkAccept" name="chkAccept" value="1" checked> <br /> <br />
<input type="submit" value="Submit" name="submit">
<input type="reset" value="Reset" name="reset"></p> <br />
<?php echo $name; ?>
</form>

Also PHP INFO dump: http://ausgamingnetwork.com/info.php

Thanks guys,

[FreedomBI]

1) You are not sanitizing your user input at all.
2) You have magic_quotes_gpc on. While this protects against some forms of failing to sanitize your user input, it also leads to poor programming practices, such as not sanitizing your user input.
3) You are not sanitizing your user input at all.

If you look at the resultant HTML source, you will see exactly what the problem is.

However, before writing any more php code, I strongly suggest you read all of http://www.php.net/manual/en/security.php

[mm6_James]

Hi,

It's a basic example normally I would addslashes() and stripslashes() but on my previous setup this was never an issue - I'm trying to workout as to why its happening?

Even when I add slashes is still occurs? Could you perhaps show me some sample code that resolves this issue?

Thanks

[mm6_James]

Anybody know ?

[ckh]

Are you using stripslashes in the file? If not, add it and the problem will go away.

If you look at the source you will see:

Code:

Name Field: <input type="text" id="name" name="name" size="39" value="\"test\"">

It's only filling in the box with the \ as that is what is surrounded by the quotes and ignoring what is everything after the second quote.

[mm6_James]

I've done that and it does this now:-

PHP Code:

Name Field: <input type="text" id="name" name="name" size="39" value=""test""> <br /> <br /> 


Should I be stripping the quotes? Shouldn't the quotes turn into " so that this is resolved?

Please advise - thanks

[mm6_James]

Okay I've written up this to deal with < > and ".

PHP Code:

<?php
function smart_quotes($text) {
$text = addslashes($text);
$text = str_replace("\"","&quot;",$text);
$text = str_replace("<","&lt;",$text);
$text = str_replace(">","&gt;",$text);
$text = stripslashes($text);
return $text;
}
?>

I will use mysql_escape_string etc for MySQL queries, but is there anything eles I have to consider for form data other than that for injection? Or does that cover it.

Thanks

[cpanelkenneth]

Okay I've written up this to deal with < > and ".

PHP Code:

<?php
function smart_quotes($text) {
$text = addslashes($text);
$text = str_replace("\"","&quot;",$text);
$text = str_replace("<","&lt;",$text);
$text = str_replace(">","&gt;",$text);
$text = stripslashes($text);
return $text;
}
?>

I will use mysql_escape_string etc for MySQL queries, but is there anything eles I have to consider for form data other than that for injection? Or does that cover it.

Thanks

You should use mysql_real_escape_string()