The Community Forums

Interact with an entire community of cPanel & WHM users!
  1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.

PHP Problem - What's happening?

Discussion in 'General Discussion' started by mm6_James, Jul 18, 2008.

  1. mm6_James

    mm6_James Member

    Joined:
    May 29, 2003
    Messages:
    6
    Likes Received:
    0
    Trophy Points:
    1
    Hi guys,

    I've setup a test form to show what I'm talking about

    => http://ausgamingnetwork.com/testf.php

    Type in the field anything with quotes i.e

    "test"

    -> My question is;

    Why is it removing the content and not putting a \ in like is echoed from the print_r statement? The html code is causing this issue because " " is breaking the input tags. Shouldn't this be getting excluded?

    Any help please?

    The code is:

    PHP:
    <?php
    $sent 
    $_POST["submit"];
    $chkAccept $_POST["chkAccept"];
    $name $_POST['name'];

    if(
    $sent){ if($chkAccept) { print_r($_POST); }}
    ?>
    <form method="POST" action="testf.php">
    Name Field: <input type="text" id="name" name="name" size="39" value="<?php echo $name;?>"> <br /> <br />
    Show Print_R Stack: <input type="checkbox" id="chkAccept" name="chkAccept" value="1" checked> <br /> <br />
    <input type="submit" value="Submit" name="submit">
    <input type="reset" value="Reset" name="reset"></p> <br />
    <?php echo $name?>
    </form>


    Also PHP INFO dump: http://ausgamingnetwork.com/info.php

    Thanks guys,
     
    #1 mm6_James, Jul 18, 2008
    Last edited: Jul 18, 2008
  2. FreedomBI

    FreedomBI Well-Known Member

    Joined:
    Jul 7, 2008
    Messages:
    65
    Likes Received:
    0
    Trophy Points:
    6
    1) You are not sanitizing your user input at all.
    2) You have magic_quotes_gpc on. While this protects against some forms of failing to sanitize your user input, it also leads to poor programming practices, such as not sanitizing your user input.
    3) You are not sanitizing your user input at all.

    If you look at the resultant HTML source, you will see exactly what the problem is.

    However, before writing any more php code, I strongly suggest you read all of http://www.php.net/manual/en/security.php
     
  3. mm6_James

    mm6_James Member

    Joined:
    May 29, 2003
    Messages:
    6
    Likes Received:
    0
    Trophy Points:
    1
    Hi,

    It's a basic example normally I would addslashes() and stripslashes() but on my previous setup this was never an issue - I'm trying to workout as to why its happening?

    Even when I add slashes is still occurs? Could you perhaps show me some sample code that resolves this issue?

    Thanks
     
  4. mm6_James

    mm6_James Member

    Joined:
    May 29, 2003
    Messages:
    6
    Likes Received:
    0
    Trophy Points:
    1
    Anybody know ?
     
  5. ckh

    ckh Well-Known Member

    Joined:
    Dec 6, 2003
    Messages:
    356
    Likes Received:
    1
    Trophy Points:
    18
    Location:
    Phoenix, AZ
    cPanel Access Level:
    DataCenter Provider
    Are you using stripslashes in the file? If not, add it and the problem will go away.

    If you look at the source you will see:

    Code:
    Name Field: <input type="text" id="name" name="name" size="39" value="\"test\"">
    It's only filling in the box with the \ as that is what is surrounded by the quotes and ignoring what is everything after the second quote.
     
  6. mm6_James

    mm6_James Member

    Joined:
    May 29, 2003
    Messages:
    6
    Likes Received:
    0
    Trophy Points:
    1
    I've done that and it does this now:-


    PHP:
    Name Field: <input type="text" id="name" name="name" size="39" value=""test""> <br /> <br />
    Should I be stripping the quotes? Shouldn't the quotes turn into &quot; so that this is resolved?

    Please advise - thanks
     
  7. mm6_James

    mm6_James Member

    Joined:
    May 29, 2003
    Messages:
    6
    Likes Received:
    0
    Trophy Points:
    1
    Okay I've written up this to deal with < > and ".

    PHP:
    <?php
    function smart_quotes($text) {
    $text addslashes($text);
    $text str_replace("\"","&quot;",$text);
    $text str_replace("<","&lt;",$text);
    $text str_replace(">","&gt;",$text);
    $text stripslashes($text);
    return 
    $text;
    }
    ?>
    I will use mysql_escape_string etc for MySQL queries, but is there anything eles I have to consider for form data other than that for injection? Or does that cover it.

    Thanks
     
  8. cPanelKenneth

    cPanelKenneth cPanel Development
    Staff Member

    Joined:
    Apr 7, 2006
    Messages:
    4,460
    Likes Received:
    22
    Trophy Points:
    38
    cPanel Access Level:
    Root Administrator
    You should use mysql_real_escape_string()
     
Loading...

Share This Page