Home » Imported messages » comp.lang.php » Sanitizing user input
Re: Sanitizing user input [message #169845 is a reply to message #169749] Tue, 28 September 2010 10:11
Web Dreamer
MikeB wrote on Friday 24 September 2010 17:24 in <4c9cc294$1@news.x-privat.org>:

> My book has the sample as:
>
> if (get_magic_quotes_gpc()($string=stripslashes($string));
>
> copied from text, so there may be a typo. :)

Yep, it should be:

if (get_magic_quotes_gpc()) $string=stripslashes($string);
Or to make it clearer:

if (get_magic_quotes_gpc())
{
$string=stripslashes($string);
}

> That should be fine, right?

Yep, the above executes "$string=stripslashes($string);" only if
magic_quotes_gpc is activated ("if (get_magic_quotes_gpc())" test),
otherwise it does nothing.

You should define this in a file to include in each script that handles
user input:

<?php
function handlemagicquotes($string)
{
    // Only strip backslashes if magic_quotes_gpc added them in the first place.
    if (get_magic_quotes_gpc())
    {
        $string = stripslashes($string);
    }
    return $string;
}
?>

Then use in your scripts:
$UserData = handlemagicquotes($_POST['UserData']);

And the script will work whatever the state of magic quotes on the
server.

Instead of the above, you can even have this in an included file:
<?php
function RemoveGPSlashes($CanBeAnArrayOrString)
{
    if (is_array($CanBeAnArrayOrString))
    {
        // Call ourselves recursively on every element (nested arrays included):
        return array_map('RemoveGPSlashes', $CanBeAnArrayOrString);
    }
    elseif (is_string($CanBeAnArrayOrString))
    {
        return stripslashes($CanBeAnArrayOrString);
    }
    // Anything else (e.g. an integer) is returned unchanged.
    return $CanBeAnArrayOrString;
}

if (get_magic_quotes_gpc()) {
    $_GET = RemoveGPSlashes($_GET);
    $_POST = RemoveGPSlashes($_POST);
}
?>

If you include the above in all scripts handling GET or POST data, the $_GET
and $_POST arrays will automatically have their slashes stripped off.

>> htmlentities() sanitizes data that's used for HTML output.
>
> This one is good to prevent cross scripting exploits, I believe.

Righto

>> And then, there are urlencode() and rawurlencode() to sanitize data,
>> that's used as part of URLs, that appear in the output.
>
> That one I've not come across yet, I can guess what it does, but I'll
> look into it a bit more.

<?php
$login = "Jon@Doe.com";
$password = 'A@wFul;password"!/%<>';
// Percent-encode each value before placing it in the URL's userinfo part.
$urllogin = rawurlencode($login);
$urlpasswd = rawurlencode($password);
$url = sprintf("https://%s:%s@personal_server.com", $urllogin, $urlpasswd);
?>
<!-- Escape again for the HTML attribute context. -->
<a href="<?php echo htmlspecialchars($url); ?>">Your Personal access</a>

Without rawurlencode() the link will not work (or risk unexpected
behaviour).

However, it is never recommended to send a login and password in a URL; this is
only to show an example.


--
Web Dreamer
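The two pieces of the post above, the recursive magic-quotes cleanup and the rawurlencode()/htmlspecialchars() link, combined into one stand-alone PHP script. This is an added example, not code from the original post. It goes slightly beyond the post in two ways: the get_magic_quotes_gpc() call is guarded with function_exists(), because the function was deprecated in PHP 7.4 and removed in 8.0, and $_COOKIE is cleaned as well, since magic_quotes_gpc quotes cookies too. The host name, login and password are constructed sample values.

```php
<?php
// Added example (not from the original post): undo magic_quotes_gpc safely on
// any PHP version, then build a link from untrusted values using the right
// encoder for each context (URL component, then HTML attribute).
declare(strict_types=1);

/**
 * Recursively strip the backslashes magic_quotes_gpc added to request data.
 * Values that are neither strings nor arrays are returned unchanged.
 */
function stripMagicQuotesDeep($value)
{
    if (is_array($value)) {
        return array_map('stripMagicQuotesDeep', $value);
    }
    return is_string($value) ? stripslashes($value) : $value;
}

/**
 * True only when the interpreter still has get_magic_quotes_gpc() and it
 * reports the feature as on (PHP < 5.4). The '@' silences the deprecation
 * notice PHP 7.4 emits for the call.
 */
function magicQuotesActive(): bool
{
    return function_exists('get_magic_quotes_gpc') && @get_magic_quotes_gpc();
}

if (magicQuotesActive()) {
    // "GPC" = GET, POST and COOKIE: all three are quoted by the feature.
    $_GET    = stripMagicQuotesDeep($_GET);
    $_POST   = stripMagicQuotesDeep($_POST);
    $_COOKIE = stripMagicQuotesDeep($_COOKIE);
}

/**
 * Build an https URL whose userinfo part comes from untrusted input.
 * rawurlencode() percent-encodes every reserved character (':', '@', '/',
 * '?', '#', ...), so the values cannot terminate the userinfo component early.
 */
function buildUserInfoUrl(string $host, string $login, string $password): string
{
    return sprintf('https://%s:%s@%s/', rawurlencode($login), rawurlencode($password), $host);
}

/**
 * Escape a value for an HTML attribute. ENT_QUOTES handles both quote
 * styles; the charset is given explicitly instead of relying on the default.
 */
function htmlAttr(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES, 'UTF-8');
}

// --- demonstration on constructed input ----------------------------------
$login    = 'Jon@Doe.com';              // '@' must not be left raw in userinfo
$password = 'A@wFul;password"!/%<>';    // contains '/', '%', '"', '<' and '>'

$url = buildUserInfoUrl('personal_server.example', $login, $password);
echo $url, "\n";
echo '<a href="', htmlAttr($url), '">Your Personal access</a>', "\n";

// urlencode() vs rawurlencode(): only the latter is RFC 3986 encoding.
// urlencode() writes a space as '+', which is a literal plus sign anywhere
// outside an application/x-www-form-urlencoded query string.
echo urlencode('a b+c'), "\n";
echo rawurlencode('a b+c'), "\n";
```

Run it from the command line with `php example.php`. The first line printed shows the '@' in the login turned into `%40`, so the host that follows the real '@' is unambiguous; the last two lines show the single difference between the two encoders (space becomes `+` with urlencode() and `%20` with rawurlencode()), which is why rawurlencode() is the one to use for path and userinfo components.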