Removing \ from PHP in an HTML page?

OK, i've done a lot myself now but this has me stuck.

I have a news management page which shows you all the news articles in the news database and has the option to edit or delete them

However, if I choose to edit an item, it takes me to the edit page and everything appears as it should.

But, if I add anything to it with a ' in (i.e. i'm sure it's ok), OR there is a hyperlink in the text body i.e.

Code:
<a href="test.php">test</a>

as soon as you press update to save the edit this happens

(i\'m sure it\'s ok)

and

Code:
<a href="\test.php\">test</a>

I hope that's clear enough to show what's happening.

How do I solve this? I looked up http://uk3.php.net/strip_tags but their example seems to be associated with constant inserted text.
 
This is a problem when Magic_Quotes is switched on. When something is POSTed, it automatically escapes quotes, which as you can see is bloody annoying. As psyr33n says, using stripslashes() on the string should sort it out :)
 
You can't turn magic quotes off as the processing is done before the script is executed. You can, however, detect whether it's on or not and act accordingly:

Code:
function strip_magic_quotes($input)
{
	if (is_array($input))
	{
		foreach ($input as $key => $value)
		{
			$input[$key] = strip_magic_quotes($value);
		}
		
		return $input;
	}
	else
	{
		return stripslashes($input);
	}
}

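// get_magic_quotes_gpc() was removed in PHP 8.0, so check that it exists before calling it.
if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc())
{
	// Undo the automatic escaping on every request superglobal.
	$_POST = strip_magic_quotes($_POST);
	$_GET = strip_magic_quotes($_GET);
	$_COOKIE = strip_magic_quotes($_COOKIE);
}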
 
I would advise to use the stripslashes(); function over turning magic quotes off, due to the fact magic quotes is used to stop people executing SQL commands which they place in forms which will be added to a database. You may want to read up on it, but i'm sure you are all aware that there are other ways of getting around the SQL issue without magic quotes.

If you decide to keep magic quotes on, i would advise that you keep the slashes even in the database itself, then stripslashes when that information is called and displayed.
 
OK, so we apply the stripslashes to a query string? Anything that displays the information retrieved from the database?

So for this (for example)
Code:
<?php

mysql_connect('localhost', 'root', 'pass');
mysql_select_db('mark1e_dmd');


$id = $_POST['id'];


$query = "SELECT * FROM news WHERE id={$id}";

if ($results = mysql_query($query)) {

$row = mysql_fetch_array ($results); //retrieve the info


$id = htmlentities($row['id']);
$p_title = htmlentities($row['p_title']);
$p_summary = htmlentities($row['p_summary']);
$p_body = htmlentities($row['p_body']);

}

?>

Where would one add the strip slashes?
 
Code:
<?php

mysql_connect('localhost', 'root', 'pass');
mysql_select_db('mark1e_dmd');


$id = $_POST['id'];


$query = "SELECT * FROM news WHERE id={$id}";

if ($results = mysql_query($query)) {

$row = mysql_fetch_array ($results); //retrieve the info


$id = htmlentities($row['id']);
$p_title = htmlentities($row['p_title']);
$p_summary = htmlentities($row['p_summary']);
$p_body = htmlentities($row['p_body']);

//For example
echo stripslashes($p_title);

}

?>

However i am unsure if *below* would work, but i assume it would. That way, because strip slashes has already been done, when the variable is echo'd it can be done with echo $varname;

Code:
$id = stripslashes(htmlentities($row['id']));
$p_title = stripslashes(htmlentities($row['p_title']));
$p_summary = stripslashes(htmlentities($row['p_summary']));
$p_body = stripslashes(htmlentities($row['p_body']));

Hope that makes sense.
 
Where would one add the strip slashes?

you wouldn't. that code is completely unrelated to the problem you're having so why did you post it?

having said that, you also need to cleanse that id field before querying your database with it. in fact i posted some help with that particular issue before.....

http://forums.overclockers.co.uk/showthread.php?t=17793055

as for stripslashes, you'd use that on $_POST data (form input) before adding to the database. again i've given you the code for that. look at the custom "clean" function in your own post here.

http://forums.overclockers.co.uk/showthread.php?t=17807287&highlight=startername_butters
 
as for stripslashes, you'd use that on $_POST data (form input) before adding to the database. again i've given you the code for that. look at the custom "clean" function in your own post here.

http://forums.overclockers.co.uk/showthread.php?t=17807287&highlight=startername_butters

From what i understand, if you stripped slashes before database input (SQL execution), you will still be able to exploit the site. Please enlighten me if i've got the wrong end of the stick.
 
I use PDO->prepare() and PDOStatement->execute() to protect against SQL injection, as I understand this is the best way to protect against SQL Injection. If anyone knows a more effective way than this, I'd be interested to hear it
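
An added example, not part of any post in this thread, of the prepare()/execute() approach mentioned above applied to the news-edit case: text containing ' and " is stored unchanged, so nothing has to be slash-stripped on the way out. It assumes an in-memory SQLite database (pdo_sqlite) in place of the thread's MySQL, and `fetch_news()` is a hypothetical helper.

```php
<?php
// Added example: in-memory SQLite stands in for the thread's MySQL database.
// Table and column names (news, id, p_title, p_body) follow the posts above.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE news (id INTEGER PRIMARY KEY, p_title TEXT, p_body TEXT)');

// Constructed form input, as it arrives with magic quotes off (or after
// strip_magic_quotes() has undone them): no backslashes added.
$post = [
    'p_title' => "i'm sure it's ok",
    'p_body'  => '<a href="test.php">test</a>',
];

// Values are bound as parameters, so quotes in them are data, never SQL syntax.
$insert = $db->prepare('INSERT INTO news (p_title, p_body) VALUES (:title, :body)');
$insert->execute([':title' => $post['p_title'], ':body' => $post['p_body']]);
$newId = (int) $db->lastInsertId();

// Hypothetical helper: look up one article by id.
function fetch_news(PDO $db, $id)
{
    // Reject anything that is not a plain positive integer before querying.
    $id = filter_var($id, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        return null;
    }
    $select = $db->prepare('SELECT id, p_title, p_body FROM news WHERE id = :id');
    $select->bindValue(':id', $id, PDO::PARAM_INT);
    $select->execute();
    $row = $select->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

$row = fetch_news($db, $newId);

// Compare what came back with what was submitted, and look for stray backslashes.
var_dump($row['p_title'] === $post['p_title']);
var_dump(strpos($row['p_body'], '\\') === false);

// Escape for HTML only at output time, e.g. inside the edit form's fields.
echo htmlspecialchars($row['p_title'], ENT_QUOTES, 'UTF-8'), "\n";

// A constructed non-numeric id, shaped like the input discussed in this thread,
// is refused by the validation step and never reaches the query.
var_dump(fetch_news($db, '1; truncate table news;'));
```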
 
you wouldn't. that code is completely unrelated to the problem you're having so why did you post it?

having said that, you also need to cleanse that id field before querying your database with it. in fact i posted some help with that particular issue before.....

http://forums.overclockers.co.uk/showthread.php?t=17793055

as for stripslashes, you'd use that on $_POST data (form input) before adding to the database. again i've given you the code for that. look at the custom "clean" function in your own post here.

http://forums.overclockers.co.uk/showthread.php?t=17807287&highlight=startername_butters

Ahh no, ok, I thought you stripslashed the return query but yeah I see it makes more sense to do it before it goes into the DB.
Thanks
 
nonononononono

stripslashes when data comes out of the database

addslashes in, stripslashes out.

addslashes adds a backslash before single and double quotes to stop sql injection. you stripslashes the data returned by an sql query to make it presentable

edit:

any user defined (ie. post and get) variable that is used in an sql query in ANY way should be escaped (in this case, addslashes, but you may also want to check out addcslashes for %)

stripslashes is for when you've run a query and you've got an array of data that may have a text/varchar field with ' or " in it - as this will have been converted to \' and \" when it went into the database (by the addslashes that you were so shrewd to do ;)). you obviously don't want single and double quotes displaying with backslashes everywhere, so use stripslashes.

alternatively, you could htmlentities your input, being sure to use ENT_QUOTES and html_entity_decode with returned data to avoid sql injection
 
OK, now I'm confused. One of you is telling me to clean the data going in with stripslashes and the other is telling me to add slashes? Can ANYONE see why I'm confused? :p
 
I can see why you are, ignore the guy telling you to stripslashes in!

sql injection comes about by people escaping out of your query (with ' or ") and executing their own. say you've got a login script that runs the following query:

Code:
select * from users where username = "$_POST['username']" and password = "$_POST['password']"

that data has gone straight into the database without being cleaned, so if someone puts as their password:

Code:
"; truncate table users;
(I'm not too hot on how to do this, but you get the idea)

the quote then becomes:

Code:
select * from users where username = "$_POST['username']" and password = ""; truncate table users;"

that's going to make your first query not return any rows, but the next query executed will delete all the data from your table!

if you addslashes the $_POST variables, then the query will be

Code:
select * from users where username = "$_POST['username']" and password = "\"; truncate table users;"

so the password field won't have been exited and the second query that the user tried to run won't be.

bah, now i'm confused too. have you not seen

http://uk3.php.net/mysql_real_escape_string

if we took rob's advice of turning off magic quotes, we'd never even have to think about stripslashes.

magic_quotes emulates addslashes but for all input from $_POST/$_GET - it's like a safety blanket so you don't have to addslashes every time - but for portability and necessity (there's no need to escape ALL your $_POST and $_GET, it's relatively resource hungry), magic_quotes is preferably turned off and you addslashes user input when needed
 