stripslashes( ) and double quotes

Posted on 2003-03-18
Last Modified: 2013-12-12
Using this code:

reset($_POST);
while(list($key,$val) = each($_POST)){
  if(is_string($val))
    $_POST[$key] = stripslashes($val);
}

double quotes are always removed from my text box entries.  So:

e"

becomes

e

after a POST. Why is that happening? (single quotes and backslashes are fine)

bmh
Question by:bmh777
5 Comments
 
LVL 2

Expert Comment

by:bobsledbob
ID: 8164651

Double quotes are special and usually get converted to %22 by your browser.  (This is similar to spaces getting converted to %20).  Is this why you're experiencing problems?

If you could do something like this, you'd see what's in your $_POST array:

  echo "<pre>\n";
  print_r($_POST);
  echo "</pre>\n";

Also, it never hurts to have:

  error_reporting(E_ALL);

in your script while you're debugging.

Adam
0
 

Author Comment

by:bmh777
ID: 8169115
I'm using:

reset($_POST);
echo "<br><pre>POST Superglobal Array<br>";
var_dump($_POST);
echo "</pre>";

to see what's in the array. Everything is fine in the array. The form entry:

e"

is stored in the POST array as

e"

but is displayed as

e

This happens in both IE 6 and NN 6.

I think I do have error_reporting set to E_ALL. How do I check?

bmh
0
 
LVL 2

Expert Comment

by:bobsledbob
ID: 8169249

What's the code that you're using to display e" ??

I'm thinking you've got a problem where you're echoing your post output into an html tag that doesn't like quotes.  You should probably try to display e" first by running it through the htmlentities() function:

echo htmlentities($_POST[$key], ENT_QUOTES);

I.e., I'm guessing you have code like this, right?

echo "<option value=\"" . $_POST[$key] . "\">" . $_POST[$key] . "</option>\n";

If so, then the HTML produced from your e" example will be:

<option value="e"">e"</option>

or some such nonsense.

The point is, you'll want it to look like this:

<option value="e&quot;">e&quot;</option>

which the htmlentities function will do for you.

Post the code which you're using to display $_POST[$key] with as well as your resulting HTML (view the source to see).  Using NN6+, the source will be colorized so that you can see your html errors better.

I think you can just do this to see which error reporting level you're at:

echo error_reporting();  // ie call the function without an argument.  however, i'm just guessing here.

However, you can set error_reporting(E_ALL); at any time, which will guarantee you're seeing all of the error messages coming from your script.

0
 

Author Comment

by:bmh777
ID: 8172276
reset($_POST);
while(list($key,$val) = each($_POST)){
  if(is_string($val))
    $_POST[$key] = stripslashes($val);
}

extract($_POST);

<tr>
  <td height="15" bgcolor="#F0F8FF"></td>
  <td height="15" colspan="3" valign="top" bgcolor="#F8F0D8">
    <input type="text" name="first_name" value="$first_name">
    <input type="text" name="middle_name" value="$middle_name" > 
    <input type="text" name="last_name" value="$last_name"></td>
</tr>

I'm using var_dump($_POST) for debugging only. So the echo isn't the problem. I enter "e"",  click submit, and "e" is re-POSTed to the text box. As I said this is baffling because "e'" and "e/" are returned correctly.

php.ini settings
------------------
magic_quotes_gpc=On
magic_quotes_runtime=Off
magic_quotes_sybase=Off
0
 
LVL 2

Accepted Solution

by:
bobsledbob earned 300 total points
ID: 8174895

My last message correctly identified the problem.  Look at your HTML source code and see what you're getting when you enter e"

For instance, if you have set first_name to e" , then your rendered html code is going to look like this:

<input type="text" name="first_name" value="e"">

Get it?  The quote that you've supplied is going to end the 'value' attribute of your input text box.  As far as the HTML that you've generated is concerned, you've got too many quotes " in your tag.

Modify your while loop to:

while(list($key,$val) = each($_POST)){
 if(is_string($val))
   $_POST[$key] = htmlentities(stripslashes($val), ENT_QUOTES);
}

and you should be fine.  


Please read the PHP manual page:

http://www.php.net/manual/en/function.htmlentities.php

This gives you information on the function that will escape special HTML characters, such as "

0
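
An added example (not code from the original thread): it escapes at output time instead of rewriting $_POST, and prints the markup produced with and without escaping together with the attributes an HTML parser recovers from it. The helper names h(), text_input() and parsed_attributes() and the sample values are assumptions made for illustration; it relies on PHP's bundled DOM extension.

```php
<?php
declare(strict_types=1);

// Added example: helper names and sample values below are constructed.

// Escape a string for an HTML text node or a quoted attribute value.
function h(string $value): string
{
    // ENT_QUOTES encodes both " and '; ENT_SUBSTITUTE swaps invalid UTF-8
    // for U+FFFD instead of making the whole result an empty string.
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Build the text input from the question; $escape = false reproduces the bug.
function text_input(string $name, string $value, bool $escape = true): string
{
    $shown = $escape ? h($value) : $value;
    return '<input type="text" name="' . h($name) . '" value="' . $shown . '">';
}

// Parse the tag with an HTML parser and return the attributes it recovers.
function parsed_attributes(string $html): array
{
    libxml_use_internal_errors(true);   // malformed tags are expected here
    $doc = new DOMDocument();
    $doc->loadHTML($html);
    $attrs = [];
    foreach ($doc->getElementsByTagName('input')->item(0)->attributes as $attr) {
        $attrs[$attr->name] = $attr->value;
    }
    return $attrs;
}

// Constructed form submissions, already free of magic_quotes slashes.
$samples = ['e"', "e'", 'e" data-injected="1'];

foreach ($samples as $raw) {
    foreach ([false, true] as $escape) {
        $html = text_input('first_name', $raw, $escape);
        echo ($escape ? 'escaped  ' : 'unescaped'), ' ', $html, "\n";
        echo '          parsed: ', json_encode(parsed_attributes($html)), "\n";
    }
}
```

Keeping $_POST raw and escaping only where the value is written into HTML avoids double-encoding when the same value is later stored or escaped again. On PHP 5.4 and later magic_quotes_gpc no longer exists, so the stripslashes() pass is unnecessary, and each() was removed in PHP 8.0.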
