Re: Magic Quotes

Ben Edwards (lists) wrote:
On Thu, 2005-02-10 at 13:45 +0100, Jochem Maas wrote:

Ben Edwards (lists) wrote:

PS phpsc.net seems to be down, or is the domain wrong?


Er yes, oops. As Jeffery pointed out it should have been
phpsec.org. Had a brain freeze, sorry.



OK, trying to do a function to remove magic quotes from the post variable. Something like:-

function remove_magic_quotes( &$array ) {
	foreach( $array as $index => $value ) {
		if ( is_array( $array[$index] ) ) {
			remove_magic_quotes( $array[$index] );
		} else {
			if ( magic_quotes_runtime() ){
				$array[$index] = stripslashes( $value );

there is a missing closing brace here. also the test for magic_quotes_runtime() is better off outside the loop... no point in recursing if magic_quotes_runtime() returns false.

also you might want to use a return val instead of pass-by-reference.


also adding this to a .htaccess file in the root dir of your app might be easier:

php_value magic_quotes_runtime 0


		}
	}
}

But not quite there.  Any ideas?

Ben


Ben

On Thu, 2005-02-10 at 13:28 +0100, Jochem Maas wrote:


Ben Edwards (lists) wrote:


Am I correct in thinking Magic Quotes automatically adds quotes to all
posted variables, therefore if you are displaying post variables on a
form you have to remove the quotes.  They are only needed if you are
actually inserting/updating into the database.   Whether magic quotes
are on or not you do not actually have to do anything to data fetched
from the database. If magic quotes are not on you have to add slashes
before you add to the database.

you get the gist of it.... bear in mind _many_ people including actual php developers avoid magic_quotes like the plague cos it's a PITA.

basically your input to the DB should be properly escaped (there are special
functions for this also, depending on your DB, I use a lot of firebird and it's capable
of parameterized queries - making it impossible to do SQL injection if you use
the parameterized markup).

AND anything you output to the browser should be sanitized properly as well...
go to phpsc.net and read everything there - it's a good/solid introduction to
writing secure php code (e.g. how to combat XSS etc). phpsc.net is headed by Chris
Shiflett - a veritable goldmine of php related knowledge.... do yourself a favor...
read his stuff :-) any questions that arise from reading that are welcome here :-)



There is also another function you need to pass stuff through if you are
going to use it in an <input type=text or <textarea>, what is that
function?

htmlentities()



Ben

-- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
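A cleaned-up version of the routine the thread is working toward, as an added example that is not code from the thread: the magic-quotes check happens once before any recursion (using the gpc setting, which is the one that governs GET/POST/COOKIE data), a cleaned copy is returned instead of mutating by reference, and the two sinks Jochem mentions (database via a bound parameter, browser via htmlentities()) each escape for their own context. It assumes PDO with the sqlite driver for the database part; the sample array is constructed.

```php
<?php
// Added example (not from the thread). Undo magic-quotes escaping on
// request data, then escape at each output sink instead of at input time.

function strip_magic_quotes_deep($value)
{
    // recurse into nested arrays, stripslashes() on every leaf
    if (is_array($value)) {
        $clean = array();
        foreach ($value as $key => $item) {
            $clean[$key] = strip_magic_quotes_deep($item);
        }
        return $clean;
    }
    return stripslashes($value);
}

function remove_magic_quotes($array)
{
    // Decide once, before any recursion: only strip when PHP actually
    // added the slashes. get_magic_quotes_gpc() is gone in PHP 8, where
    // nothing was escaped, so the array is returned untouched there.
    if (!function_exists('get_magic_quotes_gpc') || !get_magic_quotes_gpc()) {
        return $array;
    }
    return strip_magic_quotes_deep($array);
}

// Real use: $_POST = remove_magic_quotes($_POST);
// Constructed sample of what $_POST looks like with magic_quotes_gpc on:
$post = array(
    'name' => "O\\'Brien",
    'tags' => array("say \\\"hi\\\"", array("c:\\\\temp")),
);
$clean = strip_magic_quotes_deep($post);   // $clean['name'] is O'Brien

// Sink 1, database: bind the value so it is never spliced into the SQL
// (assumes the pdo_sqlite extension is available).
$pdo = new PDO('sqlite::memory:');
$pdo->exec('CREATE TABLE users (name TEXT)');
$stmt = $pdo->prepare('INSERT INTO users (name) VALUES (:name)');
$stmt->execute(array(':name' => $clean['name']));

// Sink 2, browser: encode for the HTML attribute context it lands in.
// ENT_QUOTES is needed so a single quote cannot close the attribute.
echo '<input type="text" name="name" value="'
   . htmlentities($clean['name'], ENT_QUOTES, 'UTF-8') . '">';
```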

