Page 1 of 2
Results 1 to 25 of 29
  1. #1 frankiehots (SitePoint Addict)

    Stripslashes Question

    I am using stripslashes() to remove backslashes from emails that are sent through a form submission. The function is doing the trick, but the one thing I wonder is what if someone actually wants to enter a backslash. Not that it is all that common for someone to use a backslash, but is there a way to preserve backslashes that were actually intended?

  2. #2 jaswinder_rana (Umm. PHP Guru....Naaaah)
    Well, yes, I am doing the same thing.
    Here is the function I am using:
    PHP Code:
    function clearStr($str)
    {
        // Undo the backslashes magic_quotes_gpc added to request data
        if (get_magic_quotes_gpc())
        {
            $str = stripslashes($str);
        }
        $str = escapeshellcmd($str);
        return mysql_escape_string($str);
    }
    Just remember to use get_magic_quotes_gpc() if the information is coming from a form input by the user, or else it is going to strip slashes which are not there; I got the same error.

    Hope this is what you want.

  3. #3 stereofrog (SitePoint Wizard)
    Quote Originally Posted by frankiehots
    I am using stripslashes() to remove backslashes from emails that are sent through a form submission. The function is doing the trick, but the one thing I wonder is what if someone actually wants to enter a backslash. Not that it is all that common for someone to use a backslash, but is there a way to preserve backslashes that were actually intended?
    You should only apply stripslashes to already escaped strings. Actually, the only purpose of stripslashes is to recover data damaged by "magic quotes".

  4. #4 duuudie (gimme the uuuuuuuuuuu)
    If you have cleaned a string and magic_quotes_gpc was on, then you must strip slashes. Other than that, you're safe.

    Check the stickied thread in this forum; there are some interesting thoughts on magic_quotes_gpc in the first post by DrLarryPepper.

    Here is the function used to virtually disable magic_quotes_gpc:

    PHP Code:
    // Recursively remove the backslashes magic_quotes_gpc added to every
    // string in a request array (nested arrays are handled by recursion).
    function strip_magic_quotes($arr)
    {
        foreach ($arr as $k => $v)
        {
            if (is_array($v))
            {
                $arr[$k] = strip_magic_quotes($v);
            }
            else
            {
                $arr[$k] = stripslashes($v);
            }
        }

        return $arr;
    }

    // Only strip when the server actually added the slashes
    if (get_magic_quotes_gpc())
    {
        if (!empty($_GET))    { $_GET    = strip_magic_quotes($_GET);    }
        if (!empty($_POST))   { $_POST   = strip_magic_quotes($_POST);   }
        if (!empty($_COOKIE)) { $_COOKIE = strip_magic_quotes($_COOKIE); }
    }

    Include that at the top of every page and chill.

  5. #5 frankiehots (SitePoint Addict)
    Below is the script I was using with stripslashes in it. I'm not sure if I am using stripslashes in the wrong way, but it does work. Of course if someone actually enters a backslash, it removes that too.

    PHP Code:
    <?php
    // Set variables
    $incoming_fields = array_keys($_POST);
    $incoming_values = array_values($_POST);

    // Set email introduction ($_SERVER['HTTP_REFERER'] replaces the
    // register_globals-era $HTTP_REFERER, which is unset on modern PHP)
    $message = "This message was received from a submission on " . $_SERVER['HTTP_REFERER'] . " \n\n";

    // Load email contents, skipping the form's control fields
    for ($i = 0; $i < count($incoming_fields); $i++)
    {
        if ($incoming_fields[$i] != "rec_mailto")
        {
            if ($incoming_fields[$i] != "rec_subject")
            {
                if ($incoming_fields[$i] != "rec_thanks")
                {
                    if ($incoming_fields[$i] != "opt_mailto_cc")
                    {
                        if ($incoming_fields[$i] != "opt_mailto_bcc")
                        {
                            $message .= "$incoming_fields[$i]:\n$incoming_values[$i]\n\n";
                            // Removes the magic-quotes backslashes, but also any backslash the user typed
                            $message = stripslashes($message);
                        }
                    }
                }
            }
        }
    }

    // Send email
    mail("webmaster@example.com", "Someone Has Contacted You Through example.com", $message,
         "From: donotreply@example.com(Example.com Email Form) \r\n" . "Reply-To: donotreply@example.com \r\n" . "X-Mailer: PHP/" . phpversion());

    // Forward to thank you page
    header("Location: thankyou.php");

    ?>

  6. #6 duuudie (gimme the uuuuuuuuuuu)
    Well... I might totally miss the point but.... don't we use stripslashes when dealing with data retrieved from a database?
    Why use it for an email?


  7. #7 jaswinder_rana (Umm. PHP Guru....Naaaah)
    The only reason I can think of is that frankiehots is assuming magic_quotes are on and is just stripping off the slashes added by magic_quotes before sending the email, for which the data is received from the user.

    I am not sure though. This surprised me too.

  8. #8 duuudie (gimme the uuuuuuuuuuu)
    Anyway, if you use the code I posted above you should be quiet and be able to focus on other stuff.

  9. #9 Young Twig (SitePoint Wizard)
    \ when submitted via form will (if magic_quotes is on) be turned into \\ which, when slashes are stripped, is turned back into \.
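    The round trip described in the post above, and the opening post's problem, worked on one constructed input. This is an added example, not code from anyone in the thread; addslashes() stands in for what magic_quotes_gpc did to request data (modern PHP no longer has magic quotes, and get_magic_quotes_gpc() was removed in PHP 8, so the call is guarded). The function names normalize_input and magic_quotes_active are made up for the example.

```php
<?php
// Added example for this thread (not any poster's code). It reproduces the
// round trip \ -> \\ -> \ and shows what goes wrong when stripslashes() is
// applied to a value that was never escaped. addslashes() simulates the
// transformation magic_quotes_gpc applied to GET/POST/COOKIE data.

// Constructed form value: the user really typed a backslash and a quote.
$typed = 'Path is C:\temp and it\'s "quoted"';

// What the script receives when magic_quotes_gpc is on: every \ ' " and NUL
// byte gets a backslash in front of it, exactly as addslashes() does.
$received_magic_on  = addslashes($typed);
// What the script receives when magic_quotes_gpc is off: the bytes as typed.
$received_magic_off = $typed;

// get_magic_quotes_gpc() was removed in PHP 8, so guard the call; wherever
// magic quotes no longer exist this is simply false.
function magic_quotes_active()
{
    return function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc();
}

// The correct use of stripslashes(): undo the escaping only if it was applied.
function normalize_input($value, $magic_on)
{
    return $magic_on ? stripslashes($value) : $value;
}

// Both paths hand the script the bytes the user typed, backslash included.
$ok_on  = normalize_input($received_magic_on, true)   === $typed;
$ok_off = normalize_input($received_magic_off, false) === $typed;

// The pitfall from post #1: stripslashes() applied unconditionally to a value
// that was never escaped removes the user's own backslash.
$over_stripped = stripslashes($received_magic_off);

// Stripping a magic-quoted value twice does the same damage.
$double_stripped = stripslashes(stripslashes($received_magic_on));

printf("typed:            %s\n", $typed);
printf("magic quotes on:  %s\n", $received_magic_on);
printf("round trip ok:    %s / %s\n", var_export($ok_on, true), var_export($ok_off, true));
printf("over-stripped:    %s\n", $over_stripped);
printf("double-stripped:  %s\n", $double_stripped);
printf("same damage:      %s\n", var_export($over_stripped === $double_stripped, true));
printf("magic on here:    %s\n", var_export(magic_quotes_active(), true));
```

    Run it with the PHP CLI; the "over-stripped" and "double-stripped" lines are the two ways the opening post's script loses a backslash the user meant to send, and the "round trip ok" line is the guarded path that keeps it.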

  10. #10 frankiehots (SitePoint Addict)
    magic_quotes are on as here is what I show on my phpinfo() page:

    magic_quotes_gpc On On
    magic_quotes_runtime Off Off
    magic_quotes_sybase Off Off

    Just to make sure I have totally explained everything, I am basically having customers fill out a simple email contact form and then my script emails the results to me. The form sends information to the script that I posted earlier using method="POST". Maybe I am taking a simple contact form and making it harder than it has to be. Then again the form has worked fine, it's just the stripslashes that I wondered about.

  11. #11 duuudie (gimme the uuuuuuuuuuu)
    And it's stripslashes that the code above is about.

    Here is the deal: 'gpc' in magic_quotes_gpc stands for GET POST COOKIES. Does it ring a bell?

    You're using POST as your method. Then guess what, magic quotes will be added because of magic_quotes_gpc.

    The code I posted above will check if magic quotes gpc is turned on; if yes, it will strip all the slashes added automatically, thus virtually disabling it. This allows you to control data. Add slashes yourself and include the above script at the top of each page, and you'll be fine.

    That way, your site will be portable. I mean, if you have to move it to another server with magic_quotes_gpc turned off, you won't have to change a line of your code.

    Hope that helps.

  12. #12 jaswinder_rana (Umm. PHP Guru....Naaaah)
    I agree with duuudie; portability should be kept in mind while coding. I am not a code guru though, lol. Just a point that popped out.

  13. #13 SitePoint Guru
    Rather than stripping slashes automatically all the time, I prefer an equally portable but (IMO) more useful solution.

    Note that MAGIC_ON is a constant that I define elsewhere which simply holds a boolean value of whether or not magic quotes are on. The argument $escape is a boolean expressing whether or not you want the array to be escaped.

    Using this method... I can either escape or unescape the $_GET or $_POST as needed, regardless of the PHP settings.

    PHP Code:
    // MAGIC_ON is a boolean constant defined elsewhere, e.g.
    // define('MAGIC_ON', (bool) get_magic_quotes_gpc());
    function backslash(&$arr, $escape)
    {
      // Escape: only needed when the server did not already add slashes
      if ($escape && !MAGIC_ON):
        foreach ($arr as $k => $v):
          switch (gettype($v)):
            case 'string':
              $arr[$k] = addslashes($v);
              break;
            case 'array':
              backslash($arr[$k], true);
          endswitch;
        endforeach;
      endif;
      // Unescape: only needed when the server added slashes
      if (!$escape && MAGIC_ON):
        foreach ($arr as $k => $v):
          switch (gettype($v)):
            case 'string':
              $arr[$k] = stripslashes($v);
              break;
            case 'array':
              backslash($arr[$k], false);
          endswitch;
        endforeach;
      endif;
    }

    backslash($_POST, false); // ensures the POST array will not be escaped regardless of system settings
    backslash($_POST, true);  // ensures the POST array will be escaped regardless of system settings

  14. #14 stereofrog (SitePoint Wizard)
    The biggest problem with "magic quotes" is that you never know what is already escaped and what isn't. This is especially painful when you need to mix "tainted" (e.g. from request) and "safe" strings (e.g. from database):

    Imagine you're inserting into db, say, 10 values, 5 of them come from request and others come from another database table or are just created in your code. Are you sure you can always properly escape them (and NOT "overescape")? And (just to make life interesting) imagine you need to send this data back to browser after inserting...

    Therefore, I think the best practice would be to get rid of magic_quotes. Two simple rules:

    -- magic_quotes_gpc, _runtime etc = off in php.ini
    -- (for portability reasons) check get_magic_quotes_gpc() and stripslashes if it's true as shown above
    http://www.sitepoint.com/forums/show...57&postcount=4
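    The practice the post above argues for, as an added example that is not any poster's code: make request data raw at entry, keep a single unescaped representation inside the script, and escape exactly once at each output boundary, so mixing values from the request with values created in code or read from another table cannot over-escape anything. addslashes() stands in for the database driver's escaping function (mysql_escape_string() in this thread) because no database is assumed; the function names, the "contacts" table and its columns, and the simulated POST data are all made up for the example.

```php
<?php
// Added example for this thread (not any poster's code). Escape once, at the
// boundary, for the destination the value is about to enter; never escape a
// value that is still carrying the server's magic-quotes backslashes.

// Step 1: at entry, undo magic quotes if (and only if) the server applied them.
function raw_request_value($value, $magic_on)
{
    return $magic_on ? stripslashes($value) : $value;
}

// Step 2: escape once, for a specific destination.
function sql_literal($raw)
{
    return "'" . addslashes($raw) . "'";   // stand-in for a driver escape function
}

function html_text($raw)
{
    return htmlspecialchars($raw, ENT_QUOTES, 'UTF-8');
}

// Build one INSERT from mixed sources; every value in $raw_values must be unescaped.
function build_insert($table, array $raw_values)
{
    $columns  = implode(', ', array_keys($raw_values));
    $literals = implode(', ', array_map('sql_literal', array_values($raw_values)));
    return "INSERT INTO $table ($columns) VALUES ($literals)";
}

// Constructed request data, simulated as arriving with magic_quotes_gpc on
// (already addslashes()'d, as PHP would have done before the script ran).
$magic_on = true;
$simulated_post = array(
    'name'    => addslashes("O'Brien"),
    'subject' => addslashes('About C:\docs\readme.txt'),
    'body'    => addslashes('He said "hi"'),
);

// Values created in code or read from another table are already raw.
$from_code = array(
    'status' => 'new',
    'note'   => "it's internal",
);

// Normalize the tainted part first, then merge: everything is raw now.
$row = array();
foreach ($simulated_post as $field => $value) {
    $row[$field] = raw_request_value($value, $magic_on);
}
$row = array_merge($row, $from_code);

$sql = build_insert('contacts', $row);

// Over-escaping: skipping step 1 and escaping the still-escaped POST value
// would store a literal backslash in the database.
$over_escaped = sql_literal($simulated_post['name']);

// Sending data back to the browser: escape the raw value for HTML, never the
// SQL-escaped one, or the backslashes show up on the page.
$for_browser       = html_text($row['name']);
$wrong_for_browser = html_text(addslashes($row['name']));

echo $sql, "\n";
echo "correct literal:   ", sql_literal($row['name']), "\n";
echo "over-escaped:      ", $over_escaped, "\n";
echo "for browser:       ", $for_browser, "\n";
echo "wrong for browser: ", $wrong_for_browser, "\n";
```

    The two "escape" functions take only raw values, which is the invariant that makes the question "is this already escaped?" disappear. With a real driver, its own escaping function (or, better, a parameterised query) replaces the addslashes() stand-in in sql_literal().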

  15. #15 duuudie (gimme the uuuuuuuuuuu)
    You can use a .htaccess file with the following content:
    Code:
    <IfModule mod_php4.c>
    	php_flag magic_quotes_gpc off
    </IfModule>
    But well... if you ever have to move your site to a host that doesn't allow .htaccess (that would be a real surprise but you never know...) then you would have to work to fix that problem...

    So just go with my code or cringer's one.

  16. #16 jaswinder_rana (Umm. PHP Guru....Naaaah)
    Umm, just a question. If we don't have access to .htaccess, can't we use ini_set('magic_quotes_gpc',0)?
    IS IT RIGHT???

  17. #17 stereofrog (SitePoint Wizard)
    Unfortunately no. magic_quotes are added BEFORE your script (including that "ini_set" statement) gets executed.

  18. #18 SitePoint Guru
    Yeah, I used to simply keep magic quotes turned off via .htaccess. However my host keeps threatening to move us to "phpsuexec" or something like that, in which case it is impossible to set PHP flags in .htaccess.

    On the other hand, each account should be able to have its own custom php.ini file.

    But until that gets all straightened out, I'll just keep using the portable method where you explicitly set an array to be escaped or unescaped.

  19. #19 frankiehots (SitePoint Addict)
    Quote Originally Posted by duuudie
    And it's stripslashes that the code above is about.

    Here is the deal: 'gpc' in magic_quotes_gpc stands for GET POST COOKIES. Does it ring a bell?

    You're using POST as your method. Then guess what, magic quotes will be added because of magic_quotes_gpc.

    The code I posted above will check if magic quotes gpc is turned on; if yes, it will strip all the slashes added automatically, thus virtually disabling it. This allows you to control data. Add slashes yourself and include the above script at the top of each page, and you'll be fine.

    That way, your site will be portable. I mean, if you have to move it to another server with magic_quotes_gpc turned off, you won't have to change a line of your code.

    Hope that helps.
    I know that the 'gpc' in magic_quotes_gpc stands for GET POST COOKIES. Is there a way to do my contact form without using method=POST?

  20. #20 jaswinder_rana (Umm. PHP Guru....Naaaah)
    Well frankiehots, I read this kind of post somewhere on SitePoint and I don't quite remember where, and the answer I read was via sockets. Now I don't know how it works. Just wanted to mention it. Not sure if this is what you meant.

  21. #21 duuudie (gimme the uuuuuuuuuuu)
    Quote Originally Posted by frankiehots
    I know that the 'gpc' in magic_quotes_gpc stands for GET POST COOKIES. Is there a way to do my contact form without using method=POST?
    Why would you do that?

    Honestly, you're making things more complicated than they are.

    Everyone does what I suggested above, or something similar.


  22. #22 frankiehots (SitePoint Addict)
    Well what I had done is added a check for magic_quotes_gpc like this:

    if(get_magic_quotes_gpc()) //make code portable
    {
    $message = stripslashes($message);
    }

    This just makes my code portable, but I still have the problem where if the user actually wanted to use a backslash in the message they were sending it would get removed.

    I was getting ready to try the code you recommended, duuudie, but I noticed one thing that seemed weird. You call your function "strip_magic_quotes" from within the function itself. Can that be done?

  23. #23 duuudie (gimme the uuuuuuuuuuu)
    Yes, it's a recursive function.


  24. #24 jaswinder_rana (Umm. PHP Guru....Naaaah)
    Well, it's called "recursion" and yes, it can be done. Just make sure it doesn't go endless, which is more often the case in recursion.

  25. #25 frankiehots (SitePoint Addict)
    duuudie, I am a dummy. I should have tried your "strip_magic_quotes" function yesterday. It did both things I was trying to do: it stripped the magic quotes slashes, and if the user actually entered backslashes it preserved those. Thanks duuudie.

