    Which escape to use, how to strip

    so you want to learn how to strip...

    I found a post on another site stating:
    "escaping depends on the output target, e.g. SQL/shell/HTML"

    I never thought of it this way, and it makes it much easier to decide
    how to handle user submitted data in the PHP scripts. here are some
    escaping functions I came across (probably everyone here has)

    (escapes some characters that addslashes does not... i.e. the null character)

    (Remove harmful characters for system calls.. ones that execute
    operating-system commands from within your scripts, such as system(),
    exec(), and passthru())

    similar to escapeshellargs(), but it only escapes special characters
    for the underlying operating system. Better choice: escapeshellargs()

    pg_escape(). (escapes quotes and apostrophes with double quotes or
    apostrophes. I forget the specific place to use this... if using php and
    MySQL is it useful? if anyone can enlighten me, please do)

    Here is something that I have not found as much detail about on the net:
    How to strip

    htmlspecialchars() should only be used when outputting to a page (not before going into the database)

    stripslashes() will remove slashes added by addslashes() or mysql_real_escape_string()

    How do you strip things off of strings that used pg_escape() or
    escapeshellargs(), or escapeshellcmd()?

    A better question might be: Do they ever need to be returned?
    (for example, if the code is escaped and used as a system command,
    will the command ever be saved and output later? if so, do we want
    to strip that output, and where would it be output to?)

    I'll try to find out more and give some more stripping lessons later,
    for all those... 'keen' programmers.

    Take care,


    Another stripping lesson already!

    Do you do a nice strip when using php mailer?

    This is a large exploit people don't normally think about.

    Let's say I was using your contact form, and I typed in the following in any of your input fields (not including the message body):

    Buy My Stuff! I'm an annoying spammer!\nBcc:

    even worse, let's say I had an email list, and I didn't want to get caught by the spam cops. I could use a script which repeated this for each email in my list. (I wouldn't do that. I got my iron ring for a reason.)

    Now, to help you out, here is how you can strip for that sexy php mailer:

    $from = $_POST["sender"];
    // eregi() was removed in PHP 7; preg_match() performs the same CR/LF check
    if (preg_match("/[\r\n]/", $from)) {
        die("Invalid Input!");
    }

    Use this for ALL the fields except the actual message. For something extra spicy, you can also strip colons, since they are needed to add stuff to the mail header.


    -Frank Forte
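    The check described in the post above, generalised to every header-bound form field, as an added example (not code from the original post); the function names and the sample form data are my own.

```php
<?php
// Added example: reject mail-header injection before any form field reaches
// mail(). A CR or LF ends the current header line, and a colon lets the
// following line be read as a new "Name: value" header (e.g. a Bcc:).

/**
 * True when $value is safe to place inside a single mail header line.
 * Colons are rejected too unless the caller explicitly allows them.
 */
function isHeaderSafe(string $value, bool $allowColon = false): bool
{
    if (preg_match('/[\r\n\x00]/', $value)) {
        return false;
    }
    if (!$allowColon && strpos($value, ':') !== false) {
        return false;
    }
    return true;
}

/**
 * Check every header-bound field of the submitted form; only the message
 * body may contain line breaks. Returns the names of offending fields.
 */
function findUnsafeFields(array $post, array $headerFields): array
{
    $bad = [];
    foreach ($headerFields as $field) {
        if (!isHeaderSafe((string) ($post[$field] ?? ''))) {
            $bad[] = $field;
        }
    }
    return $bad;
}

// Constructed sample input mirroring the post's example (not real form data).
$post = [
    'sender'  => "Buy My Stuff! I'm an annoying spammer!\nBcc: someone@example.invalid",
    'subject' => 'Hello',
    'message' => "A multi-line\nbody is fine here.",
];

$unsafe = findUnsafeFields($post, ['sender', 'subject']);
if ($unsafe !== []) {
    http_response_code(400);
    exit('Invalid Input in: ' . implode(', ', $unsafe)); // prints: Invalid Input in: sender
}
// Only now is it safe to build headers such as "From: " . $post['sender'] . "\r\n"
```

For the sender field specifically, validating it with filter_var($value, FILTER_VALIDATE_EMAIL) before this check is a stricter option, since a valid address can never contain CR, LF or a colon.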


