  1. #1
    SitePoint Addict Mr Jojo's Avatar

    Return() PHP Bug??

    I have a function that does this:

    PHP Code:
    function make_safe($variable) {
        $variable .= 'pila';
        return $variable;
    }

    And I found out that when return() returns the string, all quote marks like "" and '' are slashed, for example:

    $a = 'And god said "You shall not lie..."';
    return $a;

    The result will be 'And god said \"You shall not lie...\"'

    How can I bypass something like this?

  2. #2
    SitePoint Member
    Very very odd, I can't reproduce that:

    Code:
    C:\Documents and Settings\Kalle Sommer Nielsen>php -r "function test(){ $a = 'And god said \"You shall not lie...\"'; return($a); } echo(test());"
    And god said "You shall not lie..."

  3. #3
    SitePoint Addict Mr Jojo's Avatar
    Join Date
    May 2007
    Posts
    322
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    Try this:

    PHP Code:
    <?php

    if ($_POST['descricao'] != NULL) {
        $a = $_POST['descricao'];

        function test($variable)
        {
            $variable .= ' \'and never...';
            return $variable;
        }

        echo '<form method="POST" action="mmm.php">

    <textarea rows="5" name="descricao" cols="38">' . test($a) . '</textarea>
    <input type="submit" value="ok" name="B1">
    </form>';
    } else {
        echo '<form method="POST" action="mmm.php">
    <textarea rows="5" name="descricao" cols="38">And God said "you shall not lie" never</textarea>
    <input type="submit" value="ok" name="B1">
    </form>';
    }

    ?>

    Save this PHP code as mmm.php or another name*

    *If you change the PHP file name from mmm to something else, make sure you change it where it says:
    PHP Code:
    <form method="POST" action="mmm.php">

    ...

    <form method="POST" action="mmm.php">

    And have fun pressing the Ok button sometimes then

  4. #4
    SitePoint Enthusiast jcarouth's Avatar
    Is magic quotes on? Check your phpinfo() output.

  5. #5
    SitePoint Enthusiast BurakUeda's Avatar
    Most probably your magic quotes are on.

    Try this:
    PHP Code:

    <?php

    if ($_POST['descricao'] != NULL) {
        $a = stripslashes($_POST['descricao']);

        function test($variable)
        {
            $variable .= ' \'and never...';
            return $variable;
        }

        echo '<form method="POST" action="mmm.php">

    <textarea rows="5" name="descricao" cols="38">' . test($a) . '</textarea>
    <input type="submit" value="ok" name="B1">
    </form>';
    } else {
        echo '<form method="POST" action="mmm.php">
    <textarea rows="5" name="descricao" cols="38">And God said "you shall not lie" never</textarea>
    <input type="submit" value="ok" name="B1">
    </form>';
    }

    ?>

    But I recommend you to turn magic quotes off.


    Edit: Bah! jcarouth beat me to it
    H u m o
    Uncensored Forums for Intelligent People

  6. #6
    SitePoint Addict Mr Jojo's Avatar
    magic_quotes_gpc On On
    magic_quotes_runtime Off Off
    magic_quotes_sybase Off Off


    Did you try the script I gave?

  7. #7
    SitePoint Addict Mr Jojo's Avatar
    Quote Originally Posted by BurakUeda View Post
    Most probably your magic quotes are on.

    Try this:
    PHP Code:

    <?php

    if ($_POST['descricao'] != NULL) {
        $a = stripslashes($_POST['descricao']);

        function test($variable)
        {
            $variable .= ' \'and never...';
            return $variable;
        }

        echo '<form method="POST" action="mmm.php">

    <textarea rows="5" name="descricao" cols="38">' . test($a) . '</textarea>
    <input type="submit" value="ok" name="B1">
    </form>';
    } else {
        echo '<form method="POST" action="mmm.php">
    <textarea rows="5" name="descricao" cols="38">And God said "you shall not lie" never</textarea>
    <input type="submit" value="ok" name="B1">
    </form>';
    }

    ?>

    But I recommend you to turn magic quotes off.


    Edit: Bah! jcarouth beat me to it

    What happens if I host my PHP files on a server with magic_quotes on and I can't change them to off?


    Edit: Your script works but what happens if the user puts some slashes into the text intentionally? Will they disappear? Or only the ones before a quote mark?

  8. #8
    SitePoint Addict Mr Jojo's Avatar
    LOL

    Now this is my make_safe function for text input:

    PHP Code:
    function make_safe($variable) {
        $variable = addslashes(stripslashes(trim(htmlspecialchars($variable))));
        return $variable;
    }

    Should I take that stripslashes() from there and use it only when showing the input data to the user or leave it in the make_safe function?

  9. #9
    SitePoint Enthusiast BurakUeda's Avatar
    Put this at the beginning of the script:
    PHP Code:
    <?php
    ini_set("magic_quotes_gpc", "0");
    ?>

  10. #10
    SitePoint Addict Mr Jojo's Avatar
    Quote Originally Posted by BurakUeda View Post
    Put this at the beginning of the script:
    PHP Code:
    <?php
    ini_set("magic_quotes_gpc", "0");
    ?>

    That function ini_set comes in handy in some cases, nice!

    But I put it at the beginning of the script, and the slashes still appear, and it makes me think that maybe the HTML textbox or the form itself sends the data with slashed quotes..

    Strange, maybe I'll use stripslashes.

    Here's the code where I tried ini_set()


    PHP Code:
    <?php
    ini_set("magic_quotes_gpc", "0");

    if ($_POST['descricao'] != NULL) {
        $a = $_POST['descricao'];

        function test($variable)
        {
            $variable .= ' \'and never...';
            return $variable;
        }

        echo '<form method="POST" action="mmm.php">

    <textarea rows="5" name="descricao" cols="38">' . test($a) . '</textarea>
    <input type="submit" value="ok" name="B1">
    </form>';
    } else {
        echo '<form method="POST" action="mmm.php">
    <textarea rows="5" name="descricao" cols="38">And God said "you shall not lie" never</textarea>
    <input type="submit" value="ok" name="B1">
    </form>';
    }

    ?>

  11. #11
    SitePoint Wizard bronze trophy devbanana's Avatar
    magic_quotes_gpc cannot be set with ini_set, only in .htaccess or in php.ini.

    If your PHP is installed as an Apache module, put this in .htaccess:

    Code:
    php_flag magic_quotes_gpc off

    What are you trying to make your function do to make a value safe? There are different types of security.

    First you have security when sending values to the database, for which you should use mysql_real_escape_string().

    You also have security when outputting user-inputted data, for which you should use htmlentities() or htmlspecialchars().

    You may need to validate data in other ways. What type of data can each field accept? Are there certain characters disallowed? It should be considered on a case-by-case basis.
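
Added example (not part of any post in this thread): the per-context handling described in #11, compared with the single make_safe() chain from #8. It swaps in a PDO prepared statement where the post names mysql_real_escape_string(), since the mysql_* functions were removed in PHP 7. It assumes the pdo_sqlite extension; the notes table and the helper names are made up.

```php
<?php
// Added example, not code from the thread. Assumes the pdo_sqlite extension;
// the notes table and the helper names are made up for illustration.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE notes (id INTEGER PRIMARY KEY, descricao TEXT)');

// Database context: bind the raw value so it is never parsed as SQL.
function save_note(PDO $db, string $raw): int
{
    $stmt = $db->prepare('INSERT INTO notes (descricao) VALUES (:d)');
    $stmt->execute([':d' => $raw]);
    return (int) $db->lastInsertId();
}

function load_note(PDO $db, int $id): string
{
    $stmt = $db->prepare('SELECT descricao FROM notes WHERE id = :id');
    $stmt->execute([':id' => $id]);
    return (string) $stmt->fetchColumn();
}

// HTML context: escape at the moment the value is written into the page.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES, 'UTF-8');
}

// The chain from post #8, kept only to compare what it would store.
function make_safe(string $variable): string
{
    return addslashes(stripslashes(trim(htmlspecialchars($variable))));
}

// Constructed input: both quote styles, a backslash and some markup.
$input = 'God said "you shall not lie" \'never\' C:\\temp <b>x</b>';

$stored = load_note($db, save_note($db, $input));
var_dump($stored === $input);     // raw value compared after the round trip
echo '<textarea>' . h($stored) . "</textarea>\n";

$mangled = load_note($db, save_note($db, make_safe($input)));
var_dump($mangled === $input);    // same comparison for the make_safe() value
echo '<textarea>' . h($mangled) . "</textarea>\n";
```

The value passed through make_safe() loses the backslash the user typed in C:\temp and is stored with HTML entities already in it, so escaping again on output shows those entities as literal text.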

  12. #12
    SitePoint Wizard silver trophy kyberfabrikken's Avatar
    Quote Originally Posted by BurakUeda View Post
    Put this at the beginning of the script:
    PHP Code:
    <?php
    ini_set("magic_quotes_gpc", "0");
    ?>

    You can't disable magic-quotes that way, since it's happening before the PHP-script runs. You have to edit php.ini or use a htaccess file (which may or may not work, depending on the server's configuration).

    You can undo magic quotes, by putting this in the top of your script:
    PHP Code:
    if (get_magic_quotes_gpc()) {
        // Recursively strip the slashes magic quotes added to every value.
        function stripslashes_array($array) {
            return is_array($array) ? array_map('stripslashes_array', $array) : stripslashes($array);
        }

        $_COOKIE = stripslashes_array($_COOKIE);
        $_FILES = stripslashes_array($_FILES);
        $_GET = stripslashes_array($_GET);
        $_POST = stripslashes_array($_POST);
        $_REQUEST = stripslashes_array($_REQUEST);
    }

    From http://php.net/magic_quotes/

  13. #13
    SitePoint Wizard TheRedDevil's Avatar
    The code above to undo magic quotes has a "security issue" so to say, which can be exploited to bring the server down.

    If you send multiple requests with deep multidimensional arrays to the server, it will spend a lot of resources going through those empty arrays making it dead slow for legitimate users.

    I can't remember who exactly mentioned this in their speech at a conference, but I kept a copy of the code we were advised to use instead in my library.

    PHP Code:
    if (get_magic_quotes_gpc()) {
        // Work list of references to the input arrays; nested arrays are appended as they are found.
        $in = array(&$_GET, &$_POST, &$_COOKIE);

        while (list($k, $v) = each($in)) {
            foreach ($v as $key => $val) {
                if (!is_array($val)) {
                    $in[$k][$key] = stripslashes($val);
                    continue;
                }
                $in[] =& $in[$k][$key];
            }
        }

        unset($in);
    }

  14. #14
    SitePoint Enthusiast BurakUeda's Avatar
    Quote Originally Posted by kyberfabrikken View Post
    You can't disable magic-quotes that way, since it's happening before the PHP-script runs. You have to edit php.ini or use a htaccess file (which may or may not work, depending on the server's configuration).

    You can undo magic quotes, by putting this in the top of your script:
    PHP Code:
    if (get_magic_quotes_gpc()) {
        // Recursively strip the slashes magic quotes added to every value.
        function stripslashes_array($array) {
            return is_array($array) ? array_map('stripslashes_array', $array) : stripslashes($array);
        }

        $_COOKIE = stripslashes_array($_COOKIE);
        $_FILES = stripslashes_array($_FILES);
        $_GET = stripslashes_array($_GET);
        $_POST = stripslashes_array($_POST);
        $_REQUEST = stripslashes_array($_REQUEST);
    }

    From http://php.net/magic_quotes/

    Sorry about that.
    Actually I never used ini_set() with magic_quotes_gpc. Always set it from php.ini.

    I checked this table: http://jp.php.net/manual/en/ini.php#ini.list but apparently I skipped the line and misread the PHP_INI_PERDIR

  15. #15
    SitePoint Addict Mr Jojo's Avatar
    Thank you very much guys!
    Helped a lot!

  16. #16
    SitePoint Wizard silver trophy kyberfabrikken's Avatar
    Quote Originally Posted by TheRedDevil View Post
    The code above to undo magic quotes has a "security issue" so to say, which can be exploited to bring the server down.

    If you send multiple requests with deep multidimensional arrays to the server, it will spend a lot of resources going through those empty arrays making it dead slow for legitimate users.

    That doesn't make sense to me. Of course it uses some resources, but so does any processing; I would guess that you could crash most smaller sized websites by firing off a multitude of requests. It's hardly a security issue to have inefficient code.

    The code you posted uses a stack based approach, rather than recursion. It's true that this is more efficient, and you can crash the runtime, if you force it to recurse enough times. As far as I know, this won't affect any other running scripts (except for the resources needed to process that one). It may be that earlier versions of PHP didn't handle stack overflows too well though.

  17. #17
    SitePoint Wizard TheRedDevil's Avatar
    Quote Originally Posted by kyberfabrikken View Post
    That doesn't make sense to me. Of course it uses some resources, but so does any processing; I would guess that you could crash most smaller sized websites by firing off a multitude of requests. It's hardly a security issue to have inefficient code.

    The code you posted uses a stack based approach, rather than recursion. It's true that this is more efficient, and you can crash the runtime, if you force it to recurse enough times. As far as I know, this won't affect any other running scripts (except for the resources needed to process that one). It may be that earlier versions of PHP didn't handle stack overflows too well though.

    It might have been a fix for a specific PHP version issue, god knows there are enough of those.


    For those who did not understand the security threat caused by "unrestricted looping" over user based data it is simple. It makes it possible to perform a "cheap ddos" attack.

    In other words, make the server kneel by feeding it with multiple requests with "lots of data it needs to process". By doing that almost all of the server's processing power will be used on the "attack" and the server will be very sluggish for legitimate visitors; it can possibly even crash.
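
Added example (not part of any post in this thread): a non-recursive unescape in the style of #13 that also caps nesting depth and element count, so the work done per request stays bounded however the submitted arrays are shaped. It generalizes the thread's code by skipping non-string leaves; MAX_DEPTH, MAX_NODES and the function name are assumptions made for this sketch.

```php
<?php
// Added example, not code from the thread. MAX_DEPTH and MAX_NODES are
// illustrative limits chosen for this sketch.
const MAX_DEPTH = 16;    // deepest array nesting accepted
const MAX_NODES = 5000;  // most elements (leaves plus arrays) visited

/**
 * Undo addslashes()-style escaping on every string in $input without
 * recursion. Returns the cleaned copy, or null when the structure is
 * deeper or larger than the limits so the caller can reject the request.
 */
function strip_slashes_bounded(array $input): ?array
{
    $out   = $input;           // work on a copy of the caller's array
    $queue = [[&$out, 1]];     // work list of [array reference, depth]
    $seen  = 0;

    for ($i = 0; $i < count($queue); $i++) {
        $node  = &$queue[$i][0];
        $depth = $queue[$i][1];
        if ($depth > MAX_DEPTH) {
            return null;
        }
        foreach ($node as $key => $val) {
            if (++$seen > MAX_NODES) {
                return null;
            }
            if (is_array($val)) {
                $queue[] = [&$node[$key], $depth + 1];  // visit later
            } elseif (is_string($val)) {
                $node[$key] = stripslashes($val);
            }
        }
        unset($node);          // drop the reference before the next bind
    }
    return $out;
}

// Constructed sample shaped like $_POST after magic_quotes_gpc escaping.
$sample = ['descricao' => 'God said \\"no\\"', 'tags' => ['it\\\'s', 'a\\\\b']];
var_dump(strip_slashes_bounded($sample));

// Constructed over-deep structure: 100 levels exceeds MAX_DEPTH.
$deep = [];
for ($i = 0; $i < 100; $i++) {
    $deep = [$deep];
}
var_dump(strip_slashes_bounded($deep));
```

PHP's own max_input_nesting_level and max_input_vars settings apply the same kind of limits while the request is parsed, before any script code runs.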

