Problem with newlines in comments

Hello all,

I have just found that some \r\n newline characters are getting into the comment field of a table.

This is what I am seeing from a display of the field: Ο\r\n\r\nΠ

I have been testing different variations of the following code but it doesn’t seem to work.


$msgtxt = $row["msgtxt"];

    $bad   = array('/^\r\n*/', "\r\n", "\t", "\n", "\r");
    $msgtxt = str_replace($bad, " ", $msgtxt);

    $msgtxt = preg_replace("/n[\r\n]/", " ", $msgtxt);
    
    $msgtxt = preg_match_all("~\s[\t|\r|\n]~", " ", $msgtxt);

    $msgtxt = str_replace("\r", " ", $msgtxt);
    $msgtxt = str_replace("\n", " ", $msgtxt);

    $msgtxt = preg_replace("~\r~", " ", $msgtxt);    
    $msgtxt = preg_replace("~\n~", " ", $msgtxt);    

First of all, I am trying to figure out how they got into the field while at the same time trying to get this to work to use in the following function.


function remove_headers($string) {
    $headers = array( "/to\\:/i", "/from\\:/i", "/bcc\\:/i", "/cc\\:/i", "/Content\\-Transfer\\-Encoding\\:/i", "/Content\\-Type\\:/i",
    "/Mime\\-Version\\:/i" );
    $string = preg_replace($headers, '', $string); return strip_tags($string);
}    //    end function

Anyone have any possible solutions?

It is necessary to figure out the problem, before finding any solution.
The problem is not obvious here.

You’ve got this string “Ο\r\n\r\nΠ” appearing in your data? Well, some of your PHP code is to blame for it. You have to find this code.
Your goal is not to eliminate these characters, but to find the code that causes them.

Hello Shrapnel_N5,

Thank you for replying.

I have the following input routine working to “hopefully” cleanse incoming data.



    $_GET = array_map('trim', $_GET);
    $_POST = array_map('trim', $_POST);
    $_COOKIE = array_map('trim', $_COOKIE);
    $_REQUEST = array_map('trim', $_REQUEST);

    //if(get_magic_quotes_gpc()):
    if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
        $_GET = array_map('stripslashes', $_GET);
        $_POST = array_map('stripslashes', $_POST);
        $_COOKIE = array_map('stripslashes', $_COOKIE);
        $_REQUEST = array_map('stripslashes', $_REQUEST);
    }
    //endif;
    $_GET = array_map('mysql_real_escape_string', $_GET);
    $_POST = array_map('mysql_real_escape_string', $_POST);
    $_COOKIE = array_map('mysql_real_escape_string', $_COOKIE);

if (empty($msgtxt)) { 
     $msgtxt = "No comment."; 
}


Nothing else is done to this field, except for the previous function.

What else might be causing this?

mysql_real_escape_string would make \r\n from line breaks, as it is necessary for an SQL query.
So, you ought to use this function only for data that goes into an SQL query, not for every variable that comes to your script.

Okay, thank you.

You can leave the trim and stripslashes things at the top of your scripts (doubtful about trim, but usually it won’t harm anything).
But mysql_real_escape_string should be used only for its purpose: escaping data that goes into a MySQL query.
Any string that goes into a MySQL query should be escaped by mysql_real_escape_string and enclosed in quotes.

Note that escaping lasts only until the query is executed. You’ll never see these characters again.

I have removed those 3 lines now. I was confused about the issues of injection that I have been reading about and thought that they might serve as additional protection there.

Yes, mysql_real_escape_string() function must be used. Obligatory.
But in the proper place.
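
The effect described in the replies above, as an added example that is not part of the original thread: escaping once at the query boundary round-trips the value, while escaping the whole request array and then escaping again when the query is built leaves literal backslash sequences in the stored data. `escape_standin()` and `server_parse_standin()` are hypothetical stand-ins for mysql_real_escape_string() and the server's string-literal parsing so the code runs without a database, and the second escape at query time is an assumption about the original script.

```php
<?php
// Hypothetical stand-in for mysql_real_escape_string(): escapes NUL, \n, \r,
// backslash, single quote, double quote and Ctrl-Z in a single pass.
function escape_standin(string $s): string {
    return strtr($s, [
        "\\" => "\\\\", "\0" => "\\0", "\n" => "\\n", "\r" => "\\r",
        "'"  => "\\'",  '"'  => '\\"', "\x1a" => "\\Z",
    ]);
}

// Hypothetical stand-in for the server reading a quoted string literal:
// it removes exactly one level of escaping before storing the value.
function server_parse_standin(string $literal): string {
    $map = ['0' => "\0", 'n' => "\n", 'r' => "\r", 'Z' => "\x1a"];
    return preg_replace_callback('/\\\\(.)/s', function ($m) use ($map) {
        return $map[$m[1]] ?? $m[1];
    }, $literal);
}

// Constructed sample: a comment containing two real CR LF line breaks.
$raw = "Ο\r\n\r\nΠ";

// Escaped once, where the query is built: the stored value equals the input.
$storedOk = server_parse_standin(escape_standin($raw));

// Escaped once for the whole request array, then again at query time
// (assumed): only one level is removed, so backslashes become data.
$input     = escape_standin($raw);
$storedBad = server_parse_standin(escape_standin($input));

// Cleanup written for real control characters, as in the question.
$cleaned = str_replace(["\r\n", "\r", "\n"], " ", $storedBad);

var_dump([
    'escaped once round-trips'          => $storedOk === $raw,
    'stored after double escaping'      => $storedBad,
    'has real CR or LF'                 => (bool) preg_match('/[\r\n]/', $storedBad),
    'control-char cleanup changed data' => $cleaned !== $storedBad,
]);
```

The double-escaped value contains the four-character text `\r\n` rather than line-break bytes, which is why replacements targeting "\r" and "\n" never match it.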