Problem with syntax in PHP str_replace

PHP
#1

Hi I am trying out some code from the internet for a secure login, one of the functions seems to contain a syntax error in a line that reads -

$url = str_replace("'", ''', $url);

The whole function is -

function esc_url($url) {
 
    if ('' == $url) {
        return $url;
    }
 
    $url = preg_replace('|[^a-z0-9-~+_.?#=!&;,/:%@$\|*\'()\\x80-\\xff]|i', '', $url);
 
    $strip = array('%0d', '%0a', '%0D', '%0A');
    $url = (string) $url;
 
    $count = 1;
    while ($count) {
        $url = str_replace($strip, '', $url, $count);
    }
 
    $url = str_replace(';//', '://', $url);
 
    $url = htmlentities($url);
 
    $url = str_replace('&amp;', '&', $url);
	
    $url = str_replace("'", ''', $url);
 
    if ($url[0] !== '/') {
        // We're only interested in relative links from $_SERVER['PHP_SELF']
        return '';
    } else {
        return $url;
    }
}

I have to admit I don’t yet understand the full code, but there is definitely a syntax error in the line mentioned. If I can sort that out I can continue with my understanding and learning - thanks guys

#2

What are you trying to do there? You can’t wrap a single quote in a pair of single quotes.

#3

To be honest, I am not completely sure either :grin: As I said It is a secure login script I found on the net. The desription of the function they give is -

This next function sanitizes the output from the PHP_SELF server variable. It is a modification of a function of the same name used by the WordPress Content Management System.

I can comment out the line and the whole script works OK. But I am not sure if that will create another problem. It seems they are trying to replace single quotes in the url with something but I am not sure with what or why. I was hoping someone had some advice or comments.

#4

Perhaps they are trying to replace single-quotes with double-quotes, and the line should read

$url = str_replace("'", '"', $url);

but if it’s a URL, would either character be valid there?

1 Like
#5

The fact that the code uses $_SERVER[‘PHP_SELF’] tells me that the “tutorial” is either old or poorly written. Best to show us the link to it.

trying out some code from the internet

More often than not you will run across old, insecure, or poorly written code just grabbing something at random from the internet. Be careful and understand the code before you implement it, especially for a “Secure"Login” code.

1 Like
#6

Well, let’s at least walk you through what it DOES. You can then figure out whether it’s a good idea to use it (though as benanamen points out… probably not.)

function esc_url($url) {

Define a function, esc_url, that takes one parameter, $url.

   if ('' == $url) {
        return $url;
    }

If the URL was empty, return that empty string; we’re done here.

$url = preg_replace('|[^a-z0-9-~+_.?#=!&;,/:%@$\|*\'()\\x80-\\xff]|i', '', $url);
Get rid of any characters that are not:
alphabet characters,
the numbers 0-9,
the symbols -~+_.?#=!&;,/:%@$|*’()
the latin-1 characters corresponding to the hex-value range 80-FF. This is often called the “Extended ASCII Characters”.
(the |i indicates that the search should be case-insensitive, hence not needing to specify both a-z and A-Z.)

$strip = array('%0d', '%0a', '%0D', '%0A');
    $url = (string) $url;

Setting up some variables for later use.

$count = 1;
    while ($count) {
        $url = str_replace($strip, '', $url, $count);
    }

Recursively strip out anything in the $strip array from the URL. Repeat until you didnt remove anything.

For example, one of the elements of $strip is “%0d”. If, however, I wrote my url to be “%0%0dd”, running str_replace once would remove the inner %0d, replace it with a “”, and cause the string to just be “%0d”.

$url = str_replace(';//', '://', $url);
Change the semicolon to a colon in the URL’s protocol definition.

$url = htmlentities($url);
For some reason, we now convert special characters in the url to html entities.

$url = str_replace('&amp;', '&', $url);
Remember the last line? Yeah, undo it for ampersands.

$url = str_replace("'", ''', $url);
This was probably supposed to replace single quotes with double quotes, as droop points out. But they flubbed it up.

 if ($url[0] !== '/') {
        // We're only interested in relative links from $_SERVER['PHP_SELF']
        return '';
    } else {
        return $url;
    }

If the first character of the URL is a /, it’s trying to refer to the root folder of the domain we’re currently on. The script doesnt want to play with those, so it returns the empty string if it finds one. If it starts with anything else, the URL is relative to the current script’s directory, so we return the URL.

This isn’t actually correct; a URL that begins with, say, http://, is not relative to the current page; they’re absolute URL’s. But the script doesnt seem to mind those, for whatever reason.

1 Like
#7

Wow ! thanks, so much for such assistance - especially m_hutly

and to benanamen

https://getcodify.com/create-secure-login-script-php-mysql/

Yes the code was published a while ago but I do not know if it has been updated at any point. It is not my intention to use it live in its current form but I was hoping to get it working and through research update each element to be properly secure. I don’t like the fact that is uses javascript, particularly for encryption.

I really want to develop a secure login, basic but secure. There are so many aspects to consider as well as individual methods and opinions. I did not want to draw the obvious and deserved negative comments a question such as ‘How do I write a secure login system?’ since I know that’s a short question with a long answer. So I thought I would get something going and work my way through asking for assistance only when necessary.

Any advice for a starting point would be great, opinion based is fine for me at this stage.

Maybe if I get it started as a project, I could share it here and people could contribute and I could help build a resource that others could use or refer to, what do you guys think, would that be appropriate or useful for this site and members?

Anyway, help so far has been awesome, thanks again guys.

#8

Cheers, thats all I could think maybe, it works like that I guess, but like you say is what it does needed :grin:

All I can think is they are trying to prevent some kind of redirection or calling from another location for hacking attempts - maybe?