If it was in php, you would do:
string stripslashes ( string str)
Returns a string with backslashes stripped off. (\' becomes ' and so on.) Double backslashes are made into a single backslash.
CGI is a mystery to me... but you might want to search google for cgi remove slashes or cgi strip slashes...
In perl, one option is:
$line =~ y/,'"()<>//d;   # y/// (tr///) takes a plain character list, not a regex class: [ ] would be deleted too
will strip out these unwanted characters from your line
it was php
and stripslashes works perfectly - doh!
wow, i am constantly amazed by these forums and the willingness to help, that took about 5 minutes to get an answer.
In PHP this is related to the Magic Quotes option. The stripslashes function (as mentioned above) will fix it. In general I always turn Magic Quotes off in php.ini since it's more problems than it's worth (for me anyway).
this will be my first foray into programming, and now that the script works, i spent most of yesterday looking at possible security issues - mostly to do with checking variable types and / or content using istype and eregi, etc.
is the use of magic quotes also a possible hole?
and something that has been puzzling me is:
i update the database using a textarea and input fields. some of the text is in foreign language with accents and all - and yet php or mysql automatically converts these to their html special codes - is this an automatic feature? is this something to do with magic_quotes?
at the moment i do not use htmlspecialchars anywhere in my script, either for inserting or displaying data?
sorry for convoluted question ;-)
Magic quotes shouldn't be a hole - but it can be a right pain as you have to have stripslashes everywhere - plus it's not actually ANSI SQL ('which just repeats it''s single quotes instead').
I usually turn it off too. I use htmlentities($str,ENT_QUOTES) instead.
If you are worried about security then you should also consider turning off register_globals (which judging by your code is currently on). It can be a major security hole and most php hosts now turn it off by default.
You would then access the variable from your input by using either $_GET['var'] or $_POST['var'] as appropriate.
(not just a dab hand at css i see :-)
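As an added illustration of the advice in this reply (not code from the thread or from any poster), here is how the pieces fit together in a PHP 5-era script: undo magic quotes once at input time only when the option is actually on, read input explicitly from $_POST with register_globals off, keep the value raw in the database by letting a parameterised query quote it, and encode with htmlentities() and ENT_QUOTES only at display time. The DSN, credentials, table and form field name are assumed placeholders.

```php
<?php
// Added example: input normalisation and output encoding for a form that
// writes to MySQL. Assumes PHP 5.x (get_magic_quotes_gpc() was removed in
// PHP 8, so the call is guarded) and a hypothetical "comments" table.

// Reverse the escaping magic_quotes_gpc applied. Only ever call this when the
// option is on: unconditional stripslashes() silently corrupts input that
// legitimately contains backslashes.
function undo_magic_quotes($value)
{
    if (is_array($value)) {
        return array_map('undo_magic_quotes', $value);
    }
    return stripslashes($value);
}

if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
    $_GET    = undo_magic_quotes($_GET);
    $_POST   = undo_magic_quotes($_POST);
    $_COOKIE = undo_magic_quotes($_COOKIE);
}

// With register_globals off, input is only reachable through the superglobals,
// so an unexpected request parameter can never overwrite a script variable.
$comment = isset($_POST['comment']) ? (string) $_POST['comment'] : '';

// HTML output encoding. ENT_QUOTES converts both ' and " so the result is
// safe inside attribute values as well as element text; the charset argument
// keeps accented characters (é etc.) encoded consistently as entities.
function h($s)
{
    return htmlentities($s, ENT_QUOTES, 'UTF-8');
}

// Store the raw text. A prepared statement lets the driver quote the value,
// which is the ANSI-SQL-correct way (doubling single quotes) and removes any
// dependence on magic quotes or addslashes(). Connection details are assumed.
$pdo = new PDO('mysql:host=localhost;dbname=example;charset=utf8', 'dbuser', 'dbpass');
$pdo->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);
$stmt = $pdo->prepare('INSERT INTO comments (body) VALUES (:body)');
$stmt->execute(array(':body' => $comment));

// Encode once, at the point where the value is placed into HTML.
echo '<textarea name="comment">' . h($comment) . '</textarea>';
```

The important property is that each transformation happens exactly once and in the right place: slashes are removed at the boundary where magic quotes added them, the database receives the untouched text, and entity encoding is applied only when rendering, so stored data never accumulates layers of escaping.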
i have register_globals off - that was one of the first things i checked after yesterday's security investigations.
i'll have a look at turning off magic quotes too, as i can imagine in the future it might be more appropriate.
p.s. any idea how mysql or php automatically converts é to &eacute; when reading out data from db? it is a fantastic function but have never read about it anywhere and have done nothing consciously to enable it. just curious.
Sorry I don't have much experience with foreign language chars. Though I have never had anything change "&" to "&amp;" unless I did a url_encode or something like that.
i have just turned off magic quotes and am now using htmlentities() which encodes everything very nicely!
thanks all for help
Good to hear.