| 6:13 pm on May 1, 2003 (gmt 0)|
If it was in php, you would do:
string stripslashes ( string str)
Returns a string with backslashes stripped off. (\' becomes ' and so on.) Double backslashes are made into a single backslash.
CGI is a mystery to me... but you might want to search google for cgi remove slashes or cgi strip slashes...
| 6:14 pm on May 1, 2003 (gmt 0)|
In perl, one option is:
$line =~ y/,'"()<>//d;   # y///d (same as tr///d) deletes every listed character; inside y/// the [ and ] of a character class would be literal and get stripped too
will strip out these unwanted characters from your line
| 6:21 pm on May 1, 2003 (gmt 0)|
it was php
and stripslashes works perfectly - doh!
wow, i am constantly amazed by these forums and the willingness to help, that took about 5 minutes to get an answer.
| 12:24 am on May 2, 2003 (gmt 0)|
In PHP this is related to the Magic Quotes option. The stripslashes function (as mentioned above) will fix it. In general I always turn Magic Quotes off in php.ini since it's more problems than it's worth (for me anyway).
| 7:49 am on May 2, 2003 (gmt 0)|
this will be my first foray into programming, and now that the script works, i spent most of yesterday looking at possible security issues - mostly to do with checking variable types and / or content using istype and eregi, etc.
is the use of magic quotes also a possible hole?
and something that has been puzzling me is:
i update the database using a textarea and input fields. some of the text is in foreign language with accents and all - and yet php or mysql automatically converts these to their html special codes - is this an automatic feature? is this something to do with magic_quotes?
at the moment i do not use htmlspecialchars anywhere in my script, either for inserting or displaying data?
sorry for convoluted question ;-)
| 9:30 am on May 2, 2003 (gmt 0)|
Magic quotes shouldn't be a hole - but it can be a right pain as you have to have stripslashes everywhere - plus it's not actually ANSI SQL ('which just repeats it''s single quotes instead').
I usually turn it off too. I use htmlentities($str,ENT_QUOTES) instead.
If you are worried about security then you should also consider turning off register_globals (which judging by your code is currently on). It can be a major security hole and most php hosts now turn it off by default.
You would then access the variable from your input by using either $_GET['var'] or $_POST['var'] as appropriate.
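Putting the advice of the last two posts together, here is an added example (not code from this thread or from any of its posters) that keeps the three transformations apart: undoing magic quotes on input only when the option is on, quoting for the database, and encoding for HTML output with htmlentities($str, ENT_QUOTES). Function names and the sample $_POST value are this example's own, and the database step uses a PDO prepared statement, which the thread does not mention; it assumes a PDO connection is available.

```php
<?php
// Added example, not code from the thread. It shows the three separate
// transformations the posts above discuss: undoing magic quotes on input,
// quoting for SQL, and encoding for HTML output. Function names and the
// sample $_POST value are this example's own.

// 1. Input: undo the backslashes magic_quotes_gpc adds, but only when the
//    option is actually on; otherwise a backslash the user typed is lost.
//    function_exists() keeps this running on PHP 8, where the function was
//    removed (magic quotes themselves were removed in PHP 5.4).
function raw_input($value)
{
    if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
        return stripslashes($value);
    }
    return $value;
}

// 2. Database: quoting belongs to the database layer, not to the input
//    layer. A prepared statement (assumed PDO connection, not in the thread)
//    sends the value separately from the SQL text, so quotes in it never
//    need escaping and the stored text is exactly what the user typed.
function store_title(PDO $pdo, $title)
{
    $stmt = $pdo->prepare('INSERT INTO entries (title) VALUES (:title)');
    $stmt->bindValue(':title', $title);
    return $stmt->execute();
}

// 3. Output: encode for HTML at display time. ENT_QUOTES also encodes the
//    single quote, so the value is safe inside a single-quoted attribute too.
function html_safe($value)
{
    return htmlentities($value, ENT_QUOTES);
}

// Constructed sample input: what a form submit might deliver to the script
// (register_globals off, so it is read from $_POST rather than $title).
$_POST['title'] = "O'Reilly <b>\"bold\"</b> & café";
$title = raw_input(isset($_POST['title']) ? $_POST['title'] : '');

// store_title($pdo, $title) would be called here with a live connection.

// The displayed value is encoded, the stored value is not: the same text
// is escaped differently for each destination, never for both at once.
echo '<input type="text" name="title" value="' . html_safe($title) . "\">\n";
```

The point of keeping the steps apart is that each destination has its own escaping rules: a value that has been made safe for SQL is not thereby safe for HTML, and a value encoded for HTML should not be what gets stored, or it will be double-encoded the next time it is displayed.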
| 11:30 am on May 2, 2003 (gmt 0)|
(not just a dab hand at css i see :-)
i have register_globals off - that was one of first things i checked after yesterday's security investigations.
i'll have a look at turning off magic quotes too, as i can imagine in the future it might be more appropriate.
p.s. any idea how mysql or php automatically converts é to &eacute; when reading out data from db? it is a fantastic function but have never read about it anywhere and have done nothing consciously to enable it. just curious.
| 1:00 pm on May 2, 2003 (gmt 0)|
Sorry I don't have much experience with foreign language chars. Though I have never had anything change "&" to "&amp;" unless I did a url_encode or something like that.
| 1:35 pm on May 2, 2003 (gmt 0)|
i have just turned off magic quotes and am now using htmlentities() which encodes everything very nicely!
thanks all for help
| 1:49 pm on May 2, 2003 (gmt 0)|
Good to hear.