StripSlashes()

Forum Moderators: coopster

Message Too Old, No Replies

StripSlashes()

aspr1n

1:54 am on Dec 11, 2002 (gmt 0)

I am writing to a MySQL db, a field which contains (intentionally) executable PHP/HTML code, which is all addslashes() before being written.

However when I StripSlashes after getting it back, it removes my 'amp;' entity from '&' causing XML validators to fail on '&' characters. Why would SS remove these chars?

I am also now worried that I might be stripping something else that's just waiting to bite me!

Cheers,

asp

lorax

2:18 am on Dec 11, 2002 (gmt 0)

Hola,
You should use htmlspecialchars() first and then use stripslashes()

[php.net...]

aspr1n

10:20 am on Dec 11, 2002 (gmt 0)

Hi Lorax,

Now I'm really confused. Your suggestion does work, but I did look at this originally but the PHP doc says:

This function is useful in preventing user-supplied text from containing HTML markup, such as in a message board or guest book application.

Which is exactly what I don't want to do as the user supplied text *must* contain html markup.

Firstly, I don't get why SS would remove these chars anyway as the manual says:

Returns a string with backslashes stripped off. (\' becomes ' and so on.) Double backslashes are made into a single backslash.

Secondly, now when I:

echo htmlspecialchars( StripSlashes( $row["xml_content"] ),ENT_COMPAT );

It doesn't touch my &s anymore but I was expecting it to convert my '<' '>' characters into < > as the documentation describes but it doesn't.

I was going to write to the db with htmlspecialchars() so I don't call it on read, but I don't get quite what it's doing now.

asp

lorax

1:01 am on Dec 12, 2002 (gmt 0)

Hello Aspr1n,
Reverse the order of htmlspecialchars and stripslashes - like so

stripslashes(htmlspecialchars($row["xml_content"]))

This will execute the htmlspecialchars first and then the strip the leftover slashes. If you stripslashes first, you're likely to disable your html chars.

If you read below the line you quoted you'll see that this function turns & into an & which is exactly what you're looking for. Remember, we're applying this function on the output of a MySQL query. SO the users should still be able to write to the db protected by addslashes().

Regarding you <> you may want to look into using htmlentities instead:

If you require all HTML character entities to be translated, use htmlentities() instead.

aspr1n

3:19 pm on Dec 12, 2002 (gmt 0)

Hi Lorax,

Sorry I didn't explain myself properly:

I was retrieving PHP/HTML code from a DB to be edited in a form field.

My problem was when I StripSlashes() to push into the form field for editing, I was loosing some of my entities I had added, ie & was becoming just &.

The reason I didn't want to use htmlspeciachars() was it had to be returned as executable code rather than entities.

Eg. If I had:


<?php
$var = '<p>&pound <?php echo StripSlashes( $prod_row["p_retail"] );?><br />&euro <?php echo StripSlashes( $prod_row["p_euro"] );?></p>';
echo htmlspecialchars( $var );
?>

The output is:

<p>&pound<?php echo StripSlashes( $prod_row["p_retail"] );?><br />&euro <?php echo StripSlashes( $prod_row["p_euro"] );?></p>

Which is no good for a PHP engine.

What I have found is it appears to be just in form fields where StripSlashes turns & to &, so by htmlspecialchars() into my form field this seems to preserve the £ & € entities (for XML validation).

The screwy part is, it doesn't do a conversion as the example above produces - the only conclusion I can come to is because it is a form field.

asp

StripSlashes()

aspr1n

lorax

aspr1n

lorax

aspr1n

Join The Conversation

Moderators and Top Contributors

Hot Threads This Week