Ravens PHP Scripts: Forums
 

 

JRSweets
Worker
Joined: Aug 06, 2004
Posts: 192

Posted: Thu Feb 24, 2005 11:40 am

Does the following code do the same thing? Just wanted to be sure. Thanks.

Code:
// Double any backslash-escaped single quote, then entity-encode &, < and >
// (an & that already starts a numeric entity such as &#39; is left alone).
$quote = str_replace("\'", "''", $quote);

$quote = preg_replace(array('#&(?!(\#[0-9]+;))#', '#<#', '#>#'), array('&amp;', '&lt;', '&gt;'), $quote);


Code:
// Remove backslash escaping, then entity-encode the HTML special characters.
$quote = htmlspecialchars(stripslashes($quote));
 
sixonetonoffun
Spouse Contemplates Divorce
Joined: Jan 02, 2003
Posts: 2496

Posted: Thu Feb 24, 2005 12:15 pm

The function ya_fixtext() in CNB YA uses a replace like that, and it causes problems on some servers with PHP in CGI mode, no matter whether magic quotes are on or off.

What we are going to do instead in the next version is add 2 functions that test whether magic quotes are on or off and, if off, addslashes or stripslashes depending on what we're doing.

Code:
/* Note: get_magic_quotes_gpc() was deprecated in PHP 7.4 and removed in PHP 8.0. */

/* This should be run on every non int val returned from the db */
function CNBYA_stripslashes($var) {
   if ( !get_magic_quotes_gpc() ) {
      return( stripslashes($var) );
   } else {
      return $var;
   }
}

/* This should be run on every non int val saved to the db */
/* it is run in ya_fixtext automatically */
function CNBYA_addslashes($var) {
   if ( !get_magic_quotes_gpc() ) {
      return( addslashes($var) );
   } else {
      return $var;
   }
}


I think we've run into about 3 people who were affected by this so far, but it was very frustrating for those 3 people.

JRSweets

Posted: Thu Feb 24, 2005 12:42 pm

Yeah, I get confused by these things sometimes.

I was once told that:
Code:
$var = str_replace("\'","''",$var); 

$var = preg_replace(array('#&(?!(\#[0-9]+;))#', '#<#', '#>#'), array('&amp;', '&lt;', '&gt;'),$var);


is a security thing to check user input.

However, I see that phpBB uses code similar to this when the user inputs data in their profile and other places:
Code:
$var = htmlspecialchars(stripslashes($var));


I think the preg_replace and the htmlspecialchars do the same thing, but I am not sure about the rest.

So I was just wondering if these two sets of code do the same thing.
 
sixonetonoffun

Posted: Thu Feb 24, 2005 1:11 pm

Yes, and probably faster, or no one would bother.
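Added example, not code from either poster in the thread: it wraps the two snippets asked about above in functions, runs them over the same constructed inputs and prints where their output differs. The results show the two are not equivalent: the posted preg_replace() leaves double quotes and escaped backslashes untouched and only spares numeric entities, while htmlspecialchars() encodes double quotes (and, by default since PHP 8.1, single quotes) and re-encodes any entity already present. Assumes PHP 7 or later.

```php
<?php
// Added example (not from the thread): compare the two snippets on identical input.

// Snippet 1 as posted: double backslash-escaped single quotes, then
// entity-encode &, < and > (an & starting a numeric entity is left alone).
function variantOne(string $quote): string {
    $quote = str_replace("\'", "''", $quote);
    return preg_replace(
        array('#&(?!(\#[0-9]+;))#', '#<#', '#>#'),
        array('&amp;', '&lt;', '&gt;'),
        $quote
    );
}

// Snippet 2 as posted: strip all backslash escaping, then entity-encode
// &, <, > and " (plus ' on PHP 8.1+, where ENT_QUOTES became the default).
function variantTwo(string $quote): string {
    return htmlspecialchars(stripslashes($quote));
}

// Constructed samples, written the way magic_quotes_gpc would deliver them
// (quotes and backslashes already backslash-escaped).
$samples = array(
    "O\\'Reilly",                 // escaped ': becomes '' vs ' (or &#039;)
    "say \\\"hi\\\"",             // escaped ": kept as \" vs &quot;
    "path C:\\\\temp",            // escaped \: kept doubled vs single \
    "<b>&amp; &#39; & </b>",      // &#39; kept by the regex, double-encoded by htmlspecialchars
    "<script>alert(1)</script>",  // plain tags: both encode < and > the same way
);

foreach ($samples as $input) {
    $a = variantOne($input);
    $b = variantTwo($input);
    // Third column shows variantTwo only when it disagrees with variantOne.
    printf("%-28s | %-36s | %s\n", $input, $a, $a === $b ? '(same)' : $b);
}
```

Only the last sample produces identical output from both snippets; the others show why the two are not interchangeable for either the SQL-escaping or the HTML-encoding half of the job.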
 
Powered by phpBB © 2001-2007 phpBB Group