| Author |
Message |
Darrell3831
Worker
Joined: Feb 18, 2004
Posts: 244
|
 Posted:
Tue Feb 24, 2004 10:10 pm |
|
What's the theory behind add and strip slashes?
From what I can see you add slashes then insert the stuff into the database.
After you read it back you strip slashes before you use it in your program.
There's a magic_quotes php variable that complicates things though... Dosent it depend on that?
Will I need a test to see if magic_quotes are on or not?
Code:/* validate Strings */
function validateString(&$string, $nohtml=0) {
$string = (get_magic_quotes_gpc() ? $string : addslashes($string));
if ($nohtml) {
$string = strip_tags($string);
}
return $string;
}
|
This would add the slashes, now I can stick the variable into the database safely, right????
Thanks,
Darrell |
_________________
http://www.psy-center.com |
|
 
|
|
Raven
Site Admin/Owner
Joined: Aug 27, 2002
Posts: 17088
|
| Posted:
Tue Feb 24, 2004 11:16 pm |
|
You got it! Not all sites have the magic quotes on, so you must do a test first. |
| |
|
|
|
|
Darrell3831
|
| Posted:
Wed Feb 25, 2004 7:26 am |
|
It complicated the way I wrote things. I might have to redesign the code. Maybe I coded it poorly and can come up with a better way.
Sometimes I pass the strings back and fourth between functions. I'll need some other test in my validators to see if it's a pass between functions or the first time it's being used....
I've looked and looked in other code very few people seem to be taking all these precautions. I'm sure having trouble trying to guess at how to create these validators, what with not knowing how attacks happen.
You guys assume I just know, but honestly I don't know they exploit these functions. If I could find examples I could test what I'm doing.. I hate guessing... lol
thanks,
Darrell |
| |
|
|
|
|
Raven
|
| Posted:
Wed Feb 25, 2004 7:34 am |
|
|
|
|
|
Darrell3831
|
| Posted:
Wed Feb 25, 2004 7:49 am |
|
You've been very helpful Raven. The problem lies with me. I simply don't know what I'm doing. 
What might be common knowledge to another person, I may not have stumbled accross yet. *shrugs*
The extent of my knowledge lies within 3 php books. Each devotes one chapter to mySQL Querries. None of them talk about security issues. They seem to just assume that your on a secure site or something. I don't get it intuitively. I need examples. lol Then I can write a function and start testing, I test a lot........ lol
Without clear examples of what I need to trap out of my strings I'm kinda lost. If I had to I could sit down and write a C like function that stepped through my string one character at a time and took everything out that had to be out. My problem is not knowing all the ways I could get in trouble, what to leave and what to take out.
Most of my strings are simple. Straight text. No html, no php... I'm not haveing any trouble with these strings.
However, I need one of my strings to allow the html in the admins allowable list. This is the one that's causing me grief..
Thanks for the link, I'll read it now.
I've already read all the stuff in the online php manual about addslashes, and stripslashes...
Darrell |
| |
|
|
|
|
Raven
|
| Posted:
Wed Feb 25, 2004 7:59 am |
|
Can you post a detailed and specific example of what you are attempting to do? |
| |
|
|
|
|
Darrell3831
|
| Posted:
Wed Feb 25, 2004 8:28 am |
|
I get variables from three sources like most everyone else I assume.
a database, user input, and internal code manipulation.
I actually have some code working now, but without any validation. Last week I began trying to secure it. I was trying to use the internal functions in main.php, but I can't figure them out.
This partially worked for strings that were not supposed to have html.
Code:$title=FixQuotes(filter_text($title, "nohtml"));
|
But it's not 100% right and I could not figure out why after about 8 hours or searching. For one thing, FixQuotes does not do the get_magic_quotes_gpc() test. It just starts doing the ereg. I had concerns about that. Furthermore, the filter_text does NOT strip out words that are in the disallow list. I was never able to figure that out either. The no html seemed to work, but I never finished testing what would happen with php commands.... all these issues from the easy one.....
I have one user input string that needs to allow html. It's a large body of text or html their choice. I may have to add a check box for them to tell which it is (text, html) but I had hoped I could figure it out on my own...
Code:$description=FixQuotes(filter_text($description));
|
This has all the problems already mentioned, plus one more. The backslash seems to be dissallowed in one of those long complex ereg_replace statemetns in main.php. It's striping everything past a back slash.. Even if it's unobtrusive... like in lists where it's not a problem. this / that / the other.
Everything after the first / is stripped out of the string. ?!?!?
I'm in sad shape if I can't even figure out how the internal functions work. 
That's when I desided to try and write my own, at least the one about testing if magic quotes are on or not. I'd still like to use the admins allowed list of html, and dissallowed list of words... It seems to me I should use his list's..
Darrell |
| |
|
|
|
|
Raven
|
| Posted:
Wed Feb 25, 2004 8:34 am |
|
Just a thought -
Have you tried using htmlentities() instead of add/strip slashes for the html stuff (database storage should use add/strip slashes still). |
| |
|
|
|
|
Darrell3831
|
| Posted:
Wed Feb 25, 2004 8:49 am |
|
I have read the php manual about htmlentities(), but I havent messed with it. I've been determined to get the nuke routines to work. Seems like they should.
But when I do the same exact call that say the news module, or the encyclopedia module does, I don't get the same results. I can't see what's different..
Darrell |
| |
|
|
|
|
Darrell3831
|
| Posted:
Thu Feb 26, 2004 6:06 pm |
|
I have gotten a lot closer!
My validators are accepting the allowable html. They are substuting the dissallowable words with the specified substitution character. Single quotes and double quotes seem fine. Forward slashes seem alright.
The last thing I'm having trouble with is the backslash.
It's unconditionally stripped off no matter what. Even when it's alright to leave it there.
Here is right after I read a variable from the database.
Code:$description=(get_magic_quotes_gpc() ? $description : stripslashes($description));
|
Then I allow $description to be edited by admins.
Then this is right before I put it back into the database.
Code:$description=FixQuotes(filter_text($description));
|
It's striping slashes that are in the middle of no where. Like say this \ and \.
filter_text calls many internal functions, check_html() is one of them that strips the disallowed html tags, right off the bat they stripslashes() why are they doing this there? It dosent seem like he should just automatically stip slashes. I still don't understand.
There has got to be a way to make the internal functions work.
Can someone help please?
Sorry,
Darrell |
| |
|
|
|
|
sixonetonoffun
Spouse Contemplates Divorce
Joined: Jan 02, 2003
Posts: 2496
|
| Posted:
Sat Feb 28, 2004 12:11 am |
|
You might check out (if you haven't)
http://sourceforge.net/projects/kses/
They had to write internal functions to reverse odd effects of native functions very much as your describing. Might give you a steer in the right direction to see how they handled it.
I've been playing with it a little tonight and like the way it works. I think all I've left to get into the safe array is text color. |
| |
|
|
|
|
Darrell3831
|
| Posted:
Sat Feb 28, 2004 10:04 am |
|
Thank you!
I've been looking at it a while now. It's very interesting.
Darrell |
| |
|
|
|
|
sixonetonoffun
|
| Posted:
Sat Feb 28, 2004 3:40 pm |
|
Now I just have to hack htmlarea so it uses <br> instead of <p> tags or something. The <a href tags are stripped from what little documentation there is looks like this is why. Changes them into <A></A> for me now.
Otherwise it doesn't miss a beat cleans evil just like it claims lol. I feel about as safe with this allowed array as with bbcode. And its as easy or easier to add new tags and attributes aside from the issue above. |
| |
|
|
|
|
Darrell3831
|
| Posted:
Wed Mar 03, 2004 6:01 pm |
|
So his code is GNU General Public License (GPL). Great, ah.. But what exactly does that mean?
I read the license, and don't think that was an easy task! lol
It talks a lot about what you can and can't do to redistribute his code, but I did'nt see anything specifically about using it as an internall part of code that you intend to redistribute.
What exactly must we do to use his code in something were going to redistribute? Is that considered the same as redistributing his code? If I'm reading it right then we are required to keep his documentation and license inside our distribution as well.
*shrugs*
Thanks,
Darrell |
| |
|
|
|
|
sixonetonoffun
|
| Posted:
Wed Mar 03, 2004 6:36 pm |
|
My best guess use it all you want just leave the copyright in the header of the file in place.
Though I have no clue how its effected if you distibute under other then GNU/GPL license. I would ask for written permission in that case.
Worst case is they say no. Like I mentioned before the class version is distributed with Geeklog. |
| |
|
|
|
|
Darrell3831
|
| Posted:
Sat Mar 20, 2004 9:52 pm |
|
sixonetonoffun,
In the kses example this is what the allowed HTML array looks like:
Code:$allowed = array('b' => array(),
'i' => array(),
'a' => array('href' => array('minlen' => 3, 'maxlen' => 50),
'title' => array('valueless' => 'n')),
'p' => array('align' => 1,
'dummy' => array('valueless' => 'y')),
'font' => array('size' =>
array('minval' => 4, 'maxval' => 20)),
'br' => array());
|
I was wondering if you knew what this particular element of the array means.
Code: 'dummy' => array('valueless' => 'y')),
|
I read the doc's and I still don't understnad.
| Quote: | 'valueless' checks if an attribute has a value (like <a href="blah">) or not
(<option selected>). If the given value is a "y" or a "Y", the attribute must
not have a value to be accepted. If the given value is an "n" or an "N", the
attribute must have a value. Note that <a href=""> is considered to have a
value, so there's a difference between valueless attributes and attribute
values with the length zero. |
What the hecks dummy?? There's no attribute like that...
Thanks for anything you can offer.
Darrell |
| |
|
|
|
|
sixonetonoffun
|
| Posted:
Sun Mar 21, 2004 12:11 am |
|
I'm just as confused about that little bit of the docs as you.
I just used it like this:
Code:
/* KSES array see KSES readme to tweak settings */
$allowed_protocols = array('http', 'https', 'ftp', 'news', 'nntp', 'telnet', 'gopher', 'mailto');
// KSES allowed tags array
// This is a loose filtering array
$allowed = array('pre' => array('align' => 1),
'strong' => array(),
'hr' => array(),
'div' => array('align' => 1),
'img' => array('alt' =>1, 'src' => 1, 'hspace' => 1, 'vspace' => 1, 'border' => 1),
'table'=> array('align' => 1, 'border' => 1, 'cell' =>1),
'tr' => array('align' => 1),
'td' => array(),
'ul' => array(),
'li' => array(),
'ol' => array(),
'a' => array('href' => 1, 'link' => 1, 'target' => 1, 'title' => 1,
array('minval' => 4, 'maxval' => 100)),
'font' => array('face' => 1, 'style' =>1, 'color' => 1),
array('size' =>
array('minval' => 1, 'maxval' => 36)),
'p' => array('align' => 1),
'b' => array(),
'i' => array(),
'u' => array(),
'em' => array(),
'br' => array());
// End KSES Options
|
Code:
$subject = textFilter(kses(ADVT_stripslashes($subject), $allowed) );
|
Code:
function ADVT_stripslashes( $text )
{
if( get_magic_quotes_gpc() == 1 )
{
return( stripslashes( $text ));
}
return( $text );
}
|
Then I noticed with the textFilter() I had to use FixQuotes or things went haywire. When using
$subject = textFilter(kses(ADVT_stripslashes($subject), $allowed) );
Code:
/* Added for quotes with textFilter(KSES */
function FixQuotes ($what = "")
{
$what = ereg_replace("'","''",$what);
while (eregi("\\\\'", $what)) {
$what = ereg_replace("\\\\'","'",$what);
}
return $what;
}
function textFilter( $str )
{
$str = FixQuotes( $str );
$result = mysql_query( "SELECT word FROM badwords" ) or error( die("Badwords Broke"));
while( $row = mysql_fetch_array( $result ) )
$str = eregi_replace( $row['word'], "\*", $str );
return $str;
}
|
None of which really answer your question sorry I really couldn't make sense of what the author was trying to explain about the valueless Y y. |
| |
|
|
|
|
Darrell3831
|
| Posted:
Sun Mar 21, 2004 8:26 am |
|
Thanks for taking the time to post what you did post. I appreciate the oppertunity to see your allowed array.
You mentioned it getting confused with quotes. I've only made a few texts, but what tests I made it handled them right. In what example input string were you able to confuse it with quotes?
As far as the Code:'dummy' => array('valueless' => 'y')),
|
goes. My best guess is that if hypothetical attribute dummy has a value then it will be stripped from the input string. If it does not have a value it will be allowed in the string.
On the other hand if the flag had been no, I'm assuming it must have a value or it will be stripped.
Darrell |
| |
|
|
|
|
sixonetonoffun
|
| Posted:
Sun Mar 21, 2004 9:57 am |
|
When the value 'word' was passed from the database with magicquotes on it wasn't being stripped before. Because 'word' is replacing the original string. I'll have test that a little more maybe thats not the cleanest way to handle it. |
| |
|
|
|
|
Darrell3831
|
| Posted:
Sun Mar 21, 2004 10:11 am |
|
sixonetonoffun,
I hope you don't mind, but I'd like to ask you about your allowed array. I see some things in it that I don't understand the reasoning for.
You've choosen to allow the align attribute for the pre tag.
Code:$allowed = array('pre' => array('align' => 1),
|
I thought things that were in a pre tag were pre-formatted? Would'nt it be bad syntax to allow the align attribute here?
Code:<pre align="right">Pre formatted junk stuff</pre>
|
What reasoning is there to allow align in this instance?
My second question would be about your a tag.
Code:'a' => array('href' => 1, 'link' => 1, 'target' => 1, 'title' => 1,
array('minval' => 4, 'maxval' => 100)),
|
I couldent get this one to work as is. I believe there is a syntax error in the min and max values. In the way your applying them. I'me sorry to say I don't understand it this way either.
From my humble understanding this is a two dimensional array, and your adding the min and max value out of context here. What element of the first array would your min and max value apply to?
This however did work for me.
Code:'a' => array('href' => array('minlen' => 3, 'maxlen' => 50),
// 'link' => 1,
'target' => 1,
'title' => array('minlen' => 4, 'maxlen' => 100)),
|
My last question for the moment is about the link attribute your allowing in the a tag. I've never seen link inside an a tag. Is that something that people do? I kinda work alone. My experience is very limited to what ever I'm trying to do at the moment. I only ever used LINK to add style sheets and stuff.
I'm not nit-picking, honest. I'm just self taught and I want to get this right. It's really important to me. I'd like to understand your reasoning for things.
Thank you for your time.
Sincerely,
Darrell |
| |
|
|
|
|
sixonetonoffun
|
| Posted:
Sun Mar 21, 2004 10:43 am |
|
Actually I think it (link) could be removed since there aren't enough attributes to make it usable for anything but maybe title.
Edit: Your right about title min max length Thanks I'll be fixing that one lol. |
| |
|
|
|
|
sixonetonoffun
|
| Posted:
Sun Mar 21, 2004 11:01 am |
|
What I don't like is that if max length is exceeded it strips the whole title not just trimming off the length to 100.
Edit: And to wrap it all up I do think align is a proper attribute of <pre at least I know it will work. Is there someplace that says its an illegal attribute?
Edit:
As long as we're at it I cleaned up font size too. If you see anything else feel free to critique away! I went through that faster then I should of and really you've helppd me more then the other way around 
Probably the table attributes need corrections too but I am giong out of town for a couple days so I won't be back for a bit.
So now I have this:
Code:
/* KSES array see KSES readme to tweak settings */
$allowed_protocols = array('http', 'https', 'ftp', 'news', 'nntp', 'telnet', 'gopher', 'mailto');
// KSES allowed tags array
// This is a loose filtering array
$allowed = array('pre' => array('align' => 1),
'strong' => array(),
'hr' => array(),
'div' => array('align' => 1),
'img' => array('alt' =>1, 'src' => 1, 'hspace' => 1, 'vspace' => 1, 'border' => 1),
'table'=> array('align' => 1, 'border' => 1, 'cell' =>1),
'tr' => array('align' => 1),
'td' => array(),
'ul' => array(),
'li' => array(),
'ol' => array(),
'a' => array('href' => 1, 'target' => 1,
'title' => array('minlen' => 4, 'maxlen' => 100)),
'font' => array('face' => 1, 'style' =>1, 'color' => 1,
'size' => array('minval' => 1, 'maxval' => 7)),
'p' => array('align' => 1),
'b' => array(),
'i' => array(),
'u' => array(),
'em' => array(),
'br' => array());
// End KSES Options
|
|
| |
|
|
|
|
Darrell3831
|
| Posted:
Sun Mar 21, 2004 11:22 am |
|
With respect to your first example of an a tag in the allowable array, if I helped in any way I'm very glad!
As far as the align attribute within a pre tag. That's news to me. I've never seen it before. I actually tried align="right" and nothing happend with my particular browser. We should find that URL on the web and run it through and see if it's WC3 compliant or whatever they call it. I don't mind doing it if you have the URL to test it?
Setting a maxlen to small can be a problem, because as you've pointed out, it completly strips the tag if it's exceeded. In the case of an image tag's src attribute this would be bad.
On the other hand, it offers a lot of protection form attacks where they are trying to overflow the buffer.
I'm happy to keep maxlen set moderatly high, document it, and live with it.
I'm going to go thru every tag and attribute and manually test all possibilities I can think of.
I'll post my array when I'm more comfortable with it.
Before I run off to tinker with this though, I do see one problem with your font size.
You have it set appropriately for min and max interger values of 1 to 7, but it's also valid to say +1 or -1 etc..
Perhaps we'll have to settle for a minlen of 1 and maxlen of 2 for that attribute.
Darrell |
| |
|
|
|
|
sixonetonoffun
|
| Posted:
Sun Mar 21, 2004 2:31 pm |
|
In my usuage size values are strictly limited (htmlArea) to 1-7 where actually 1 = 8px and 7 = 36px. I get a +0 when trying to adlib with 8 or higher. Beats stripping the tag completely like maxlen did At least that was my goal to get the two to jibe. My maxlen seems short but the total allowed chars each post is only 1000 I think I'll have to double check that. But that was why I kept it trimmed down. I might reconsider that and increase the overall post allowed size its a text column so it would be ok to a much greater value.
<pre align= documentation if that helps at all?
Shows align attribute
http://www.jqjacobs.net/web/tables.html
Shows width attribute
http://www.willcam.com/cmat/html/pformat.html
I wouldn't call this proof positive its proper, but at least it shows someone else thinks it is. |
| |
|
|
|
|
dcasmr
Worker
Joined: Feb 06, 2004
Posts: 147
|
| Posted:
Mon Apr 10, 2006 8:01 pm |
|
Hi,
I have a problem with backslashes or sometimes repeated quotes being added to my text in french where there is a quote. A way back, someone suggested a fix that can be added inside a module to remove the effect of backslahes or additional characters being added in the text. For example, typing C'est will yield C"est or sometimes C\'est. Really weird stuff.
Does anyone know how to add extra information inside index.php or the module so that it will not "translate" the characterers?
Thanks |
| |
|
|
|
|
|
|
. Sorry if I haven't elaborated enough. See the links in this article 
![[Valid RSS]](https://www.ravenphpscripts.com/images/valid-rss.png "Validate my RSS feed"){kind=small}
