Every time a POST is made I get escaped characters.
\ -> \\
' -> \'
" -> \"
I have a multistep form, which transmits the data from one form to another. I save the values with prepared statments in the database. The values in the database currently look like Paul\'s House. User should have the possiblity to use single and double quotes in their string.
This is a simple example demonstrating the escaping effect:
<?php
echo $_POST['value'];
?>
<form action="form.php" method="post" enctype="multipart/form-data">
<input type="hidden" name="value" value="Paul's House">
<input type="submit" value="Next">
</form>
Why or who escapes the string? What is the correct way for handling data over multiple forms? What is the correct way for saving it in the database? Should I use stripslashes() or I'm opening a big security hole?
Looks like you have Magic Quotes turned on.
http://www.php.net/manual/en/security.magicquotes.disabling.php
Check that out for how to disable.
You must turn off the magicquotes in server , otherwise you should very careful about on/off status of the magicquotes .
Related
Ok so i've learned a bit of PHP and tried making a simple application but i am not sure is my webpage secure from xss and other such attacks .
My PHP CODE
<?php
$title=$keywords=$description="";
$valid_er="";
if($_SERVER["REQUEST_METHOD"] == "POST"){
if(empty($_POST['title'])){
$valid_er="has-error";
}
else{
$title="<title>".test($_POST["title"])."<title>";
}
$keywords='<meta name="keywords" content="'.test($_POST["keywords"]).'" />';
$description='<meta name="description" content="'.test($_POST['description']).'" />';
}
function test($ci){
$ci=htmlentities($ci);
$ci=stripcslashes($ci);
return $ci;
}
?>
And MY HTML FORM
<form method='post' class='form-group' action="<?php echo htmlspecialchars($_SERVER["PHP_SELF"]);?>">
<label> Your Title </label> <input placeholder="Your websites title" type="text" name="title" class='form-control' class='form-group-item'/></br>
<label> Keywords </label> <input placeholder="Your keywords separated by comma " type="text" name="keywords" class='form-control' class='form-group-item'/></br>
<label>Description </label> <textarea placeholder="A nice description about your website;" name="description" class='form-control'></textarea></br>
<input type="submit" class='btn btn-info'>
</form>
I just wanted to know am i vulnerable to cross site scripting , because i don't think only using
htmlspecialchars()
will protect me .
I just wanted to know am i vulnerable to cross site scripting
No, you are not, and just using htmlspecialchars will protect you against XSS in most cases (if you use double quotes around attributes and follow the rules in my last paragraph).
You don't need to use stripcslashes, and you don't need to encode your own <, etc.
Do note however that htmlspecialchars does not encode a single quote (') by default. I mention this because for your form tag, you mainly use single quotes, and just double quotes for the action,which is a really good idea, as otherwise your code would be vulnerable to XSS. To avoid this problem, you can use htmlspecialchars($string, ENT_QUOTES, 'UTF-8');, with which single quotes would also be encoded. You still can't just omit using any quotes (if you do that, preventing XSS becomes a lot more complicated, as you would need to escape all characters with which you can break out of that context, which include space, +, etc), but with this, you can use double or single quotes and be safe.
For more information, check out this site about XSS prevention (it tells you where this kind of encoding is not enough; you should never put user input inside <script>, <style>, HTML comments, attribute names, or tag names).
I have a value ($title) that is stored in MySQL and is being called, using PHP, to be inserted into the value of an input element. The problem is when a single or double quote is used, the value of the input field terminates at that point.
The behavior that should occur is the input field should be populated EXACTLY with the data in the $title variable, so that when the form is updated, the quotes remain intact.
Here is the PHP:
<?php
echo '<input type=text size=91 name=title value="'.stripslashes($title).'">';
?>
Now, here is a typical problem: if the value of $title
this is a test " of what occurs with a quote
and I echo the variable, it echos correctly to
this is a test " of what occurs with a quote
However, when used in an input field, it renders as:
<input value="this is a test " of what occurs with a quote">
The first " terminates the value of the field, causing the new value to be:
this is a test
I'm confused as to how to get the proper value to display and be submitted with the form, when that variable is displayed and updated.
Try using htmlspecialchars. This will escape the " in yout title.
value="'.htmlspecialchars($title).'">
Put a \ before the quote.
echo "This is a \" test";
Change this line.
<input type=text size=91 name=title value="'.stripslashes($title).'">
To
<input type=text size=91 name=title value=\''.stripslashes($title).'\'>
Why are you running stripslashes()? Running addslashes() (the opposite function) would fix this particular issue, but a better approach would be to use htmlentities($title, ENT_COMPAT, 'utf-8') everywhere you output the title (or, if your structure allows, when the data is stored).
After you perform stripslashes you should use htmlspecialchars to escape the special characters. This avoids the mess the characters like ",', etc might otherwise create.
<input type=text size=91 name=title value="'.htmlspecialchars(stripslashes($title)).'">
The above snippet will only fix it for display purpose. But when the submit happens you must use either mysql_real_escape_string() or $pdo->quote() to escape the special characters before you run the SQL query.
I am accepting a preset input from another .php file
$Instructor=$_POST["Instructor"];
when I echo $Instructor, the OUTPUT is Dr. Doom (which is correct)
When i pass it through a fieldset I only get the (Dr.) and not the (Doom). I need for the entire name to get passed. Can any one please help. I am NEW TO PHP, so please try to explain in simple form. Thank you very much ahead of time.
here is the code i am using.
echo "<fieldset>
<Legend> Contact Information </Legend>
PROFESSOR: <inputname='Professor' type= 'text' value=$Instructor maxlength='35'
disabled='disabled'> </fieldset>"
Sincce you've omitted quotes on HTML attribute, only characters up to the first whitespace will be interpreted in your html. Quote the attribute, and escape it properly with htmlentities() using the ENT_QUOTES option:
echo "<fieldset ... ... value='" . htmlentities($Instructor, ENT_QUOTES) . "' ... </fieldset>";
Note that without the escaping, it is vulnerable to cross-site scripting, in addition to potentially breaking the output markup.
You need to put quotes around attribute values that contain spaces. In your case they need to be escaped, because the PHP string literal also uses them:
echo "... value=\"$Instructor\" ...";
Variable sanitization aside, you forgot to quote this:
value=$Instructor
And mind the space here:
type= 'text'
By the way, There's a nice syntax in PHP called "heredoc" if you want to use blocks of HTML text.
$str = <<<EOF
<fieldset>
<Legend> Contact Information </Legend>
PROFESSOR: <inputname='Professor' type='text' value='$Instructor' maxlength='35' disabled='disabled'>
</fieldset>
EOF;
What's nice is the text can stay human readable and still support inline variable interpolation (putting "$something like this")
I have two issues
When I submit the character ' through my HTML form (using POST) it is fine. However, in the form I allow to modify the submitted content, when it is brought in, anything after the ' disappears. I've deduced that this is because when I assign the text content containing the ' to the text field, it closes the quote. For example, if I submit Hello there I'm John, it will do: <input type=text value='Hello there I'm Jon />
So you see, the apostrophe in I'm closes the quote for the value attribute. So the only solution I can think of would be to escape the apostrophe, but even when I leave my mysql_real_escape_string() function on the content (as it's submitted to a database escaped and retrieved for this form).
Similarly, when I submit an & or a +, it disappears. This happens any time I try to print it anywhere, regardless of using the htmlspecialchars() function (which I was under the impression should encode them in HTML format for such characters, like: &). so as an example, if someone enters Me & you then it will be displayed as Me you.
So I'm asking: How can I fix the above issues, seeming to have to do with special characters, despite already having them escaped (and I even tried applying the escape function again)? If there is any sample code I should supply, please let me know, but I've explained what I am doing to each input.
When I submit the character ' through my HTML form (using POST) it is fine. However, in the form I allow to modify the submitted content, when it is brought in, anything after the ' disappears. I've deduced that this is because when I assign the text content containing the ' to the text field, it closes the quote. For example, if I submit Hello there I'm John, it will do: <input type=text value='Hello there I'm Jon /> So you see, the apostrophe in I'm closes the quote for the value attribute. So the only solution I can think of would be to escape the apostrophe, but even when I leave my mysql_real_escape_string() function on the content (as it's submitted to a database escaped and retrieved for this form).
This has nothing to do with submitting the data. You are trying to use ' in an attribute value that is delimited with ' characters.
Use htmlspecialchars($data, ENT_QUOTES)
Similarly, when I submit an & or a +, it disappears. This happens any time I try to print it anywhere, regardless of using the htmlspecialchars() function (which I was under the impression should encode them in HTML format for such characters, like: &). so as an example, if someone enters Me & you then it will be displayed as Me you.
In data encoded as application/x-www-form-urlencoded & means "Start of new key=value pair" and + means "A space". You need to urlencode($data).
First, it helps to properly contain HTML attributes, like so:
<input type="text" value="Hello there I'm Jon" />
I'm using double quotes, notice the trailing quote on the value, which your original didn't have. If you then wrap the value in htmlentities() you'll be able to properly display/save " or any other value in your form.
While double quotes aren't strictly necessary in HTML5 (' will work just fine in most cases), they are at least encouraged. If you're using some variant of XHTML, they are required.
A lazy but fast way to do things here is use urlencode() on the contents of the fields before they are posted, and the urldecode() on the other side.
It's not the proper way, or the nice way ... but it works if you don't want to write some specific code to handle the cases.
I'm wondering why php adds a backslash when i remove double quotes.
<input type="text" name="number" id="number" />
<input type="button" name="button" id="button" value="Button" />
Say they user enters the value 5-1/2" and i'm passing it to a processing page via jquery's .get method.
$('#button').click(function(){
$.get('determine.php?number='+$('#number').val(),function(data){
$('#response').html(data);
});
});
Here is my processing page.
determine.php
$number = $_GET['number'];
$number = str_replace(array('"', "'"), '', $number);
echo $number;
//echos 5-1/2\
Why is the backslash there?
It doesn't add them when you remove the slash, it automatically escapes them in the query string parameters when the magic_quotes_gpc directive is enabled (and it is, by default pre 5.30). It did this as a security precaution, so that the data could be safely used in a database query. You can disabled them by changing the setting in your php.ini file, see http://www.php.net/manual/en/security.magicquotes.disabling.php.
You can also use stripslashes to remove them:
$number = str_replace(array('"', "'"), '', stripslashes($number));
An example use of stripslashes() is when the PHP directive magic_quotes_gpc is on (it's on by default), and you aren't inserting this data into a place (such as a database) that requires escaping. For example, if you're simply outputting data straight from an HTML form.
User input gets escaped by magic quotes.
http://www.php.net/manual/en/function.get-magic-quotes-gpc.php
Elegant weapons for a more... civilized age.
You possible have bad magic quotes turned on. If that's the case, you should simply disable them from php.ini.
See http://php.net/manual/en/security.magicquotes.php
Magic Quotes is a process that automagically escapes incoming data to the PHP script. It's preferred to code with magic quotes off and to instead escape the data at runtime, as needed.
When on, all ' (single-quote), " (double quote), \ (backslash) and NULL characters are escaped with a backslash automatically.
In short, magic quotes is a feature in PHP where quote characters are automatically escaped with the \ character.
Here are some solutions for turning off magic quotes: http://www.php.net/manual/en/security.magicquotes.disabling.php