Why am I getting this Array to String Conversion Notice - php

I am using an eCard program here to send invitations for an event and get the following notice:
Notice: Array to string conversion in
/nfs/c07/h01/mnt/108712/domains/christmasnativity.org/html/ecard/include/common.inc.php
on line 32
Here is the code from lines 29 to 33:
/* Clean up request: Remove magic quotes, if the setting is enabled. */
if (get_magic_quotes_gpc()) {
    foreach($_REQUEST as $name => $value)
        $_REQUEST[$name] = stripslashes($value);
}
Any clues what may be causing this error notice?
Thanks.

One of the values in $_REQUEST is an array. This can happen if a variable uses a name such as foo[].

You can avoid running stripslashes on arrays like this
if (get_magic_quotes_gpc()) {
    foreach($_REQUEST as $name => $value)
        if(!is_array($value)){
            $_REQUEST[$name] = stripslashes($value);
        }
}
but then the values inside an array $value won't get stripped.
A more complete solution would be something like this:
if (get_magic_quotes_gpc())
{
    strip_slashes_recursive($_REQUEST);
}
function strip_slashes_recursive(&$array)
{
    foreach ($array as $key => $value)
    {
        if (is_array ($value))
        {
            strip_slashes_recursive ($array[$key]);
        }
        else
        {
            $array[$key] = stripslashes($value);
        }
    }
}

Like Ignacio Vazquez-Abrams says, one of the $value's is an array. You can use the following to see what is an array (assuming you are/can output the results to somewhere you can see them):
$_REQUEST[$name] = stripslashes($value);
var_dump($value);

Related

Remove backslashes before slashes in php

I am using this php code to remove backslashes in my array:
$data[] = $_POST;
function stripslashes_deep($value)
{
    $value = is_array($value) ?
        array_map('stripslashes_deep', $value) :
        stripslashes($value);
    return $value;
}
$data = stripslashes_deep($data);
but I still have a backslash before the slashes like this:
"2''1\/2"
Can you please help remove this backslash in php.
Thanks
This will work, to remove \
$value= preg_replace('#\\\\#','',$value);
function stripslashes_deep($item){
    return stripslashes($item);
}
if(is_array($data)){
    $value=array_map('stripslashes_deep', $data);
}
else{
    $value=stripslashes($data);
}
I found it's much simpler using a foreach
foreach ($data as $key=>$value) {
    $data[$key] = stripslashes($value);
}
instead of the conditional operator and the recursive call..

PHP Notice: Array to string conversion Error

Been experiencing this error for a little while and can't find any conclusive answers on fixing it. I have tried removing quotes from $key in line 59 but to no avail.
if (!get_magic_quotes_gpc()) {
    if (isset($_POST)) {
        foreach ($_POST as $key => $value) {
            $_POST['$key'] = trim(addslashes($value));
        }
    }
    if (isset($_GET)) {
        foreach ($_GET as $key => $value) {
            $_GET[$key] = trim(addslashes($value));
        }
    }
}
LINE 59
$_POST['$key'] = trim(addslashes($value));
Error On Screen
Notice: Array to string conversion in
C:\Inetpub\vhosts\domain.com\httpdocs\library\config.php on
line 59
Check if it is array before you assign it
// Remove the quotes around $key here, and do something for arrays instead of using the empty string
$_POST[$key] = !is_array($value) ? trim(addslashes($value)) : '';
According to PHP.net the function addslashes() takes a String type as parameter. Check what type $value is. If it is an array itself then addslashes() may be throwing the error.
PS:
You should use $_POST[$key] rather than $_POST['$key'] if you want to use the value of $key as the index of the $_POST array.
I think you should use this code $_POST[$key] = $value; instead of using this $_POST['$key'] = trim(addslashes($value));
or make a check if the value is an array or not
Do this:
foreach ($_POST as &$value) {
    $value = is_array($value) ?
        array_map(function($x) { return trim(addslashes($x)); }, $value) :
        trim(addslashes($value));
}
unset($value); // break the reference left over from the loop
However, this could still fail if any of your parameters are multi-dimensional arrays. As mentioned in the comments, the right solution is to use prepared queries with parameters, rather than interpolating strings into SQL.
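The prepared-query approach recommended in the last answer, as an added example that is not part of the original thread: each value is bound as a parameter, and an array-valued field (including nested arrays) is checked for shape before use. The field names `name` and `qty`, the `orders` table and the `save_order()` helper are assumptions, and an in-memory SQLite database stands in for the real one.

```php
<?php
// Constructed request data standing in for $_POST; 'qty' is an array
// because the form field is named qty[]. All names here are assumptions.
$post = ['name' => "O'Brien", 'qty' => ['2', '5', 'abc', ['7']]];

// Assumes the pdo_sqlite extension; any PDO driver works the same way.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE orders (customer TEXT NOT NULL, qty INTEGER NOT NULL)');

/**
 * Insert one row per valid quantity and return the number of rows written.
 * Values are bound as parameters, so no addslashes() or magic-quotes
 * handling is involved (magic quotes were removed in PHP 5.4).
 */
function save_order(PDO $pdo, array $post): int
{
    // Reject unexpected shapes instead of passing them to string functions.
    if (!isset($post['name']) || !is_string($post['name'])) {
        throw new InvalidArgumentException('name must be a string');
    }
    if (!isset($post['qty']) || !is_array($post['qty'])) {
        throw new InvalidArgumentException('qty must be an array');
    }

    $stmt = $pdo->prepare('INSERT INTO orders (customer, qty) VALUES (:customer, :qty)');
    $written = 0;
    foreach ($post['qty'] as $raw) {
        // FILTER_VALIDATE_INT returns false for non-integers and for nested arrays.
        $qty = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
        if ($qty === false) {
            continue;
        }
        $stmt->bindValue(':customer', trim($post['name']), PDO::PARAM_STR);
        $stmt->bindValue(':qty', $qty, PDO::PARAM_INT);
        $stmt->execute();
        $written++;
    }
    return $written;
}

$written = save_order($pdo, $post);
$rows = $pdo->query('SELECT customer, qty FROM orders')->fetchAll(PDO::FETCH_ASSOC);
printf("%d rows written\n", $written);
print_r($rows);
```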

PHP/MySQL: Filtering POST & GET Data [duplicate]

Possible Duplicate:
What are the best PHP input sanitizing functions?
A while back I found this, what I thought to be great, snippet in someone's code to filter POST and GET data from injections.
function filter($data) { //Filters data against security risks.
    $data = trim(htmlentities(strip_tags($data)));
    if(get_magic_quotes_gpc()) $data = stripslashes($data);
    $data = mysql_real_escape_string($data);
    return $data;
}
foreach($_GET as $key => $value) $filterGet[$key] = filter($value);
foreach($_POST as $key => $value) $filterPost[$key] = filter($value);
And I've been using it ever since. But today, while sending an array through ajax I got tons of errors. Most of them say strip_tags() expects parameter 1 to be string, array given in...
What's the best way to filter data? All this data is going to a database. But what about cases where it isn't going to a database?
Here is the function you need:
function filter($data) { //Filters data against security risks.
    if (is_array($data)) {
        foreach ($data as $key => $element) {
            $data[$key] = filter($element);
        }
    } else {
        $data = trim(htmlentities(strip_tags($data)));
        if(get_magic_quotes_gpc()) $data = stripslashes($data);
        $data = mysql_real_escape_string($data);
    }
    return $data;
}
As is clear from the error message, this is happening for cases where an array is passed via GET/POST. You can parse each value of the array for such cases.
foreach($_GET as $key => $value){
    if(is_array($value)){
        foreach($value as $val){
            $filterGet[$key][] = filter($val);
        }
    }
    else{
        $filterGet[$key] = filter($value);
    }
}
What you should do is first check to see if $data is the correct format that you need it to be in. What you describe is that an array was passed into the $data parameter of your function, and PHP needs you to break it down into a string. Some extra logic is needed such as:
function filter($data) {
    if(is_array($data)) {
        foreach($data as $key => $value) {
            // Do stuff...
        }
    } else {
        // Do stuff...
    }
}
You should check if the input is an array. If so, loop it and strip tags for every array member, if not, then just strip tags for the input.
You can use array_walk
<?php
function wsafe(&$value,$key)
{
    // array_walk() ignores return values, so write the result back through the reference
    $value = safe($value);
}
function safe($value)
{
    if(is_array($value))
    {
        foreach($value as $key=>$val)
        {
            $value[safe($key)] = safe($val);
        }
    }
    else
    {
        $value = trim(htmlentities(strip_tags($value)));
        if(get_magic_quotes_gpc()) $value = stripslashes($value);
        $value = mysql_real_escape_string($value);
    }
    return $value;
}
array_walk($_POST,'wsafe');
array_walk($_GET,'wsafe');
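For the part of the question about data that is not going to a database, an added example (not from the thread) that declares the expected shape of each parameter, rejects array-versus-string mismatches instead of recursing into them, and escapes only at the point of HTML output. The parameter names and the `validate_request()` and `h()` helpers are assumptions made for this example.

```php
<?php
// Expected shape of each request parameter (names are assumptions).
$spec = [
    'email'   => ['filter' => FILTER_VALIDATE_EMAIL, 'flags' => FILTER_REQUIRE_SCALAR],
    'comment' => ['filter' => FILTER_UNSAFE_RAW,     'flags' => FILTER_REQUIRE_SCALAR],
    'tags'    => ['filter' => FILTER_UNSAFE_RAW,     'flags' => FILTER_REQUIRE_ARRAY],
];

/**
 * Validate $input against $spec and return [clean values, rejected keys].
 * filter_var_array() yields null for a missing key and false for a value
 * with the wrong shape or one that fails its filter; both are rejected.
 */
function validate_request(array $input, array $spec): array
{
    $result = filter_var_array($input, $spec, true);
    $clean = [];
    $rejected = [];
    foreach (array_keys($spec) as $key) {
        if ($result[$key] === null || $result[$key] === false) {
            $rejected[] = $key;
        } else {
            $clean[$key] = $result[$key];
        }
    }
    return [$clean, $rejected];
}

// Escape for the output context when writing HTML, not when reading input.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Constructed request: 'comment' was sent as comment[] and arrives as an array.
$input = [
    'email'   => 'alice@example.com',
    'comment' => ['<b>hi</b>'],
    'tags'    => ['php', '<script>'],
];
[$clean, $rejected] = validate_request($input, $spec);

foreach ($clean['tags'] ?? [] as $tag) {
    echo '<li>', h($tag), "</li>\n";
}
echo 'Rejected: ', implode(', ', $rejected), "\n";
```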

foreach loop not working

I'm trying to use a foreach loop to search for a word in $_POST, but it doesn't work? Help is appreciated.
$unsafeWords = array('content-typ','bcc','cc');
foreach ($_POST as $key => $input) {
    foreach ($unsafeWords as $value) {
        $_POST = str_ireplace($value, "", $input) ;
    }
}
Don't overwrite the $_POST array with a string
$unsafeWords = array('content-typ','bcc','cc');
foreach ($_POST as $key => $input) {
    foreach ($unsafeWords as $value) {
        $_POST[$key] = str_ireplace($value, "", $input) ;
    }
}
though I dislike overwriting the original $_POST array and would prefer to build a new array of cleaned values
Note that you don't need to loop the $unsafeWords array, but can pass it as an array directly to str_ireplace()
EDIT
Example of using the $unsafeWords array as an argument for str_ireplace() rather than looping through it with foreach() and calling str_ireplace() for each entry.
$unsafeWords = array('content-type','bcc','cc');
foreach ($_POST as $key => $input) {
    $_POST[$key] = str_ireplace($unsafeWords, "", $input) ;
}
and you're not replacing with a space, you're replacing with an empty string (effectively removing the unsafe strings from your $_POST vars)
EDIT 2
I guess it's OK to put this inside the foreach loop as well?
Not quite... if you're just adding it as an extra line within the loop, you'll overwrite your previous substitutions.
Do it as:
$unsafeWords = array('content-type','bcc','cc');
foreach ($_POST as $key => $input) {
    $_POST[$key] = str_ireplace($unsafeWords, "", filter_var($input, FILTER_SANITIZE_STRIPPED)) ;
}
You are trying to overwrite $_POST (which is an array) with string values. The correct way is this:
foreach ($_POST as &$input) {
    $input = str_ireplace($unsafeWords, array(), $input) ;
}
The above code also takes advantage of a couple other features (foreach with a reference as loop variable, str_ireplace accepting arrays) to be much shorter.
Not completely clear what you're asking but this:
$_POST = str_ireplace($value, "", $input) ;
definitely won't do what you expect. You probably want:
$_POST[$key] = str_ireplace($value, "", $input) ;
Try this instead (missing $key at the assignment)
$unsafeWords = array('content-typ','bcc','cc');
foreach ($_POST as $key => $input) {
    foreach ($unsafeWords as $value) {
        $_POST[$key] = str_ireplace($value, "", $input) ;
    }
}
Aside from that foreach problem, it seems very insufficient validation in terms of mail injection protection.
For the email field I'd use some regexp-based or filter_var() solution.
For the name and subject fields I'd suggest to encode it according to RFC rules.
So, I believe that safe code could be (in case of utf-8 encoded email):
if ($email = filter_var($_POST['email'], FILTER_VALIDATE_EMAIL)){
    $subject = "=?UTF-8?B?".base64_encode($_POST['subject'])."?=";
    $from = "From: =?UTF-8?B?".base64_encode($_POST['name'])."?= <$email>\r\n";
    $message = str_replace("\n.", "\n .", $_POST['text']);
    mail('me@example.com',$subject,$message,$from);
}
If you want to remove indexes from the $_POST array that are specified in the $unsafeWords, then you went on with the wrong approach. Use unset() function to remove the index you don't want or simply set it to
foreach($_POST as $key => $input)
{
    if(in_array($input, $unsafeWords))
    {
        $_POST[$key] = null; // or $_POST[$key] = '' or unset($_POST[$key])
    }
}

error during addslashes() function in php

html form code-
<td width="75">
<input name="txtQty[]" type="text" id="txtQty[]" size="5"
value="<?php echo $ct_qty; ?>" class="box" onKeyUp="checkNumber(this);">
When I submit the form it calls the following script-
if (!get_magic_quotes_gpc()) {
    if (isset($_POST)) {
        foreach ($_POST as $key => $value) {
            $_POST[$key] = trim(addslashes($value));
        }
    }
    if (isset($_GET)) {
        foreach ($_GET as $key => $value) {
            $_GET[$key] = trim(addslashes($value));
        }
    }
}
error-
Warning: addslashes() expects parameter 1 to be string, array given in C:\xampp\htdocs\shizin\products\library\config.php on line 53
I think this script is being used just to trim input but I don't know what this addslashes function does and why this error is coming.
If you apply this code on an int value then you remove these functions like this
if (!get_magic_quotes_gpc()) {
    if (isset($_POST)) {
        foreach ($_POST as $key => $value) {
            $_POST[$key] = $value;
        }
    }
    if (isset($_GET)) {
        foreach ($_GET as $key => $value) {
            $_GET[$key] = $value;
        }
    }
}
The whole approach is wrong.
Upon receiving user supplied data you have to strip slashes, added by magic quotes, not add.
About array approach it says 2 answers already posted, I hope it is well explained here.
Not so well, but anyway.
So, you will need 2 code snippets.
A first one is stripslashes_deep() from http://www.php.net/manual/en/function.stripslashes.php
A second one you will get after you tell us, why did you think you need the code you posted.
The error says that the addslashes function tries to quote a string with slashes,
but the $value parameter is not a string, it is an array.
What does $_GET contain?
It's because the page that calls this script passes an array: txtQty[]
http://php.net/manual/en/function.addslashes.php
Just echo $value before passing it to addslashes(), then you should see the problem immediately.
