html form code-
<td width="75">
<input name="txtQty[]" type="text" id="txtQty[]" size="5"
value="<?php echo $ct_qty; ?>" class="box" onKeyUp="checkNumber(this);">
when I submit form I calls following script-
if (!get_magic_quotes_gpc()) {
if (isset($_POST)) {
foreach ($_POST as $key => $value) {
$_POST[$key] = trim(addslashes($value));
}
}
if (isset($_GET)) {
foreach ($_GET as $key => $value) {
$_GET[$key] = trim(addslashes($value));
}
}
}
error-
Warning: addslashes() expects parameter 1 to be string, array given in C:\xampp\htdocs\shizin\products\library\config.php on line 53
I think this script is being used just to trim input but I dont know what this addslash function does and why this error coming.
If you apply this code on an int value then you remove these function like this
if (!get_magic_quotes_gpc()) {
if (isset($_POST)) {
foreach ($_POST as $key => $value) {
$_POST[$key] = $value;
}
}
if (isset($_GET)) {
foreach ($_GET as $key => $value) {
$_GET[$key] = $value;
}
}
}
The whole approach is wrong.
Upon receiving user supplied data you have to strip slashes, added by magic quotes, not add.
About array approach it says 2 answers already posted, I hope it is well explained here.
Not so well, but anyway.
So, you will need 2 code snippets.
A first one is stripslashes_deep() from http://www.php.net/manual/en/function.stripslashes.php
A second one you will get after you tell us, why did you think you need the code you posted.
the error said , the addslashes function try to Quote string with slashes ,
but the $value the parameter is not a string is an array,
what CONTAIN the $_GET ?
its because that the page that call to this script pass a array . txtQty[]
http://php.net/manual/en/function.addslashes.php
Just echo $value before passing it to addslashes(), then you should see the problem immediately.
Related
I created a function to iterate through the $_GET array and, after verifying the data, create a constant for each element. However, it only returns the first constant.
function sanitize($key, $value){
$safe_types = array(
"month",
"year",
"course",
"pagetype",
"studentid"
);
if (in_array($key, $safe_types)) {
$key = strtoupper($key);
if (is_numeric($value) || preg_match("#^[a-z_]+#", $value)){
define ($key, $value);
}
}
}
foreach ($_GET as $key => $value) {
sanitize($key, $value);
}
I also tried array_walk with no better result.
Thank you all for taking a look and telling me it worked for you.
The issue was not the $_GET array provided but how I was testing the results. I had the following:
echo
"<br/>month: ".MONTH;
"<br/>course: ".COURSE;
"<br/>pagetype: ".PAGETYPE;
"<br/>studentid: ".STUDENTID;
. . .but of course should have had periods instead of semicolons.
I have the following code which functions as intended when $_POST values are set, however, if no $_POST values(IE when the page is first loaded) are set I get "Warning: Invalid argument supplied for foreach() in..." $_POST is always going to be empty until the user clicks submit. I have tried empty(), isset() and now count().
if(isset($_POST['submitbtn'])){
$errors = CheckFormErrors();
if(count($errors) == 0){
$data = CleanFormData();
print_r($data);
}
}
Here is the function being called(not yet complete, but it is working):
function CleanFormData(){
foreach($_POST as $key => $value){
if($key == 'description'){ continue; }
if($key == 'file'){ continue; }
if($key == 'role'){ continue; }
$_POST[$key] = is_array($key) ? $_POST[$key]: strip_tags($_POST[$key]);
}
return $_POST;
}
I thought that I could surpress the error by putting it in a conditional statement, evidently that is incorrect. A little help?
As already stated in comments, you have to check if the superglobal $_POST is empty before calling the foreach itself (inside the function), not outside the function - this way you don't have to check for !empty($_POST) every time you are calling this function.
function CleanFormData() {
if (!empty($_POST)) {
foreach($_POST as $key => $value) {
// Loops here
}
}
return $_POST;
}
Been experiencing this error for a little while and can't find any conclusive answers on fixing it. I have tried removing quotes from $key in line 59 but to no avail.
if (!get_magic_quotes_gpc()) {
if (isset($_POST)) {
foreach ($_POST as $key => $value) {
$_POST['$key'] = trim(addslashes($value));
}
}
if (isset($_GET)) {
foreach ($_GET as $key => $value) {
$_GET[$key] = trim(addslashes($value));
}
}
}
LINE 59
$_POST['$key'] = trim(addslashes($value));
Error On Screen
Notice: Array to string conversion in
C:\Inetpub\vhosts\domain.com\httpdocs\library\config.php on
line 59
Check if it is array before you assign it
$_POST[$key] = !is_array($value) ? trim(addslashes($value)) : '';
// ^ Remove the quotes here // ^ Do something
// Instead of
// Using empty
According to PHP.net the function addslashes() takes a String type as parameter. Check what type $value is. If it is an array itself then addslashes() may be throwing the error.
PS:
You should use $_POST[$key] rather than $_POST['$key'] if you want to use the value of $key as the index of the $_POST array.
I think you should use this code $_POST[$key] = $value; instead of using this $_POST['$key'] = trim(addslashes($value));
or make a check if the value is in array or not
Do this:
foreach ($_POST as &$value) {
$value = is_array($value) ?
array_map(function($x) { return trim(addslashes($x)); } :
trim(addslashes($value));
}
However, this could still fail if any of your parameters are multi-dimensional arrays. As mentioned in the comments, the right solution is to use prepared queries with parameters, rather than interpolating strings into SQL.
I'm trying to use a foreach loop to search for word in $_POST, but it doesn't work? Help is preciated.
$unsafeWords = array('content-typ','bcc','cc');
foreach ($_POST as $key => $input) {
foreach ($unsafeWords as $value) {
$_POST = str_ireplace($value, "", $input) ;
}
}
Don't overwrite the $_POST array with a string
$unsafeWords = array('content-typ','bcc','cc');
foreach ($_POST as $key => $input) {
foreach ($unsafeWords as $value) {
$_POST[$key] = str_ireplace($value, "", $input) ;
}
}
though I dislike overwriting the original $_POST array and would prefer to build a new array of cleaned values
Note that you don't need to loop the $unsafeWords array, but can pass an it as an array directly to str_ireplace()
EDIT
Example of using the $unsafeWords array as an argument for str_ireplace() rather than looping through it with foreach() and calling str_ireplace() for each entry.
$unsafeWords = array('content-type','bcc','cc');
foreach ($_POST as $key => $input) {
$_POST[$key] = str_ireplace($unsafeWords, "", $input) ;
}
and you're not replacing with a space, you're replacing with an empty string (effectively removing the unsafe strings from your $_POST vars)
EDIT 2
I guess it's OK to put this inside the
foreach loop as well?
Not quite... if you're just adding it as an extra line within the loop, you'll overwrite your previous substitutions.
Do it as:
$unsafeWords = array('content-type','bcc','cc');
foreach ($_POST as $key => $input) {
$_POST[$key] = str_ireplace($unsafeWords, "", filter_var($input, FILTER_SANITIZE_STRIPPED)) ;
}
You are trying to overwrite $_POST (which is an array) with string values. The correct way is this:
foreach ($_POST as &$input) {
$input = str_ireplace($unsafeWords, array(), $input) ;
}
The above code also takes advantage of a couple other features (foreach with a reference as loop variable, str_ireplace accepting arrays) to be much shorter.
Not completely clear what you're asking but this:
$_POST = str_ireplace($value, "", $input) ;
definitely won't do what you expect. You probably want:
$_POST[$key] = str_ireplace($value, "", $input) ;
Try this instead (missing $key at the assignment)
$unsafeWords = array('content-typ','bcc','cc');
foreach ($_POST as $key => $input) {
foreach ($unsafeWords as $value) {
$_POST[$key] = str_ireplace($value, "", $input) ;
}
}
Aside form that foreach problem, it seems very insufficient validation in terms of mail injection protection.
For the email field I'd use some regexp-based or filter_var() solution.
For the name and subject fields I'd suggest to encode it according to RFC rules.
So, I believe that safe code could be (in case of utf-8 encoded email):
if ($email = filter_var($_POST['email'], FILTER_VALIDATE_EMAIL)){
$subject = "=?UTF-8?B?".base64_encode($_POST['subject'])."?=";
$from = "From: =?UTF-8?B?".base64_encode($_POST['name'])."?= <$email>\r\n";
$message = str_replace("\n.", "\n .", $_POST['text']);
mail('me#example.com',$subject,$message,$from);
}
If you want to remove indexes from the $_POST array that are specified in the $unsafeWords, then you went on with the wrong approach. Use unset() function to remove the index you don't want or simply set it to
foreach($_POST as $key => $input)
{
if(in_array($input, $unsafeWords)
{
$_POST[$key] = null; // or $_POST[$key] = '' or unset($_POST[$key]
}
}
I am using an eCard program here to send invitations for an event and get the following notice:
Notice: Array to string conversion in
/nfs/c07/h01/mnt/108712/domains/christmasnativity.org/html/ecard/include/common.inc.php
on line 32
Here is the code from lines 29 to 33:
/* Clean up request: Remove magic quotes, if the setting is enabled. */
if (get_magic_quotes_gpc()) {
foreach($_REQUEST as $name => $value)
$_REQUEST[$name] = stripslashes($value);
}
Any clues what may be causing this error notice?
Thanks.
One of the values in $_REQUEST is an array. This can happen if a variable uses a name such as foo[].
You can avoid running stripslashes on arrays like this
if (get_magic_quotes_gpc()) {
foreach($_REQUEST as $name => $value)
if(!is_array($value)){
$_REQUEST[$name] = stripslashes($value);
}
}
but then the values inside an array $value won't get stripped.
A more complete solution would be something like this:
if (get_magic_quotes_gpc())
{
strip_slashes_recursive($_REQUEST);
}
function strip_slashes_recursive(&$array)
{
foreach ($array as $key => $value)
{
if (is_array ($value))
{
strip_slashes_recursive ($array[$key]);
}
else
{
$array[$key] = stripslashes($value);
}
}
}
Like Ignacio Vazquez-Abrams says, one of the $value's is an array. You can use the following to see what is an array (assuming you are/can output the results to somewhere you can see them):
$_REQUEST[$name] = stripslashes($value);
var_dump($value);