Problem with img path in Linux - php

I am facing an issue while uploading formatted text/HTML to the db. Things work fine under WAMP, but when doing it in LAMP I am having a backslash added to the quotes:
string(114) "<p>
<img alt=\"\" src=\"/ckfinder/userfiles/images/aboutkg.jpg\" style=\"width: 607px; height: 221px;\" /></p>
"
I am using a Zend_Form and ckeditor. And I am pretty sure I am missing something simple; what is it?

You might be missing PHP's magic_quotes_gpc option or its friend magic_quotes_runtime. When those are enabled, PHP automatically escapes all quotes that arrive via HTTP request or are retrieved from the database and so on. It's a deprecated feature intended to prevent SQL injection. See the Magic Quotes chapter in the PHP manual.

Related

Should I use ENT_QUOTES with htmlspecialchars or not

I am using PHP 5.4.4 running as UTF-8, and I'm not sure if I am using htmlspecialchars right.
My strings / vars look like this:
$text = "<p><span class='clx'>By:</span> ".htmlspecialchars($foo)."</span></p>";
echo $text;
Do I need to use ENT_QUOTES, or is that only necessary when I have to echo something
inside e.g. href="$foo" or id='$foo'?
Atm, I'm only using htmlspecialchars inside closed HTML tags and not attributes.
I just concatenate the var inside the string between a <p> tag and a </p> tag.
Thanks
You should generally use it when taking data from database and inserting it into html elements. This is so that quotes from the data don't close the value quotes and mess up the html.
Short answer: Always.
Long answer: I highly recommend reading OWASP's PHP Top 5 and PHP Security Cheat Sheet
The OWASP Top 5 covers the five most serious and common security vulnerabilities afflicting PHP today:
Remote Code Execution
Cross-Site Scripting (XSS) [The one htmlspecialchars is trying to prevent]
SQL Injection
PHP Configuration
File System Attacks
It demonstrates common mistakes and solutions and is well worth reading for any PHP developer even considering hosting a live website.
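The difference ENT_QUOTES makes in the two contexts asked about above, as an added example that is not part of the original thread. The helper names e(), e_compat() and tag() and the sample value in $foo are constructed for illustration; tag and attribute names are assumed to come from the template, not from user input.

```php
<?php
// Added example; helper names and the sample value are constructed.

/** Encode for element content and for quoted attribute values of either kind. */
function e($value)
{
    return htmlspecialchars($value, ENT_QUOTES, 'UTF-8');
}

/** ENT_COMPAT was the default flag before PHP 8.1: " is encoded, ' is not. */
function e_compat($value)
{
    return htmlspecialchars($value, ENT_COMPAT, 'UTF-8');
}

/** Build a tag whose attribute values are always quoted and encoded with e(). */
function tag($name, array $attrs, $text)
{
    $html = '<' . $name;
    foreach ($attrs as $attr => $value) {
        $html .= ' ' . $attr . '="' . e($value) . '"';
    }
    return $html . '>' . e($text) . '</' . $name . '>';
}

$foo = "O'Brien' class='injected";   // constructed value containing apostrophes

// Element content (the case in the question): < > & are encoded by both
// variants, and a quote inside text content cannot change the markup.
echo "<p><span class='clx'>By:</span> " . e_compat($foo) . "</p>\n";

// Single-quoted attribute: with ENT_COMPAT the apostrophe ends the id value
// early and the rest of $foo is parsed as a second attribute.
echo "<span id='" . e_compat($foo) . "'>weak</span>\n";

// ENT_QUOTES encodes the apostrophe, so the whole value stays inside id.
echo "<span id='" . e($foo) . "'>ok</span>\n";

// Same result whichever quote style the template uses.
echo tag('span', array('id' => $foo, 'title' => 'say "hi"'), $foo) . "\n";
```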

PHP Login - Password input - Special characters? - Centos 5 System

I have a CentOS 5 VPS and I have just installed my website there. But I have a problem: when I'm inserting special characters into the password field, like ' (apostrophe) or something like that, I always get the error that this password is incorrect :/ I guess this is because of the Linux system. Am I right? Or maybe because of the sanitizing I'm doing?
I'd be glad if anyone could help me.
EDIT:
function array_sanitize(&$item) {
    $item = htmlentities(strip_tags(mysql_real_escape_string($item)));
}
If magic quotes are enabled, then you should turn them off:
Edit these in your php.ini:
; Magic quotes
;
; Magic quotes for incoming GET/POST/Cookie data.
magic_quotes_gpc = Off
; Magic quotes for runtime-generated data, e.g. data from SQL, from exec(), etc.
magic_quotes_runtime = Off
; Use Sybase-style magic quotes (escape ' with '' instead of \').
magic_quotes_sybase = Off
Or you can put this in .htaccess in document root:
php_flag magic_quotes_gpc Off
If you want to know about magic quotes:
http://php.net/manual/en/security.magicquotes.php
Hmm, this sounds like an input escaping issue to me, or some setting in the website.
Try to trace the path of the inputs to the actual query that executes and checks for a valid username/password. This is all I can write without actual code.
P.S. I can only post answers, that is why I am posting it like this.

saving html content in mysql database

I am using PHP and trying to save some HTML content in a MySQL database. The HTML content is generated by ckeditor. The content is something like this:
<p><img align="left" alt="" src="images/1im1.jpg" style="margin:1px 15px 0 0; border:1px solid #cecece; " /> <img alt="If syou love hot sauce" src="images/tit_If-you-love-hot-sauce.jpg" /></p><br>D'elidas is a fine<p>
I am using this in PHP:
$main_data = mysql_real_escape_string($_POST['content']);
This was working okay on my localhost (xampp), but it is not working online. My hosting is using the latest version of PHP and MySQL. After saving in the online database, I see this:
<p><img align=\"left\" alt=\"\" src=\"images/1im1.jpg\" style=\"margin:1px 15px 0 0; border:1px solid #cecece; \" /> <img alt=\"If syou love hot sauce\" src=\"images/tit_If-you-love-hot-sauce.jpg\" /></p>br>D\'elidas is a fine<p>
And that is why the HTML is not displaying correctly on my page. Please help me with this. It is adding slashes before quotes. I want to save the exact HTML and show it in the front end.
Your hosting company probably has magic quotes turned on - http://php.net/manual/en/security.magicquotes.php
You can't disable it in code, but Example 2 here shows a work around http://www.php.net/manual/en/security.magicquotes.disabling.php
It sounds like your host probably has magic_quotes_gpc turned on, which will automatically add slashes to quotes and double quotes on data coming in from $_GET, $_POST, and $_COOKIE.
You might want to create a wrapper function for escaping GPC data. As an example...
function mysql_escape_gpc($dirty)
{
    if (ini_get('magic_quotes_gpc'))
    {
        return $dirty;
    }
    else
    {
        return mysql_real_escape_string($dirty);
    }
}
This way your code is portable, regardless of how the server is configured.
Also, if your production environment supports it, you should consider looking into prepared statements. This way you don't have to worry about escaping your data, however you would still need to UNescape it in the event that magic_quotes_gpc is turned on.
When you fetch it from the database you need to run a stripslashes() on the HTML string. Right?
I accomplished this by using the following code segments in PHP and a MySQL database:
Storing into the database. You must use the following code segment in the actual MySQL insert call. I found out that if you do this to the variable first and then put the variable in the insert call, it will not work. The function must be in the MySQL statement.
mysql_real_escape_string($myValue)
Retrieving into a textbox value. Assuming your values have already been retrieved from the database and are now in an array called theValues. Basically I am removing any backslashes, but beforehand I'm making sure it can be displayed correctly using htmlentities. Since there are no backslashes in HTML that I know of, it fixes it where servers replace quotes with \". If you do encounter some backslashes in HTML you'll just have to be a bit more clever in your replacement function.
$myValue= str_replace("\\", "", htmlentities($theValues->myValue));
echo $myValue;
Echoing out onto a page: same reasons as above, but the htmlentities function makes it display only the text of the HTML instead of processing the HTML.
str_replace("\\", "",$myValue)

Why does _GET in PHP wrongly decode slash?

Today I ran into some oddity with PHP, which I fail to find a proper explanation for in the documentation. Consider the following code:
<?php
echo $_GET['t']. PHP_EOL;
?>
The code is simple - it takes a single t parameter on the url and outputs it back. So if you call it with test.php?t=%5Ca (%5c is a '\'), I expected to see:
\a
However, this is what I got:
$ curl http://localhost/~boaz/test.php?t=%5Ca
\\a
Notice the double slash. Can anyone explain what's going on and give a recipe for retrieving the string as it was supplied on the URL?
Thanks,
Boaz
PS. I'm using PHP 5.2.11
This happens because you have the "magic quotes" switch in php.ini switched on. From the manual:
When on, all ' (single-quote), " (double quote), \ (backslash) and NULL characters are escaped with a backslash automatically. This is identical to what addslashes() does.
Read more about it here: http://php.net/manual/en/security.magicquotes.php
To make your script aware of any value of the "magic_quotes_gpc" setting in php.ini, you can write your script like this:
$d = $_GET["d"];
if (get_magic_quotes_gpc()) $d = stripslashes($d);
echo $d; //but now you are kind of vulnerable to SQL injections
//if you don't properly escape this value in SQL queries.
You can easily fix this using the stripslashes() function. You should avoid magic quotes; they've been deprecated for security reasons.
Open the .htaccess file and put something like this:
php_flag magic_quotes_gpc off
php_flag magic_quotes_runtime off

CKEditor is saving text with extra slashes in HTML tags

When I retrieve the data from the textarea in the form,
<?php $editor_data = $_POST['editor1']; ?>
this works fine locally.
The remote server, however, returns the text mixing up the style with escape slashes, like this:
<h3 style=\"color: blue;\"> Initial value.</h3>
I've no idea what I'm doing wrong. Do you have any idea?
See:
http://www.php.net/manual/en/info.configuration.php#ini.magic-quotes-gpc
You can use the stripslashes function (http://www.php.net/stripslashes) if you cannot modify php.ini.
Since magic quotes have been DEPRECATED as of PHP 5.3.0 and REMOVED as of PHP 5.4.0, stripslashes($string) is the way to go.
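The approach the threads above converge on (undo magic quotes once at the input boundary, then store through a prepared statement), shown as an added example that is not code from any of the posts. The function name undo_magic_quotes(), the pages table, the editor1 field and the sample HTML are constructed; an in-memory SQLite database through PDO stands in for the MySQL connection and assumes the pdo_sqlite extension is available.

```php
<?php
// Added example: table name, field name and sample HTML are constructed.

/**
 * Undo magic_quotes_gpc once, at the input boundary.
 * $enabled = null detects the setting; pass true/false to force it (used below).
 */
function undo_magic_quotes($value, $enabled = null)
{
    if ($enabled === null) {
        // get_magic_quotes_gpc() no longer exists in PHP 8, so guard the call.
        $enabled = function_exists('get_magic_quotes_gpc') && @get_magic_quotes_gpc();
    }
    if (!$enabled) {
        return $value;
    }
    if (is_array($value)) {
        $clean = array();
        foreach ($value as $k => $v) {
            $clean[$k] = undo_magic_quotes($v, true);
        }
        return $clean;
    }
    return stripslashes($value);
}

$sent     = '<h3 style="color: blue;">D\'elidas is a fine</h3>';
// addslashes() reproduces what magic_quotes_gpc did to request data.
$received = array('editor1' => addslashes($sent));
$post     = undo_magic_quotes($received, true);

$pdo = new PDO('sqlite::memory:');          // stand-in for the MySQL connection
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE pages (id INTEGER PRIMARY KEY, body TEXT)');

// Bound parameter: the driver carries the value, no escaping function is applied.
$stmt = $pdo->prepare('INSERT INTO pages (body) VALUES (:body)');
$stmt->execute(array(':body' => $post['editor1']));

$stored = $pdo->query('SELECT body FROM pages WHERE id = 1')->fetchColumn();
var_dump($stored === $sent);                // the HTML round-trips byte for byte

// Re-opening it in the editor: encode for the textarea, do not strip anything.
echo '<textarea name="editor1">'
   . htmlspecialchars($stored, ENT_QUOTES, 'UTF-8') . "</textarea>\n";
```

Because the stored value is exactly what the editor sent, nothing has to be stripped on the way out, and content that legitimately contains backslashes survives.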
