I am using rawurlencode($url_variable) while passing it to a script.
When I receive the variable in the script, before passing it to MySQL, I was doing mysql_real_escape_string. Now the problem is that when there is a variable like
$url_variable = "Off-St.Mark's-Road" ... after I do mysql_real_escape_string it becomes like
Off-St.Mark\\'s-Road
which is creating a problem in the MySQL query.
How do I get over this? rawurlencode is necessary to pass variables to the script, and I want to do mysql_real_escape_string to make the data safe.
Looks like magic_quotes_gpc is turned on on your server; try this:
if (get_magic_quotes_gpc())
{
    // magic_quotes_gpc already added backslashes to request data; undo them first
    $text = stripslashes($your_var);
}
else
{
    $text = $your_var;
}
// escape exactly once, right before the value goes into the query
$text = mysql_real_escape_string($text);
I have a PHP page which is set to update an SQL record. This part works okay. The code has been written to redirect to the page
watch_process.php?username='".$_POST['Username']."'
which works fine, and I can see the URL has been amended correctly on the watch_process.php page when it loads. However, when I try to call it and print it on my PHP web page, I get nothing.
<?php echo $_GET['username'] ?>
The URL looks like this: http://netfox-social.co.uk/watch_process.php?username=%27sysadmin%27&
Have you any special intention in doing this?
watch_process.php?username='". $_POST['Username']."'
Why not just do it like so:
// REMEMBER TO urlencode() THE $_POST['Username'] VARIABLE
$url = "watch_process.php?username=" . urlencode($_POST['Username']);
// AND THEN GET BACK YOUR QUERY STRING NORMALLY, WITHOUT ANY TRIMMING, LIKE SO
// (PHP has already URL-decoded it when filling $_GET):
<?php echo $_GET['username']; ?>
// AND IF YOU NEED SINGLE QUOTES AROUND THE $_GET['username'] VARIABLE,
// YOU CAN EASILY ADD THEM ONCE YOU'VE RETRIEVED IT, LIKE SO:
$username = "'" . $_GET['username'] . "'";
But presumably you most likely don't need the single quotes, unless you really do....
You could try $_REQUEST['username']. $_REQUEST works for both GET and POST. And I think some of the quotes on the row watch_process.php?username='".$_POST['Username']."' are unnecessary.
Answer by AirPett (See comments)
I wasn't exactly sure how to word this, but essentially what I need is that when I send a SELECT query to MySQL, it doesn't pay attention to the escape character ( \ ) in the search. For example, if the name I am searching for is foo'bar and I send foo\'bar to the server, is there a way to make the server find foo'bar? This is the MySQL query currently:
// Trim whitespace, escape for a quoted SQL literal, then drop any HTML tags.
// Note: mysql_escape_string() does not take the connection charset into account
// the way mysql_real_escape_string() does.
function escape_data($data) {
    $data = mysql_escape_string(trim($data));
    $data = strip_tags($data);
    return $data;
}
$champ1 = escape_data($_GET['champ1']);
// $role is assumed to hold the column name, set earlier in the script
foreach ($db->query("SELECT * FROM champs WHERE name = '$champ1'") as $row) {
    $role_verify_1 = $row[$role];
}
The only way I can get foo'bar to return is if I change it to foo\'bar in the MySQL database, and I would like not to if it is possible.
The function you want is stripslashes before mysql_real_escape_string; however, your real concern should be where the slashes are actually coming from. It looks like you might have magic quotes turned on. This is deprecated; check the link for instructions on disabling it.
The syntax of PHP requires that.
For example:
name = '$champ1'
Here you have a variable in ' tags. But that variable includes a ' inside, like foo'bar, so it turns into
name = 'foo'bar'
As you see, PHP can't understand what is going on there, so it needs to clear that problem by adding a \ before the '. And the inserted item will have slashes before apostrophes.
As a solution you can delete the backslashes before you echo the variable.
// remove every backslash ("\\" in PHP source is one literal backslash)
$theVariable = str_replace("\\", "", $theVariable);
Or you can use the functions of PHP's newer versions, like stripslashes(), before you insert your data.
Good luck.
I get a string from an external client-side script which must later be attached as part of a URL. Now I am wondering what the best way is to sanitize such data.
The string I get will have a structure like this:
dynamicVal#staticVal:dynamicVal
This value will then be added to an url:
http://the-page.com/dynamicVal#staticVal:dynamicVal
The URL is then used as follows:
$link = htmlspecialchars("http://external-page.com/dynamicVal#staticVal:dynamicVal", ENT_QUOTES);
$var = "'Open URL'";
The problem is, htmlspecialchars won't help to prevent execution of random JavaScript code, e.g. by adding this alert to the value:
dynamicVal#staticVal:dynamicVal'+alert(\"breakout\")+'
Using rawurlencode won't help either, because it is not the value of a parameter but a real part of the URL.
So what is the best way to sanitize the passed string when concatenating it to the URL?
Thanks in advance.
Edit:
Using rawurlencode only on the dynamic parts actually also didn't solve the issue; the JavaScript still got executed.
Test snippet:
$splitVal = "#staticVal:";
$tmpArr = explode($splitVal, "dynamicVal#staticVal:dynamicVal'+alert(\"breakout\")+'");
$link = htmlspecialchars(sprintf("http://external-page.com/"."%s$splitVal%s", rawurlencode($tmpArr[0]), rawurlencode($tmpArr[1])), ENT_QUOTES);
echo "'Open URL'";
Edit2:
Using json_encode when passing the string as javascript argument didn't help either.
Adapted test snippet:
$splitVal = "#staticVal:";
$tmpArr = explode($splitVal, "dynamicVal#staticVal:dynamicVal\"+alert('breakout')+\"");
$link = htmlspecialchars(sprintf("http://external-page.com/"."%s$splitVal%s", rawurlencode($tmpArr[0]), rawurlencode($tmpArr[1])), ENT_QUOTES);
echo "'Open URL'";
Adaptions done:
Switched the quotes in the malicious JS.
Moved htmlspecialchars around json_encode, because a double quoted string gets returned which would break the html otherwise.
You should use urlencode() for this, not on the whole string but on the dynamic parts only.
$link = sprintf('http://external-page.com/%s#staticVal:%s', urlencode('dynamicVal'), urlencode('dynamicVal'));
$var = "'Open URL'";
EDIT:
OK - I see your problem. I didn't realize that you insert the code into a JavaScript function call. You'll have to ensure that the JavaScript interpreter treats your link as a string argument to window.open():
$link = sprintf('http://external-page.com/%s#staticVal:%s', urlencode('dynamicVal'), urlencode('dynamicVal'));
$var = "'Open URL'";
For completeness, I was able to solve that issue by simply putting addslashes on the dynamic part before using rawurlencode.
Both function calls are needed to prevent breaking out. Using addslashes prevents normal quotes (', ") and rawurlencode prevents already-encoded quotes (%29, %22) from causing harm.
So final solution looks like this:
$splitVal = "#staticVal:";
$tmpArr = explode($splitVal, "dynamicVal#staticVal:dynamicVal'+alert(\"breakout\")+'");
$link = htmlspecialchars(sprintf("http://external-page.com/"."%s$splitVal%s", rawurlencode(addslashes($tmpArr[0])), rawurlencode(addslashes($tmpArr[1]))), ENT_QUOTES);
echo "'Open URL'";
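The following is an added example, not code from the question or from either answer. It takes the attacker strings from the question and runs them through one encoder per context, innermost first: rawurlencode() for the URL path segments, json_encode() for the JavaScript string literal, htmlspecialchars() for the HTML attribute. The `<a onclick="...">` markup is an assumption, since the original post's HTML was not preserved above; `build_url`, `js_string`, `html_attr`, `link_markup` and `attribute_is_inert` are names chosen here.

```php
<?php
// Added example, not the original poster's code or the answerer's. Each
// layer the value passes through gets its own encoder, innermost first:
// URL path segment, then JavaScript string literal, then HTML attribute.
// The payloads are the ones from the question; the <a onclick=...> markup
// is an assumption, since the original post's HTML was not preserved.

declare(strict_types=1);

const STATIC_SEGMENT = '#staticVal:';

// Layer 1, URL path: rawurlencode() percent-encodes ' " < > + and also %,
// so a pre-encoded %27 becomes %2527 and decodes back to the text "%27".
function build_url(string $left, string $right): string
{
    return 'http://external-page.com/' . rawurlencode($left)
        . STATIC_SEGMENT . rawurlencode($right);
}

// Layer 2, JS string literal: json_encode() yields a double-quoted literal,
// and the JSON_HEX_* flags turn < > & ' " into \u003C etc. so the literal
// cannot close a <script> or an attribute whatever the outer context is.
function js_string(string $s): string
{
    $json = json_encode($s, JSON_HEX_TAG | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_HEX_AMP);
    if ($json === false) {
        throw new RuntimeException('value is not valid UTF-8');
    }
    return $json;
}

// Layer 3, HTML attribute value: ENT_QUOTES escapes both quote characters.
function html_attr(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Split on the fixed marker as the question does, then wrap layer by layer.
function link_markup(string $untrusted): string
{
    $parts = explode(STATIC_SEGMENT, $untrusted, 2);
    $url   = build_url($parts[0], $parts[1] ?? '');
    $call  = 'window.open(' . js_string($url) . '); return false';
    return '<a href="#" onclick="' . html_attr($call) . '">Open URL</a>';
}

// A cheap check that the attribute cannot be terminated early: the onclick
// value must contain no raw quote of either kind and no angle bracket.
function attribute_is_inert(string $markup): bool
{
    if (!preg_match('/onclick="([^"]*)"/', $markup, $m)) {
        return false;
    }
    return strpbrk($m[1], "'\"<>") === false;
}

// Constructed payloads: the two from the question plus two variants.
$payloads = [
    "dynamicVal#staticVal:dynamicVal'+alert(\"breakout\")+'",
    "dynamicVal#staticVal:dynamicVal\"+alert('breakout')+\"",
    "dynamicVal#staticVal:dynamicVal%27+alert(1)+%27",        // already-encoded quote
    "dynamicVal#staticVal:</script><script>alert(1)</script>",
];

foreach ($payloads as $p) {
    $markup = link_markup($p);
    echo attribute_is_inert($markup) ? 'inert: ' : 'BREAKOUT: ', $markup, "\n";
}
```

The order is what matters: once the dynamic parts are percent-encoded there are no quote characters left for the JavaScript layer to worry about, json_encode() then produces a literal that is valid whatever the surrounding quotes are, and htmlspecialchars() makes that literal safe to sit inside an attribute. addslashes() is a MySQL-style escape and has no defined meaning for either a URL or an HTML attribute, which is why stacking it with rawurlencode() works only by accident.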
I am using a function to insert data into the database.
So here is where it inserts.
I am inserting this:
<div class="widget" id="recentcomments"><h2>Blog</h2></div>
update_option("head-text", mysql_real_escape_string($head_text));
So it inserts into the database, and when I save and pull it back out like below,
<input type="text" name="head-text" id="head-text" class="regular-text" value="<?php echo htmlentities($head_text, ENT_QUOTES); ?>"/>
I get the following:
<div class=\\\"widget\\\" id=\\\"recentcomments\\\"><h2>Blog</h2></div>
loads of \\\\
Sorry for the vague question before.
According to the manual for mysql_real_escape_string:
If magic_quotes_gpc is enabled, first apply stripslashes() to the data. Using this function on data which has already been escaped will escape the data twice.
You can go for a function like this (in case you don't want to use prepared statements):
function safe($input)
{
    // magic_quotes_gpc already backslash-escaped request data; undo that first
    // so the value is escaped exactly once below
    if (get_magic_quotes_gpc())
    {
        $input = stripslashes($input);
    }
    return mysql_real_escape_string($input);
}
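The snippet after "Looks like magic_quotes_gpc is turned on" near the top of the page, the foo'bar question, and the safe() function above all deal with the same two things: request data that arrives already backslash-escaped, and a second escape on top of it. The block below is an added example, not code from any of those posts. It shows where the tripled backslashes in the question come from and then replaces hand escaping with a PDO prepared statement. It assumes the pdo_sqlite extension so it runs offline; the table "champs" with columns name/role is borrowed from the foo'bar question, the rows are constructed here, and `show_double_escape`, `unquote_request`, `open_db` and `find_role` are names chosen for the example. The mysql_* functions themselves were removed in PHP 7.0, and get_magic_quotes_gpc() is deprecated in 7.4 and gone in 8.0.

```php
<?php
// Added example, not code from any of the posts above. It shows where the
// doubled backslashes come from and replaces hand escaping with a prepared
// statement. Assumes the pdo_sqlite extension so it runs offline; the table
// "champs" with columns name/role is borrowed from the foo'bar question.

declare(strict_types=1);

// addslashes() does to a string what magic_quotes_gpc did to every request
// value. Running it twice (magic quotes, then mysql_real_escape_string) is
// how <div class="widget"> became <div class=\\\"widget\\\">.
function show_double_escape(string $s): array
{
    $once  = addslashes($s);
    $twice = addslashes($once);
    return ['once' => $once, 'twice' => $twice, 'restored' => stripslashes($once)];
}

// Undo magic quotes exactly once, and only when the setting really is on.
// get_magic_quotes_gpc() is deprecated in PHP 7.4 and gone in 8.0, hence
// the function_exists() guard; on those versions the input is returned as is.
function unquote_request(string $value): string
{
    if (function_exists('get_magic_quotes_gpc') && @get_magic_quotes_gpc()) {
        return stripslashes($value);
    }
    return $value;
}

function open_db(): PDO
{
    $pdo = new PDO('sqlite::memory:');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->exec('CREATE TABLE champs (name TEXT NOT NULL, role TEXT NOT NULL)');
    $ins = $pdo->prepare('INSERT INTO champs (name, role) VALUES (?, ?)');
    $ins->execute(["foo'bar", 'support']);              // sample rows, constructed here
    $ins->execute(["Off-St.Mark's-Road", 'street']);
    return $pdo;
}

// The bound value is sent as data, so the apostrophe needs no escaping at all
// and cannot terminate the string literal in the SQL.
function find_role(PDO $pdo, string $name): ?string
{
    $stmt = $pdo->prepare('SELECT role FROM champs WHERE name = ?');
    $stmt->execute([$name]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row['role'];
}

print_r(show_double_escape('<div class="widget">'));
// once:     <div class=\"widget\">
// twice:    <div class=\\\"widget\\\">
// restored: <div class="widget">

$pdo = open_db();
var_dump(find_role($pdo, unquote_request("foo'bar")));             // string(7) "support"
var_dump(find_role($pdo, unquote_request("Off-St.Mark's-Road")));  // string(6) "street"
var_dump(find_role($pdo, "foo\\'bar"));       // NULL: the escaped form matches nothing
var_dump(find_role($pdo, "' OR '1'='1"));     // NULL: an injection attempt is just a string
```

With a prepared statement there is nothing to strip on output either: what was bound is what is stored, so the `<div class=\\\"widget\\\">` row in the last question can only come from escaping twice on the way in.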
There's no need to call stripslashes() on output if SQL escaping is done properly.
You have your data escaped twice before it gets inserted into the database.
You have to find what is causing this and turn off the excessive escaping.
It could be the magic_quotes_gpc setting.
In this case you have to turn off this setting in the PHP configuration, and add code that checks the get_magic_quotes_gpc() result and strips slashes from all superglobal arrays if magic quotes are certainly turned on.
It could also be just mysql_real_escape_string/addslashes being called twice in your code. You have to search your code for this and get rid of the one which is called earlier than the other.
Thanks for the replies; got it working with the following.
<?php echo htmlentities(stripslashes($head_text)); ?>
Needed them both.
What series of steps would be required to safely encode and pass a string from an HTML href using JavaScript to construct the link to a PHP program?
In JavaScript, set up the URL:
// encodeURIComponent() percent-encodes the value so it can be a query-string parameter
path = "mypgm.php?from=" + encodeURIComponent(myvar);
In PHP:
// get passed variables
$myvar = isset($_GET['myvar']) ? $_GET['myvar'] : '';
// decode (make the string readable)
$myvar = rawurldecode($myvar);
// convert characters to HTML entities (reduce risk of attack)
$myvar = htmlentities($myvar);
// maybe a custom sanitize program as well? sanitize() is not defined here;
// see http://stackoverflow.com/questions/2668854/php-sanitizing-strings-to-make-them-url-and-filename-safe
$myvar = sanitize($myvar);
I think the first two lines should be fine. You would use htmlentities if and when you have to output it as text.
Looking at your code, all you really need is this:
$myvar = !empty($_GET['myvar']) ? $_GET['myvar'] : '';
Beyond that, PHP automatically URL-decodes. I personally prefer to do my htmlentities() or htmlspecialchars() when I go to output data, i.e.:
<?php echo htmlentities($mydata); ?>
The only other time you specifically need to escape or sanitize data is if you're building a SQL query:
// escape once, and use the escaped copy in the query
$data = mysql_real_escape_string($mydata);
$query = "SELECT * FROM table WHERE stuff = '$data'";
That will prevent SQL injection. Unless you're formatting user input or performing validation, it's not absolutely necessary to do any other kind of sanitization.
Hope this helps!
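The answer above says PHP has already URL-decoded $_GET, and the earlier answer about urlencode() on $_POST['Username'] makes the same point from the sending side. The block below is an added example, not code from either answer or from the question: it follows one value from the query string into PHP and out to HTML, and shows why an extra rawurldecode() on $_GET is a double decode. parse_str() stands in for what PHP does when it fills $_GET; the parameter name `from` is taken from the question's JavaScript (which sends `from=` although the PHP reads `myvar`), the payloads are constructed here, and `emulate_get`, `read_once`, `read_double_decoded` and `html` are names chosen for the example.

```php
<?php
// Added example, not from the original answer. Follows one value from the
// browser's encodeURIComponent() into PHP and back out to HTML, and shows
// why an extra rawurldecode() on $_GET is a double decode. parse_str()
// stands in for the decoding PHP does when it fills $_GET.

declare(strict_types=1);

// Emulate PHP populating $_GET from the raw query string of a request.
function emulate_get(string $query_string): array
{
    parse_str($query_string, $get);
    return $get;
}

// What the answer recommends: take the already-decoded value as is.
function read_once(array $get, string $key): string
{
    return $get[$key] ?? '';
}

// What the question did: decode $_GET a second time.
function read_double_decoded(array $get, string $key): string
{
    return rawurldecode($get[$key] ?? '');
}

// Output-time escaping for an HTML text node or attribute value.
function html(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Browser side: encodeURIComponent("O'Brien <b>") sends O'Brien%20%3Cb%3E
// (it leaves the apostrophe alone); PHP's rawurlencode() sends the same
// bytes except that it also encodes the apostrophe as %27.
$get = emulate_get('from=' . rawurlencode("O'Brien <b>"));
echo read_once($get, 'from'), "\n";         // O'Brien <b>
echo html(read_once($get, 'from')), "\n";   // O&#039;Brien &lt;b&gt;

// A user who literally typed 100%25 is sent as 100%2525; decoding once
// gives the text back, decoding twice mangles it.
$literal = emulate_get('from=' . rawurlencode('100%25'));
echo read_once($literal, 'from'), "\n";            // 100%25
echo read_double_decoded($literal, 'from'), "\n";  // 100%

// Worse, a double decode lets an attacker smuggle characters past a check
// that looked at $_GET: %2527 decodes once to %27 and a second time to '.
$smuggled = emulate_get('from=%2527%20OR%201%3D1');
echo read_once($smuggled, 'from'), "\n";            // %27 OR 1=1
echo read_double_decoded($smuggled, 'from'), "\n";  // ' OR 1=1
```

The practical rule this illustrates: decode exactly once (PHP does that for you), keep the value raw while it is in memory, and encode for the destination at the moment of output, htmlspecialchars() for HTML and a bound parameter for SQL.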