Zend Framework: How to unescape backslashes and quotes - php

I'm using Zend Framework and it is escaping single quotes, double quotes and backslashes. This is done even before I save the text to the database so I guess it is done by the Zend_Form object.
Are those the only characters it escapes? Does Zend have a function to undo this escaping or a way to turn off this escaping?
The text is code so I really need it to show as the user sent it; it is gonna be highlighted by GeSHi or shown as plain text.
Simply using stripslashes removes the unwanted backslashes, but also removes backslashes the user intentionally typed.
Thanks

This depends on how you are getting the post data.
The following method will give you the raw output of any POST data:
$request = $this->getRequest();
if ($request->isPost()) {
    $post = $request->getPost(); // $post becomes an array of post variables
}

I found I had magic_quotes_gpc activated on this machine... turning it off makes it work as it should.
Thanks andybaird for the help anyway.

Related

Getting all tangled up in json_encode/json_parse and escaping

I have problems when users input " or \ on an HTML form.
The inputted text will be shown again to the user in HTML content and HTML attribute contexts.
I have the following data flow:
1. jQuery form line input
2. $_POST
3. escape for html attribute: function escapes either with html entities or hex entities (" or \)
4. json_encode in php
5. some unknown javascript interference which blows the fuses
6. json_parse in a jquery ajax callback
The goal is to show the user the exact same text as they inputted, but to escape properly to avoid xss attacks.
Now first thing I got was that $_POST had slashes added for some reason. So I now use stripslashes first. That solved everything for single quotes, but if the user inputs " or \ it still breaks.
The problem seems to be that JavaScript does some decoding before the json_parse gets the data. It turns the hex escapes back to \ and " thus killing json_parse.
So then I thought if between step 4 and 5 I use htmlspecialchars( $data, NO_QUOTES, 'utf-8' ) I encode the ampersands to &amp;, which should neutralise the javascript decoding, but no. It doesn't decode &amp; for some reason while it does decode &quot; and the hex encodings...
Where am I going wrong?
Is there a way to know exactly what the JavaScript decodes and neutralize it from php?
What I'm doing now, after wasting half a day:
I think it's probably some jQuery thing to interfere with the data before the onsuccess handler gets it. I have no time to dig it up and kill it right now, so I'm just sneaking past it with a hack that means 3 string transformations just to keep a string untransformed, but hey, developer time is a rare commodity here.
in php:
// due to a problem with the jQuery callback code which seems to decode html entities and hex entities except for &amp;
// we need to do something to keep our data intact, otherwise parse_json chokes on unescaped backslashes
// and quotes. So we mask the entity by transforming the & into &amp; here and back in js.
// TODO: unit test this to prevent regression
// TODO: debug the jQuery to avoid this workaround
//
// echo json_encode( $response );
echo preg_replace( '/&/u', '&amp;', json_encode( $response ) );
in js before parse_json:
// due to a problem with the jQuery callback code which seems to decode html entities and hex entities except for &amp;
// we need to do something to keep our data intact, otherwise parse_json chokes on unescaped backslashes
// and quotes. So we mask the entity by transforming the & into &amp; here and back in js.
// See function xxxxxx() in file xxxxx.php for the corresponding transformation
//
responseText = responseText.replace( /&amp;/g, '&' );
I couldn't be bothered at the moment to write the unit tests for it, but I don't seem to be able to break it.
The true question remains how can I knock out the unwanted transformation while getting the same result?
Try turning off "Magic Quotes" in php. That way the data comes in through $_POST just like the user typed it. See: http://www.php.net/manual/en/security.magicquotes.disabling.php
Then you can escape it according to your needs.
I had a problem like your problem and used utf8_encode() function. Now it works well. Can you try it?

wrong url extraction

I am getting input from the user on my site through a text area. The input may contain an <a> tag.
I want to extract the url from the input.
$res = get_magic_quotes_gpc() ? stripslashes($data) : $data;
$res = mysql_real_escape_string($res); // php 4.3 and higher
preg_match('#href\s*?=\s*?[\'"]?([^\'"]*)[\'"]?#i', $res, $captures);
$href = $captures[1];
example
If the input string is this:
$data = 'any string Any Anchor';
the extracted output becomes
"\"http://www.example.com""
I checked the output after each line; 2 double quotes come after
mysql_real_escape_string($res);
mysql_real_escape_string should only AND ALWAYS be used when passing user values into MySQL queries. Don't use it for anything else, use the right escaping function for the right task.
Here, I don't think you need to use an escape function at all. Your regular expression looks fine, I'm confident it will work if you remove the escaping function.
Also, don't use get_magic_quotes_gpc if you can avoid it. I could explain why but I suppose the fact that it's been deprecated since PHP5.0 is evidence enough. If your host does not allow you to disable it I would consider switching to a more savvy host.
Why don't you try processing the input using XPath to find the a elements and then extract the href attribute value? I did something similar and used XPath in order to process input and it worked a treat. Saves you having to write very complex regex expressions if you would like to account for other tags later on.
Hope this helps.
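The XPath approach suggested in the answer above, shown as an added example that is not code from the original thread. The function name extract_hrefs() and the sample markup are constructed for illustration; the http/https allow-list is an added assumption about which links are wanted.

```php
<?php
// Added example: extract href values from user-supplied HTML with DOM + XPath
// instead of a regex, and keep only http(s) links.
// extract_hrefs() and the sample input are constructed for illustration.

function extract_hrefs(string $html): array
{
    $doc = new DOMDocument();
    // User input is rarely well-formed; collect parser warnings instead of emitting them.
    $prev = libxml_use_internal_errors(true);
    // The XML declaration makes libxml read the fragment as UTF-8.
    $doc->loadHTML('<?xml encoding="UTF-8"?><div>' . $html . '</div>', LIBXML_NONET);
    libxml_clear_errors();
    libxml_use_internal_errors($prev);

    $hrefs = [];
    $xpath = new DOMXPath($doc);
    // The HTML parser lowercases tag and attribute names, so <A HREF=...> matches too.
    foreach ($xpath->query('//a[@href]') as $a) {
        $href = trim($a->getAttribute('href'));
        $scheme = strtolower((string) parse_url($href, PHP_URL_SCHEME));
        // Allow-list schemes so javascript: or data: links are dropped.
        if ($scheme === 'http' || $scheme === 'https') {
            $hrefs[] = $href;
        }
    }
    return $hrefs;
}

// Constructed sample input: the raw text as typed, with no SQL escaping applied to it.
$data = 'any string <a href="http://www.example.com">Any Anchor</a> '
      . "and <a href='javascript:void(0)'>bad</a> "
      . 'and <A HREF=https://example.org/?q=1&amp;r=2>x</A>';

print_r(extract_hrefs($data));

// Each extracted value is raw text. Quote it for its destination when it is used:
// htmlspecialchars($href, ENT_QUOTES, 'UTF-8') inside an HTML attribute,
// a bound parameter inside an SQL statement.
```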

Unescaping " In PHP Dynamically

There is a page that I'm currently working on (http://www.flcbranson.org/freedownloads-new.php) that loads data from an rss feed.
That rss feed contains descriptions, some of which contain quotation marks.
When the page is displayed (you can click on the Read Summary link for Filled With All The Fullness Of God to see what I'm talking about), it does \" for each quote.
I assume that it's because of php's escaping requirements.
Is there a way that I can remove the escape character (other than the obvious "remove the quotation marks")?
Sounds like you have magic quotes turned on. Read the PHP documentation for stripslashes() and pay special attention to the magic quotes stuff.
In a nutshell, if you know that you're working with a string and not (say) an array, you can do the following:
if (get_magic_quotes_runtime()) {
    $string = stripslashes($string);
}
If the data is coming from $_GET, $_POST, or $_COOKIE superglobals, use this instead:
if (get_magic_quotes_gpc()) {
    $string = stripslashes($string);
}
If it's not a string you're dealing with, you may need to look at the stripslashes_deep() implementation in the PHP docs.
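A recursive version of the check described in the answer above, as an added example (not the PHP manual's stripslashes_deep() and not code from the thread). The helper name undo_magic_quotes() and the sample array are constructed; the demonstration uses addslashes() to stand in for magic_quotes_gpc, assuming magic_quotes_sybase is off.

```php
<?php
// Added example: undo magic_quotes_gpc once, recursively, at bootstrap.
// undo_magic_quotes() is a hypothetical helper; the sample array is constructed.

function undo_magic_quotes($value)
{
    if (is_array($value)) {
        $clean = [];
        foreach ($value as $key => $item) {
            // Array keys could be escaped as well, so unescape string keys too.
            $clean[is_string($key) ? stripslashes($key) : $key] = undo_magic_quotes($item);
        }
        return $clean;
    }
    return is_string($value) ? stripslashes($value) : $value;
}

// get_magic_quotes_gpc() was removed in PHP 8.0, so test for it before calling it.
// Strip only when the setting is on: stripping unescaped input destroys typed backslashes.
if (function_exists('get_magic_quotes_gpc') && @get_magic_quotes_gpc()) {
    $_GET    = undo_magic_quotes($_GET);
    $_POST   = undo_magic_quotes($_POST);
    $_COOKIE = undo_magic_quotes($_COOKIE);
}

// Constructed demonstration. addslashes() escapes ', ", \ and NUL, the same set
// magic_quotes_gpc escaped.
$typed  = ['code' => 'echo "C:\\temp\\n";', 'tags' => ["it's", 'a\\b']];
$quoted = [
    'code' => addslashes($typed['code']),
    'tags' => array_map('addslashes', $typed['tags']),
];

// Escaped input comes back exactly as typed.
var_dump(undo_magic_quotes($quoted) === $typed);

// Input that was never escaped loses the backslashes the user typed.
var_dump(stripslashes($typed['code']) === $typed['code']);
```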
You need to remove the slashes by running data through:
stripslashes()
However, you still want to make your output (if you are doing something with this) HTML safe.
So run this function on the data after:
htmlspecialchars()
Try using stripslashes()
http://www.php.net/manual/en/function.stripslashes.php
Check out stripslashes()

PHP submitting forms, escaped quotes?

If I have a form with a value of just "" and I submit it and echo it with PHP, I get \"\"
How can I get around this?
This is because magic_quotes_gpc is on. This is a bad 'feature', designed to automatically escape incoming data for those developers who can't learn to escape SQL input.
You should disable this as soon as possible.
; in php.ini (magic_quotes_gpc is PHP_INI_PERDIR, so ini_set() cannot change it at runtime)
magic_quotes_gpc = Off
You should switch off magic_quotes_gpc, which is a broken feature (see Delan's answer, I completely agree).
But wait! You must sanitize the user input from $_REQUEST, $_POST and $_GET and $_COOKIE, if you want to use it for database or display at your page! Otherwise your code would be prone to various types of attacks!
There is nothing like "universal sanitization". Let's call it just quoting, because that's what it's all about.
When quoting, you always quote text for some particular output, like:
1. string value for mysql query
2. like expression for mysql query
3. html code
4. json
5. mysql regular expression
6. php regular expression
For each case, you need different quoting, because each usage is present within different syntax context. This also implies that the quoting shouldn't be made at the input into PHP, but at the particular output! Which is the reason why features like magic_quotes_gpc are broken (always ensure it is switched off!!!).
So, what methods would one use for quoting in these particular cases? (Feel free to correct me, there might be more modern methods, but these are working for me)
1. mysql_real_escape_string($str)
2. mysql_real_escape_string(addcslashes($str, "%_"))
3. htmlspecialchars($str)
4. json_encode() - only for utf8! I use my function for iso-8859-2
5. mysql_real_escape_string(addcslashes($str, '^.[]$()|*+?{}')) - you cannot use preg_quote in this case because backslash would be escaped two times!
6. preg_quote()
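Quoting at the output rather than at the input, as the answer above describes, shown as an added example that is not code from the thread. It swaps mysql_real_escape_string() (removed in PHP 7) for PDO bound parameters on an in-memory SQLite database so that it runs offline; the table name, variable names and sample string are constructed.

```php
<?php
// Added example: one raw input, stored unmodified and quoted per output context.
// PDO bound parameters stand in for mysql_real_escape_string(); names are constructed.

$raw = 'say "50%_off" \\o/ <b>it\'s</b>';   // exactly what the user typed

// SQL string value: bind it, no manual escaping and no stripslashes() later.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE notes (body TEXT)');
$db->prepare('INSERT INTO notes (body) VALUES (?)')->execute([$raw]);

// LIKE expression: escape the wildcards (and the escape character), then bind the pattern.
$like = '%' . addcslashes('50%_off', '%_\\') . '%';
$stmt = $db->prepare("SELECT body FROM notes WHERE body LIKE ? ESCAPE '\\'");
$stmt->execute([$like]);
$stored = $stmt->fetchColumn();

// The database hands back the typed text, with no added backslashes.
var_dump($stored === $raw);

// HTML text or attribute value: ENT_QUOTES covers both quote characters.
echo htmlspecialchars($stored, ENT_QUOTES, 'UTF-8'), "\n";

// JSON: the HEX flags keep <, >, &, ' and " out of the output, so the result
// can be placed inside a <script> block or an attribute without re-escaping.
$json = json_encode(
    ['body' => $stored],
    JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT
);
echo $json, "\n";

// Decoding restores the original text, quotes and backslash included.
var_dump(json_decode($json, true)['body'] === $raw);

// PHP regular expression: quote the text and name the delimiter in use.
var_dump(preg_match('/' . preg_quote($raw, '/') . '/', "x $raw y") === 1);
```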
Try stripslashes().
stripslashes() is the opposite of addslashes(), and removes escape slashes from strings.
You can use stripslashes() function.
http://php.net/manual/en/function.stripslashes.php
This behavior is caused by the "Magic Quotes" PHP-Feature. http://php.net/manual/en/security.magicquotes.php
You can use something like this to make it work whether magic quotes are enabled or not:
if (get_magic_quotes_gpc()) {
    $data = stripslashes($_POST['data']);
}
else {
    $data = $_POST['data'];
}
I always use this method as it grabs the value as a string and therefore there will be no slashes:
$variable = mysql_escape_string($_REQUEST['name_input']);

How do I retrieve "escaped" strings from db?

I'm doing this to all strings before inserting them:
mysql_real_escape_string($_POST['position']);
How do I remove the: \ after retrieving them?
So I don't end up with: \"Piza\"
Also is this enough security or should I do something else?
Thanks
I would suggest you call $_POST['position'] directly (don't call mysql_real_escape_string on it) to get the non-escaped version.
Incidentally your comment about security suggests a bit of trouble understanding things.
One way of handling strings is to handle the escaped versions, which leads to one kind of difficulty, while another is to handle another and escape strings just before embedding, which leads to another kind of difficulty. I much prefer the latter.
Use stripslashes() to get rid of the escape character.
Escaping is great. In case the value is going to be an integer, I would suggest you do it like:
$value = (int) $_POST['some_int_field'];
This would make sure you always end up with an integer value.
It could be because magic quotes are enabled, so to make it versatile, use this:
if (get_magic_quotes_gpc()) { // Check if magic quotes are enabled
    $position = stripslashes($_POST['position']);
} else {
    $position = mysql_real_escape_string($_POST['position']);
}
mysql_real_escape_string() does add \s in your SQL strings but they should not be making it into the database as they are only there for the purpose of string parsing.
If you are seeing \s in your database then something else is escaping your strings before you call mysql_real_escape_string(). Check to make sure that magic_quotes_gpc isn't turned on.
