how to use stripslashes()
Needs Regular Fix | Join Date: Nov 2006 | Location: Earth Obviously :P | Posts: 344
Hi there. I am working on a project based on PHP, MySQL and HTML. As I was using a more secure method to authenticate login information than simply getting the POST variables and comparing them with the database, I came across different functions like
isset()
empty()
stripslashes()
I got it right till isset() and empty(), but when working with stripslashes() I am not getting it right. As far as I know, the purpose of stripslashes() is to remove any extra
' " / and \ etc.
But as I tried to use it, and in the username input field I entered \omer and tried to echo it after using stripslashes($_POST['FIELD_NAME']);, it still shows the " \ " in it.
My code is here:
[php]
<?php
$msg="";
if(isset($_POST['Submit'])){
    if(!empty($_POST["l_name"]) && !empty($_POST["l_pass"])) {
        if(isset($_POST["l_name"]) && isset($_POST["l_pass"])){
            //strip backslashes from the posted user name and password
            $mem_name=stripslashes($_POST["l_name"]);
            $mem_pass=stripslashes($_POST["l_pass"]);
            echo $mem_name.'<br />'.$mem_pass;
        }
        else{
            $msg.="Good to see you Looser";
            header("Location: buzz.php?msg=".$msg);
            exit();
        }
    }
    else{
        $msg.="The e-mail address / user name and password you entered did not match any accounts in our file. Please try again.";
    }
}
else{
    $msg.="Good to see you Looser";
    header("Location: buzz.php?msg=".$msg);
    exit();
}
?>
[/php]
Any help in this regard would be highly appreciated.
Regards,
Omer Aslam
Moderator | Join Date: Jun 2007 | Location: York, England, with wolves. | Posts: 4,938
re: how to use stripslashes()
stripslashes() only strips backslashes.
I can't understand why it isn't working =/
mysql_real_escape_string() is better off used. (You need to be connected to MySQL for this to work.)
Needs Regular Fix | Join Date: Nov 2006 | Location: Earth Obviously :P | Posts: 344
re: how to use stripslashes()
Quote:
Originally Posted by markusn00b
stripslashes() only strips backslashes.
I can't understand why it isn't working =/
mysql_real_escape_string() is better off used. (You need to be connected to MySQL for this to work.)
Yeah, I am also surprised that it isn't working, but now I have made some amendments in my code. Here it is:
[php]
$msg="";
if(isset($_POST['Submit'])){
    if(!empty($_POST["l_name"]) && !empty($_POST["l_pass"])) {
        if(isset($_POST["l_name"]) && isset($_POST["l_pass"])){
            $mem_name=$_POST["l_name"];
            $mem_pass=$_POST["l_pass"]; // was echoed below but never assigned in the posted code
            //strip characters and keywords one by one
            $mem_name0=strtolower($mem_name);
            $mem_name1=str_ireplace("/","",$mem_name0);
            $mem_name2=str_ireplace(",","",$mem_name1);
            $mem_name3=str_ireplace("'","",$mem_name2);
            $mem_name4=str_ireplace("*","",$mem_name3);
            $mem_name5=str_ireplace("and","",$mem_name4);
            $mem_name6=str_ireplace("or","",$mem_name5);
            $mem_name7=str_ireplace("where","",$mem_name6);
            $mem_name=trim($mem_name7);
            echo $mem_name.'<br />'.$mem_pass;
        }
        else{
            $msg.="Good to see you Looser";
            header("Location: buzz.php?msg=".$msg);
            exit();
        }
    }
    else{
        $msg.="The e-mail address / user name and password you entered did not match any accounts in our file. Please try again.";
    }
}
else{
    $msg.="Good to see you Looser";
    header("Location: buzz.php?msg=".$msg);
    exit();
}
[/php]
But one thing: how could I avoid ; and " in the entered string? Any idea?
Regards,
Omer
Moderator | Join Date: Jun 2007 | Location: York, England, with wolves. | Posts: 4,938
re: how to use stripslashes()
You could do it quicker with preg_replace():
[php]
$replace[0] = '#and#';            // replace and
$replace[1] = '#or#';             // replace or
$replace[2] = '#where#';          // replace where
$replace[3] = '#[\*;\'/\,\"]#';   // replace * ; ' , "
echo preg_replace($replace, "", "*heandlalwhereo;"); // do the replacement
[/php]
Moderator | Join Date: Jul 2006 | Location: The Netherlands | Posts: 4,139
re: how to use stripslashes()
Or you could use this one:
[php]
$memname=trim(str_ireplace(array("/",",","'","*","and","or","where"),'', strtolower($memname)));
[/php]
Ronald
Moderator | Join Date: Jun 2007 | Location: York, England, with wolves. | Posts: 4,938
re: how to use stripslashes()
Quote:
Originally Posted by ronverdonk
Or you could use this one:
[php]
$memname=trim(str_ireplace(array("/",",","'","*","and","or","where"),'', strtolower($memname)));
[/php]
Ronald
Pah!
Defeated me again.
Moderator | Join Date: Jul 2006 | Location: The Netherlands | Posts: 4,139
re: how to use stripslashes()
Quote:
Originally Posted by markusn00b
Pah!
Defeated me again.
Not really, it is merely another way of solving it. ;-)
Ronald
Moderator | Join Date: Jun 2007 | Location: York, England, with wolves. | Posts: 4,938
re: how to use stripslashes()
Quote:
Originally Posted by ronverdonk
Not really, it is merely another way of solving it. ;-)
Ronald
If str_ireplace() is case-insensitive, is there any need for strtolower()?
Moderator | Join Date: Jul 2006 | Location: The Netherlands | Posts: 4,139
re: how to use stripslashes()
Quote:
Originally Posted by markusn00b
If str_ireplace() is case-insensitive, is there any need for strtolower()?
Not for the replace, but the result string is also lower case.
Ronald
Needs Regular Fix | Join Date: Nov 2006 | Location: Earth Obviously :P | Posts: 344
re: how to use stripslashes()
Quote:
Originally Posted by ronverdonk
Or you could use this one:
[php]
$memname=trim(str_ireplace(array("/",",","'","*","and","or","where"),'', strtolower($memname)));
[/php]
Ronald
Thanks a lot, guys, for a bunch of help, and especially ronverdonk, who gave such reduced code of just 1 line. That was really excellent, but 1 thing is still there:
CASE 1: I want to remove WHITE SPACES from the username. Let's say I enter "omer aslam"; then it should remove the space between omer AND aslam, but it is not doing it.
CASE 2: And if I enter only white spaces at the end of the name, i.e. like this "omer ", then in this case it removes the spaces, but not in the first case, EVEN IF I USE MY TECHNIQUE OR RONVERDONK'S.
Thanks a lot anyway, guys, that you helped me so far.
Any help in this regard is highly appreciated.
Thanks in advance,
Regards,
Omer Aslam.
Moderator | Join Date: Jun 2007 | Location: York, England, with wolves. | Posts: 4,938
re: how to use stripslashes()
[php]
$memname=trim(str_ireplace(array(" ", "/",",","'","*","and","or","where"),'', strtolower($memname)));
[/php]
Try that
Needs Regular Fix | Join Date: Nov 2006 | Location: Earth Obviously :P | Posts: 344
re: how to use stripslashes()
Quote:
Originally Posted by markusn00b
[php]
$memname=trim(str_ireplace(array(" ", "/",",","'","*","and","or","where"),'', strtolower($memname)));
[/php]
Try that
THANKS ALOOOOOOOOOOOOOOOOOOOOOOT MAN, you were really a THETA of PHP :D Well, just kidding, that's just because you have a lot of experience, but that's remarkable ;) I guess that was enough :D Anyhow, you really helped me out. Thanks a lot again, guys, a bundle of thanks for such an efficient and quick reply.
Regards,
Omer.
Moderator | Join Date: Jun 2007 | Location: York, England, with wolves. | Posts: 4,938
re: how to use stripslashes()
Quote:
Originally Posted by omerbutt
THANKS ALOOOOOOOOOOOOOOOOOOOOOOT MAN, you were really a THETA of PHP :D Well, just kidding, that's just because you have a lot of experience, but that's remarkable ;) I guess that was enough :D Anyhow, you really helped me out. Thanks a lot again, guys, a bundle of thanks for such an efficient and quick reply.
Regards,
Omer.
Haha, ron was the OP of that, I just tweaked it ever so slightly.
Remember, if there's anything else you want plucking out of the user input, just add it into the array :)
Needs Regular Fix | Join Date: Nov 2006 | Location: Earth Obviously :P | Posts: 344
re: how to use stripslashes()
Quote:
Originally Posted by markusn00b
Haha, ron was the OP of that, I just tweaked it ever so slightly.
Remember, if there's anything else you want plucking out of the user input, just add it into the array :)
Yeah, okay, I did that because I had to remove some more extra characters, so I did the same. But apart from the discussion, ronverdonk really helped me a lot; he was the OP for that :D
Take care a lot,
Regards,
Omer.
Moderator | Join Date: Jul 2006 | Location: The Netherlands | Posts: 4,139
re: how to use stripslashes()
Consider it a joint solution. It really doesn't matter who originated what code.
In my opinion code should be shared freely. To me there is no such thing as 'ownership' of code, contrary to what a lot of programmers and companies think.
Ronald
Expert | Join Date: Feb 2008 | Location: Australia | Posts: 913
re: how to use stripslashes()
Quote:
Originally Posted by ronverdonk
[php]
$memname=trim(str_ireplace(array("/",",","'","*","and","or","where"),'', strtolower($memname)));
[/php]
So besides isset(), do you use any other server-side protection? Just curious, because mine is similar to markusn00b's (just a bit longer), so this looks much more compact!
Moderator | Join Date: Jul 2006 | Location: The Netherlands | Posts: 4,139
re: how to use stripslashes()
Quote:
Originally Posted by TheServant
So besides isset(), do you use any other server-side protection? Just curious, because mine is similar to markusn00b's (just a bit longer), so this looks much more compact!
I suggest that you must at least do a strip_tags() before you assign a POSTed value to a variable. And I mean: at least.
Ronald
Needs Regular Fix | Join Date: Nov 2006 | Location: Earth Obviously :P | Posts: 344
re: how to use stripslashes()
Quote:
Originally Posted by ronverdonk
I suggest that you must at least do a strip_tags() before you assign a POSTed value to a variable. And I mean: at least.
Ronald
Sir, I have implemented it like this:
[php]
$msg="";
if(isset($_POST['Submit'])){
    //check whether the fields are empty or not
    if(!empty($_POST["l_name"]) && !empty($_POST["l_pass"])){
        //check whether the fields were set from the form or not
        if(isset($_POST["l_name"]) && isset($_POST["l_pass"])){
            //get the user and pass
            $mem_nameT=MyTag($_POST["l_name"]);
            $mem_passT=MyTag($_POST["l_pass"]);
            //remove special characters ($myStrip is not defined in the posted snippet)
            $mem_name=$myStrip->SpecialCharactors($mem_nameT,1);
            $mem_pass=$myStrip->SpecialCharactors($mem_passT,0);
            echo $mem_name.'<br />'.$mem_pass;
        }
        else{
            $msg.="Good to see you Looser";
        }
    }
    else{
        $msg.="The e-mail address / user name and password you entered did not match any accounts in our file. Please try again.";
    }
}

//strip HTML and PHP tags from a POSTed value
function MyTag($a)
{
    $s=strip_tags($a);
    return $s;
}
[/php]
Is there anything else that you can suggest for this?
Regards,
Omer Aslam
Moderator | Join Date: Jul 2006 | Location: The Netherlands | Posts: 4,139
re: how to use stripslashes()
There are a lot of things that can be done to protect your script from attacks, and there are many types of attacks. Please read the PHP Security Consortium's PHP security guide.
There are also many tutorials on SQL injection on the web, e.g. "SQL Injection Attacks by Example" and the "SQL injection cheat sheet".
Ronald
Needs Regular Fix | Join Date: Nov 2006 | Location: Earth Obviously :P | Posts: 344
re: how to use stripslashes()
Thanks a lot for the links. Going through the SQL injection cheat sheet, I saw that some ways to perform SQL injection via HEXADECIMAL values were also given, and I was thinking how I could stop that from happening.
Any suggestions?
Regards, Omer Aslam.
Moderator | Join Date: Jul 2006 | Location: The Netherlands | Posts: 4,139
re: how to use stripslashes()
Quote:
Originally Posted by PHP Security Consortium
Protecting against SQL injection is easy:
I. Filter your data. This cannot be overstressed. With good data filtering in place, most security concerns are mitigated, and some are practically eliminated.
II. Quote your data. If your database allows it (MySQL does), put single quotes around all values in your SQL statements, regardless of the data type.
III. Escape your data. Sometimes valid data can unintentionally interfere with the format of the SQL statement itself. Use mysql_escape_string() or an escaping function native to your particular database. If there isn't a specific one, addslashes() is a good last resort.
Following option II is the easiest and quickest to implement.
Ronald
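An added example (not code from the thread) showing why the keyword blacklist from earlier in the thread is the wrong tool, and how the Consortium's "quote and escape your data" advice is handled for you by a prepared statement: it runs the posted filter over ordinary names such as Sandra and Orlando, which it mangles, then checks logins against a constructed in-memory SQLite table through PDO with bound parameters, so a quoted or keyword-bearing input and a hex-looking value like 0x6f6d6572 are compared only as data. It assumes the pdo_sqlite extension is available.

```php
<?php
// Added example, not code from the thread. It runs the thread's one-line
// blacklist filter over ordinary names, then shows the Consortium's
// "quote/escape your data" advice done automatically by a prepared statement.

// The filter as posted in the thread, wrapped in a function.
function blacklistFilter($name) {
    return trim(str_ireplace(
        array(" ", "/", ",", "'", "*", "and", "or", "where"), '', strtolower($name)));
}

// "and" and "or" are substrings of ordinary words, so legitimate usernames
// are silently corrupted (Sandra loses its "and", Orlando loses "and" and "or").
foreach (array("Sandra", "Orlando", "Theodore", "omer aslam") as $name) {
    printf("%-12s -> %s\n", $name, blacklistFilter($name));
}

// Constructed in-memory SQLite table standing in for the MySQL members table.
// The password is stored in clear text only to mirror the thread's code.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE members (name TEXT, pass TEXT)");
$db->exec("INSERT INTO members VALUES ('omer', 'secret')");

// With a prepared statement the SQL text is fixed before any user value is
// seen; bound values are never parsed as SQL, so quotes, the word "or" and
// hex-looking strings such as 0x6f6d6572 are compared as plain data.
function checkLogin(PDO $db, $name, $pass) {
    $stmt = $db->prepare("SELECT name FROM members WHERE name = ? AND pass = ?");
    $stmt->execute(array($name, $pass));
    return $stmt->fetchColumn() !== false;
}

// Constructed login attempts.
$attempts = array(
    array("omer", "secret"),        // genuine login: match
    array("' OR 1=1 -- ", "x"),     // quote and keyword, treated as a literal name: no match
    array("0x6f6d6572", "secret"),  // hex spelling of "omer", still just a string: no match
);
foreach ($attempts as $a) {
    printf("%-16s -> %s\n", json_encode($a[0]), checkLogin($db, $a[0], $a[1]) ? "match" : "no match");
}
```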
Expert | Join Date: Feb 2008 | Location: Australia | Posts: 913
re: how to use stripslashes()
What about making a function:
[PHP]
function sanitize($data) {
    $data = stripslashes($data);
    $clean = trim( str_ireplace( array(" ", "/",",","'","*","and","or","where"),'', $data ) );
    return $clean;
}
[/PHP]
Is there anything wrong with this? Also, what about double backslashes (or even more) and " characters?
Moderator | Join Date: Jul 2006 | Location: The Netherlands | Posts: 4,139
re: how to use stripslashes()
You could make an endless list of things to remove. Using functions: do not forget to include strip_tags() and htmlentities() with ENT_QUOTES.
Ronald
Expert | Join Date: Feb 2008 | Location: Australia | Posts: 913
re: how to use stripslashes()
I know that I have practically no experience in hacking, and so trying to break my code in an attempt to identify holes is actually proving to be difficult.
What is wrong with doing this to all inputs:
[PHP]
$username = "A Bad* <Username..";
$username = addslashes($username);
if ( !eregi("^[a-zA-Z0-9_]+$", $username) ) {
    return FALSE;
}
[/PHP]
And just not allow any code to run if that's false? I have tried MySQL injections, but none get through. What are the security risks I am missing?
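The same allowlist check, as an added example that is not part of the post, written with preg_match() because eregi() was deprecated in PHP 5.3 and removed in PHP 7; the 32-character length limit is an assumption. An allowlist like this suits a username, but a password field cannot be restricted the same way, so the query itself still has to quote and escape (or bind) that value as the Consortium text above says.

```php
<?php
// Added example, not code from the thread. The allowlist check above,
// rewritten with preg_match(): eregi() was deprecated in PHP 5.3 and
// removed in PHP 7. The 32-character limit is an assumption.

function isValidUsername($name) {
    // \A and \z anchor to the true start and end of the string. With ^ and $,
    // "omer\n" would pass, because $ also matches just before a trailing newline.
    // The allowlist contains neither quotes nor backslashes, so the addslashes()
    // call before the check in the post adds nothing: any input holding a quote
    // is rejected outright instead of being escaped.
    return preg_match('/\A[a-zA-Z0-9_]{1,32}\z/', $name) === 1;
}

// Constructed sample inputs: a valid name, the post's bad username, a
// newline-terminated name, a quoted injection attempt, and a hex-looking name.
// The last one is accepted because it only contains allowed characters; that is
// fine as long as the database query binds or quotes it as data.
$samples = array(
    "omer_aslam",
    "A Bad* <Username..",
    "omer\n",
    "' OR 1=1 -- ",
    "0x6f6d6572",
);
foreach ($samples as $s) {
    printf("%-24s %s\n", json_encode($s), isValidUsername($s) ? "accepted" : "rejected");
}
```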