
Addslashes() doesn't work on $_POST

Hello

As the user may type strings that contain verboten characters like
apostrophes, I need to go through the $_POST[] array and use
addslashes() on each and every item.

But it doesn't make any difference:

==========
<?php
switch ($_POST['status']) {
    case "Test":
        print $_POST['dummy'] . "<p>\n";

        foreach ($_POST as $key => $value)
            $$key = addslashes($value);

        print $_POST['dummy'] . "<p>\n";

        $sql = sprintf("INSERT INTO mytable VALUES ('%s')", $_POST['dummy']);
        print "$sql<p>";

        /*
        Bill's cigar

        Bill's cigar

        INSERT INTO mytable VALUES ('Bill's cigar')
        */

        break;

    default:
        echo "<form method=post>";
        echo "<input type=hidden name=dummy value=\"Bill's cigar\">";
        echo "<input type=submit name=status value=Test>";
        echo "</form>";
        break;
}
?>
==========

What am I doing wrong?

Thank you.
Feb 19 '08 #1
5 Replies


> What am I doing wrong?
>
> Thank you.
Firstly, using a variable variable ($$) won't update the superglobal
$_POST, it just creates a new variable - in this case $dummy.

You can update the superglobal itself, i.e., $_POST['dummy'] =
addslashes($_POST['dummy']). Your loop would then be:

foreach ($_POST as $key => $value) {
    $_POST[$key] = addslashes($value);
}

Secondly, using addslashes to quote data going into an SQL query isn't
a very good idea. If you're running PHP 5.1 (or higher) I would
strongly suggest using PDO and the prepare/bind syntax. Otherwise, if
using the mysql*_* set of functions, use mysql_real_escape_string
(similar functions exist for the other databases supported by PHP).

Finally, you are outputting data straight to the browser with your
print commands; I'm sure this is just for debugging purposes, however
you really should take XSS attacks into account and filter the input
accordingly. For instance, addslashes cannot save you from something
like this:

<script type=text/javascript src=http://www.example.com/someevilscript.js></script>

Hope that helps.
Feb 19 '08 #2
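To put the advice in this reply into running code, here is an added example (not part of the original thread and not the poster's code) that contrasts the original sprintf() interpolation with a PDO prepared statement, and shows that HTML output needs its own escaper. It uses an in-memory SQLite database so it runs stand-alone; the table rows and the two test inputs are constructed for the demo, and only the table name mytable is taken from the thread.

```php
<?php
// Added example (not from the original thread): raw interpolation vs. a
// bound parameter, plus HTML escaping for output. Runs on PHP 5.4+ with
// pdo_sqlite; all data below is constructed.
$dbh = new PDO('sqlite::memory:');
$dbh->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$dbh->exec('CREATE TABLE mytable (dummy TEXT)');
$dbh->exec("INSERT INTO mytable (dummy) VALUES ('public note')");
$dbh->exec("INSERT INTO mytable (dummy) VALUES ('secret note')");

// Two constructed values standing in for $_POST['dummy']: the apostrophe
// case from the question, and a classic tautology payload.
$inputs = array("Bill's cigar", "x' OR '1'='1");

foreach ($inputs as $input) {
    echo "Input: $input\n";

    // 1. The original approach: the value is pasted into the SQL text.
    //    An apostrophe breaks the statement; the second input rewrites
    //    the WHERE clause so every row matches.
    $sql = sprintf("SELECT dummy FROM mytable WHERE dummy = '%s'", $input);
    try {
        $rows = $dbh->query($sql)->fetchAll(PDO::FETCH_COLUMN);
        echo "  interpolated: " . count($rows) . " row(s) returned\n";
    } catch (PDOException $e) {
        echo "  interpolated: SQL error: " . $e->getMessage() . "\n";
    }

    // 2. Prepared statement: the driver sends the value separately from
    //    the SQL, so it is compared as data and never parsed as syntax.
    $stmt = $dbh->prepare('SELECT dummy FROM mytable WHERE dummy = ?');
    $stmt->execute(array($input));
    $rows = $stmt->fetchAll(PDO::FETCH_COLUMN);
    echo "  prepared:     " . count($rows) . " row(s) returned\n";

    // 3. Output to the browser is a different context with a different
    //    escaper: htmlspecialchars(), not addslashes().
    echo "  html-safe:    " . htmlspecialchars($input, ENT_QUOTES, 'UTF-8') . "\n";
}
```

Run it from the command line with php and compare the row counts: the interpolated query errors on the apostrophe and returns both rows for the tautology payload, while the prepared statement returns no rows for either, because neither string literally equals a stored value.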

ph******@gmail.com wrote:
> What am I doing wrong?
>
> Thank you.

> Firstly, using a variable variable ($$) won't update the superglobal
> $_POST, it just creates a new variable - in this case $dummy.
More precisely, it's supposing that the $_POST variables are also defined in
the global scope.

That behaviour was the default in old versions of PHP (Register_globals =
On). Now it's off by default for security reasons.

My guess is that you copy-pasted some old code from somewhere without
understanding it first ;-)

--
----------------------------------
Iván Sánchez Ortega -ivansanchez-algarroba-escomposlinux-punto-org-

By trying we can easily learn to endure adversity. Another man's, I mean.
-- Mark Twain

Feb 19 '08 #3

ph******@gmail.com wrote:
> Secondly, using addslashes to quote data going into an SQL query isn't
> a very good idea. If you're running PHP 5.1 (or higher) I would
> strongly suggest using PDO and the prepare/bind syntax. Otherwise, if
> using the mysql*_* set of functions use mysql_real_escape_string
> (similar functions exist for the other databases supported by PHP)

When using PDO, do you mean a prepared INSERT statement should be used? Can
you please give a small example?

Thanks
Feb 19 '08 #4

..oO(Gilles Ganault)
> As the user may type strings that contain verboten characters like
> apostrophes, I need to go through the $_POST[] array, and use
> addslashes() on each and every item
No, you don't need to apply addslashes() to each and every item. Instead
you should consider $_GET and $_POST read-only and use the appropriate
escaping functions when and where they're really needed, for example
mysql_real_escape_string() when inserting the data into a MySQL DB (in
this case prepared statements would be the better way, though).

IMHO the only acceptable write-access to these arrays is stripslashes()
to remove magic quotes if they're enabled and can't be turned off. But
besides that they shouldn't be touched and just be seen as the raw data
input. The escaping takes place when the data is used.

Micha
Feb 19 '08 #5
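The "read-only $_POST, escape at the point of use" rule in this reply, as an added example (not from the original thread or any of its posters): request data is normalised once to undo magic quotes if and only if the runtime added them, then the same raw value is escaped differently for SQL and for HTML, and the last line shows what stacking addslashes() on top of magic quotes produces. The strip_magic_quotes and normalize_input helpers and the sample array are this example's own; nothing here comes from the thread's code.

```php
<?php
// Added example (not from the original thread): keep $_POST as raw input,
// undo magic quotes only if the runtime added them, and escape at the
// point of use with the escaper for that context. All input is constructed.

// Recursively strip the backslashes magic_quotes_gpc adds, so nested
// arrays (e.g. inputs named item[]) are handled as well.
function strip_magic_quotes($value)
{
    if (is_array($value)) {
        return array_map('strip_magic_quotes', $value);
    }
    return stripslashes($value);
}

// Normalise request data once, at the top of the request. In real code
// $magic_quotes_on would come from get_magic_quotes_gpc() on PHP < 5.4;
// magic quotes were removed after that, so on current PHP it is simply
// false and the array is left untouched.
function normalize_input(array $post, $magic_quotes_on)
{
    return $magic_quotes_on ? strip_magic_quotes($post) : $post;
}

// Constructed $_POST as it looked with magic_quotes_gpc=On: the runtime
// has already put a backslash before each apostrophe.
$post = array(
    'dummy' => "Bill\\'s cigar",
    'tags'  => array("O\\'Reilly", "<b>bold</b>"),
);
$raw = normalize_input($post, true);
echo "Raw value:      " . $raw['dummy'] . "\n";

// SQL context: bind the raw value (preferred) ...
$dbh = new PDO('sqlite::memory:');
$dbh->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$stmt = $dbh->prepare('SELECT ? AS v');
$stmt->execute(array($raw['dummy']));
echo "Bound value:    " . $stmt->fetchColumn() . "\n";
// ... or, where a literal is unavoidable, let the driver quote it for
// its own dialect (PDO::quote is the PDO counterpart of
// mysql_real_escape_string; SQLite doubles the apostrophe).
echo "SQL literal:    " . $dbh->quote($raw['dummy']) . "\n";

// HTML context: a different parser, so a different escaper.
echo "HTML:           " . htmlspecialchars($raw['tags'][1], ENT_QUOTES, 'UTF-8') . "\n";

// What "addslashes() everything up front" does to data the runtime already
// magic-quoted: the backslashes stack and end up stored in the database.
echo "Double-escaped: " . addslashes($post['dummy']) . "\n";
```

The point of keeping the escaping at the use site is visible in the two escaped outputs: the SQL literal and the HTML string are produced from the same raw value by different functions, and neither would be correct if the other had already been applied to $_POST.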

On Mon, 18 Feb 2008 16:42:35 -0800 (PST), ph******@gmail.com wrote:
> Secondly, using addslashes to quote data going into an SQL query isn't
> a very good idea. If you're running PHP 5.1 (or higher) I would
> strongly suggest using PDO and the prepare/bind syntax.
Thanks guys. For those interested, here's some working code, using
either bindParam() or an array:

<?php
switch ($_POST['status']) {
    case "Test":
        $dbh = new PDO("sqlite:test.sqlite");
        // Without this PDO reports errors silently and the catch below never runs
        $dbh->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

        //Good
        //$sql = "INSERT INTO mytable VALUES (:dummy)";
        //$stmt = $dbh->prepare($sql);
        //$stmt->bindParam(":dummy", $_POST['dummy']);
        //$stmt->execute();

        try {
            $insert = $dbh->prepare("INSERT INTO mytable (dummy) VALUES (?)");
            $insert->execute(array($_POST['dummy']));
        } catch (Exception $e) {
            echo "Failed : " . $e->getMessage();
        }

        $dbh = null;
        break;

    default:
        echo "<form method=post>";
        echo "<input type=text name=dummy>";
        echo "<input type=submit name=status value=Test>";
        echo "</form>";
        break;
}
?>
Feb 19 '08 #6
