Addslashes() doesn't work on $_POST

What am I doing wrong?

>
Thank you.

Firstly, using a variable variable ($$) won't update the superglobal
$_POST, it just creates a new variable - in this case $dummy.

You can update the superglobal itself, i.e., $_POST['dummy'] =
addslashes($_POST['dummy']). Your loop would then be:

foreach($_POST as $key =$value)
{
$_POST[$key] = addslashes($value);
}

Secondly, using addslashes to quote data going into an SQL query isn't
a very good idea. If you're running PHP 5.1 (or higher) I would
strongly suggest using PDO and the prepare/bind syntax. Otherwise, if
using the mysql*_* set of functions use mysql_real_escape_string
(similar functions exist for the other databases supported by PHP)

Finally, you are outputting data straight to the browser with your
print commands; I'm sure this is just for debugging purposes, however
you really should take XSS attacks into account and filter the input
accordingly. For instance, addslashes cannot save you from something
like this:

<script type=text/javascript src=http://www.example.com/
someevilscript.js></script>

Hope that helps.

ph******@gmail.com wrote:

>What am I doing wrong?

Thank you.

Firstly, using a variable variable ($$) won't update the superglobal
$_POST, it just creates a new variable - in this case $dummy.

More precisely, it's supposing that the $_POST variables are also defined in
the global scope.

That behaviour was the default in old versions of PHP (Register_globals =
On). Now it's off by default for security reasons.

My guess is that you copy-pasted some old code from somewhere without
understanding it first ;-)

--
----------------------------------
Iván Sánchez Ortega -ivansanchez-algarroba-escomposlinux-punto-org-

By trying we can easily learn to endure adversity. Another man's, I mean.
-- Mark Twain

ph******@gmail.com wrote:

>
Secondly, using addslashes to quote data going into an SQL query isn't
a very good idea. If you're running PHP 5.1 (or higher) I would
strongly suggest using PDO and the prepare/bind syntax. Otherwise, if
using the mysql*_* set of functions use mysql_real_escape_string
(similar functions exist for the other databases supported by PHP)

When using PDO you mean the prepare insert statement should be used? Can
you please give a small example?

Thanks

..oO(Gilles Ganault)

>As the user may type strings that contain verboten characters like
apostrophes, I need to go through the $_POST[] array, and use
addslashes() on each and every item

No, you don't need to apply addslashes() to each and every item. Instead
you should consider $_GET and $_POST read-only and use the appropriate
escaping functions when and where they're really needed, for example
mysql_real_escape_string() when inserting the data into a MySQL DB (in
this case prepared statements would be the better way, though).

IMHO the only acceptable write-access to these arrays is stripslashes()
to remove magic quotes if they're enabled and can't be turned off. But
besides that they shouldn't be touched and just be seen as the raw data
input. The escaping takes place when the data is used.

Micha

On Mon, 18 Feb 2008 16:42:35 -0800 (PST), ph******@gmail.com wrote:

>Secondly, using addslashes to quote data going into an SQL query isn't
a very good idea. If you're running PHP 5.1 (or higher) I would
strongly suggest using PDO and the prepare/bind syntax.

Thanks guys. For those interested, here's some working code, using
either bindParam() or an array:

<?php
switch ($_POST['status']) {
case "Test":
$dbh = new PDO("sqlite:test.sqlite");

//Good
//$sql = "INSERT INTO mytable VALUES (:dummy)";
//$stmt = $dbh->prepare($sql);
//$stmt->bindParam(":dummy", $_POST['dummy']);
//$insert->execute();

try {
$insert = $dbh->prepare("INSERT INTO mytable (dummy) VALUES
(?)");
$insert->execute(array($_POST['dummy']));
} catch (Exception $e) {
echo "Failed : " . $e->getMessage();
}

$dbh = null;
break;

default:
echo "<form method=post>";
echo "<input type=text name=dummy>";
echo "<input type=submit name=status value=Test>";
echo "</form>";
break;
}
?>