/    Sign up×
Community /Pin to ProfileBookmark

escape escape?

Copy linkTweet thisAlerts:
Mar 18.2008

I need to escape this:

As in the following str_replace:

[CODE]
$_SESSION[‘value_array’] = str_replace(“”,” “,$_SESSION[‘value_array’]);

$_SESSION[‘value_array’] = str_replace(“n”,”
“,$_SESSION[‘value_array’]); /* I want this to start a new line */

$_SESSION[‘value_array’] = str_replace(“r”,”
“,$_SESSION[‘value_array’]); /* I want this to start a new line as well */
[/CODE]

…that is unless you guys know a solution to the following issue instead.

So I’m trying to secure my site with mysql_real_escape_string().

This function:

[code=php]
function value($field){
if(array_key_exists($field,$this->values)){
return htmlspecialchars(stripslashes($this->values[$field]));
}else{
return “”;
}
}
[/code]

…is a bottleneck for all user-submitted data, which I believe makes it the ideal location for mysql_real_escape_string() instead of adding it to each database query.

So I did this:

[code=php]
function value($field){
if(array_key_exists($field,$this->values)){
return mysql_real_escape_string(htmlspecialchars(stripslashes($this->values[$field])));
}else{
return “”;
}
}
[/code]

…this works fine unless there’s an error in the form.

In the event of an error in the form (illegal characters used, CATCHA code not entered, etc) the form’s (action) “process page” sends the user back to the form to correct the errors. [B]Prior[/B] to adding the mysql_real_escape_string, either session values or existing database values persist in the fields (depending on whether or not changes were made to a given field) and [B]line breaks are preserved as well[/B]. But [B]after[/B] the addition of the mysql_escape_string, field values are rendered unwrapped and contain ASCII characters instead spaces, linebreaks, and returns.

So in a textarea (for user-submitted CSS) [B]prior[/B] to the escape_string looks like this:

[CODE]
.namespace{
padding-bottom:10px;
}
[/CODE]

And the same textarea value [B]after[/B] the addition of the escape_string (in the event of an error in the form) looks like this:

[CODE]
.namespace{rnpadding-bottom:10px;rn}
[/CODE]

So, just to be thorough in defining the issue, here’s the code in the form’s process page that sends the user back to the form to correct errors.

[code=php]
 function procEditAccount(){
global $session, $form;
/* Account edit attempt */
$retval = $session->editAccount($_POST[‘curpass’], $_POST[‘newpass’], $_POST[’email’], $_POST[‘style’], $_POST[‘html’], $_POST[‘avatar’], $_POST[‘security_code’]);

/* Account edit successful */
if($retval){
$_SESSION[‘useredit’] = true;
header(“Location: “.$session->referrer);
}
/* Error found with form */
else{
$_SESSION[‘value_array’] = $_POST;

/* Here’s where I’d put my str_replace per the example above if I can escape the “” */

$_SESSION[‘error_array’] = $form->getErrorArray();
header(“Location: “.$session->referrer);
}
}
[/code]

I’m betting there’s a better way to do this, but this is the best solution I’ve come up with so far. Any other ideas? Regardless, I’d like to know how to escape the as I’m sure this kind of thing will come up somewhere else in my script. Thanks for you time.

to post a comment
PHP

5 Comments(s)

Copy linkTweet thisAlerts:
@sstalderMar 18.2008 — My regexp is a little rusty but this may work for your first issue:
[code=php]
$_SESSION['value_array'] = preg_replace('//','\',$_SESSION['value_array']);
$_SESSION['value_array'] = preg_replace('/n|/r/','<br />',$_SESSION['value_array']); /* I want this to start a new line */
[/code]
Copy linkTweet thisAlerts:
@jjesterjauthorMar 19.2008 — Thanks for responding but this isn't working. I've tried different syntax with preg_replace, str_replace and preg_match. It seems I need to reconvert the character encoding or something because I'm able to use the aforementioned on non ASCII portions of a field's value, just not the ASCII portions of it's value.
Copy linkTweet thisAlerts:
@NogDogMar 19.2008 — I think you are polluting the inputs with conflicting purposes: SQL sanitizing versus HTML "escaping" via character entities. On top of this, if you need to use stripslashes then you probably have the dreaded "magic quotes" turned on in your configuration.

I would recommend that:[list]
  • [*]Keep the user inputs unaltered, with the exception of running stripslashes() on them if get_magic_quotes_gpc() returns true. This is then the base user input that should be passed around within the application.

  • [*]Only apply mysql_real_escape_string() when the data is being passed to a SQL statement, [i]but apply it only to the data being passed, not to the source data.[/i] There is no need to apply htmlenities() at this time, as you are outputting the data to your database, not to HTML. Putting HTML character entities into your database may cause problems trying to search that data, may make data that should fit within a field become too large for it, etc. Besides, you may have other uses for that data at some point that has nothing to do with HTML output.

  • [*]Now, if you have to output that user input data back into the form, you still have the original inputs which can be processed through htmlentities() at the moment you actually output it back into the form, rather than some mish-mash of sql-escaped character entities that become an unreadable problem for you.
    • [/list]
    Copy linkTweet thisAlerts:
    @jjesterjauthorMar 19.2008 — Thanks for responding. I'm now researching/trying all you've mentioned. The data's sole purpose is to output HTML for user's profiles. It's a networking site like, dare I say it, Myspace. That's why htmlentities(), but perhaps you've already figured this and are saying only use htmlentites() after retrieving the data from the database and before outputting to the user's profile (and the same for the form's values when the form errors). If that's the case I have a major edit ahead of me.
    Copy linkTweet thisAlerts:
    @NogDogMar 19.2008 — ... but perhaps you've already figured this and are saying only use htmlentites() after retrieving the data from the database and before outputting to the user's profile (and the same for the form's values when the form errors). If that's the case I have a major edit ahead of me.[/QUOTE]
    Yes, that would be my recommendation. Of course, all things have to be balanced with time, cost, and schedule. ? But in the long run, I think it keeps things better organized and ultimately more flexible if you can keep your data validation and different filtering mechanisms as atomic as you reasonably can.

    If the boss breathing down your neck means you have to get it done by tomorrow, you can always keep [url=http://us3.php.net/manual/en/function.html-entity-decode.php]html_entity_decode[/url]() in your back pocket if in the future you ever want to change things and "un-entity" the data you've inserted to date.
    ×

    Success!

    Help @jjesterj spread the word by sharing this article on Twitter...

    Tweet This
    Sign in
    Forgot password?
    Sign in with TwitchSign in with GithubCreate Account
    about: ({
    version: 0.1.9 BETA 5.19,
    whats_new: community page,
    up_next: more Davinci•003 tasks,
    coming_soon: events calendar,
    social: @webDeveloperHQ
    });

    legal: ({
    terms: of use,
    privacy: policy
    });
    changelog: (
    version: 0.1.9,
    notes: added community page

    version: 0.1.8,
    notes: added Davinci•003

    version: 0.1.7,
    notes: upvote answers to bounties

    version: 0.1.6,
    notes: article editor refresh
    )...
    recent_tips: (
    tipper: @AriseFacilitySolutions09,
    tipped: article
    amount: 1000 SATS,

    tipper: @Yussuf4331,
    tipped: article
    amount: 1000 SATS,

    tipper: @darkwebsites540,
    tipped: article
    amount: 10 SATS,
    )...