
Which Escaping Function(s)?

I’m having problems getting the right combination of escaping functions to:
1. Clean the data for database insertion and
2. Get it back out properly

The input form has a text area, and the users like pasting from Word, which copies all sorts of hidden “garbage” characters into the form as well. So anything that’s not useful text has to go. Characters like quotes and apostrophes are allowed.

I’m trying to use:

[code=php]
mysql_real_escape_string(rawurlencode(htmlentities(strip_tags($Value))));
[/code]

and then:

[code=php]rawurldecode($Value)[/code]

to get it out.

The problem is, if

[CODE]Bob’s text[/CODE]

goes in,

[CODE]Bob’s text[/CODE]

comes out.

Somehow an escaping slash is getting in there. rawurlencode adds the slash as unicode 5C, and rawurldecode should remove it, but doesn’t.

Maybe the mysql_real_escape_string function is interfering?

What functions do you recommend for cleaning MS garbage characters, and safely inserting, retrieving and displaying chunks of text?


5 Comments

@Mindzai Nov 27, 2008 — Try this:

[code=php]
$value = (get_magic_quotes_gpc()) ? stripslashes(rawurldecode($value)) : rawurldecode($value);
[/code]
@lightnb (author) Nov 27, 2008 — Thanks, that fixed the problem!

One question: Is it safe to strip slashes and/or rawurldecode a string that was not escaped or encoded? (It's easier just to stripslashes() on everything coming out of the database class.)

Or, would it make more sense just to disable magic quotes altogether? mysql_real_escape_string and rawurlencode should be enough to prevent most (all?) attacks by themselves?


Thanks again!
@Mindzai Nov 27, 2008 — mysql_real_escape_string is usually enough on its own, though you might want to consider using htmlentities too, either on input or output.

[code=php]$cleaned = mysql_real_escape_string(htmlentities($_POST['unclean']));[/code]

As for disabling magic_quotes, it's usually best to work around it as shown in my example, just because you won't have to worry about whether the setting changes or you move to a new server, etc.

If you are interacting with your database via a database object, you could just add a private method to the class which takes care of this automatically before inserting any data; then you won't have to worry about it at all.
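As an added example (not Mindzai's or lightnb's code), here is the separation the question asks about: strip the pasted garbage once on input, hand the raw text to the database through a prepared statement (PDO, swapped in for the mysql_real_escape_string the thread uses), and HTML-encode only at output, so nothing stored ever needs decoding. The `notes` table, the in-memory SQLite database and UTF-8 input are assumptions.

```php
<?php
// Added example (not from the thread). Assumes UTF-8 input and pdo_sqlite.

// 1. Clean once, on input: drop the invisible characters Word pastes bring along,
//    keep tabs, newlines and every printable character (quotes and apostrophes too).
function cleanPastedText(string $raw): string
{
    $text = strip_tags($raw);
    // C0/C1 control characters, except \t \n \r.
    $text = preg_replace('/[\x00-\x08\x0B\x0C\x0E-\x1F\x7F\x{80}-\x{9F}]/u', '', $text);
    // Zero-width and direction marks (U+200B..U+200F) and the BOM (U+FEFF).
    return preg_replace('/[\x{200B}-\x{200F}\x{FEFF}]/u', '', $text);
}

// 2. Store the cleaned text as-is. The prepared statement handles SQL quoting
//    on the wire, so nothing is permanently added to the data and nothing has
//    to be decoded on the way out (the bug in the original round trip).
function storeText(PDO $db, string $text): int
{
    $stmt = $db->prepare('INSERT INTO notes (body) VALUES (:body)');
    $stmt->execute([':body' => $text]);
    return (int) $db->lastInsertId();
}

function loadText(PDO $db, int $id): string
{
    $stmt = $db->prepare('SELECT body FROM notes WHERE id = :id');
    $stmt->execute([':id' => $id]);
    return (string) $stmt->fetchColumn();
}

// 3. Encode for the output context only at render time.
function renderHtml(string $text): string
{
    return htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Round trip against an in-memory SQLite database (table name is assumed).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE notes (id INTEGER PRIMARY KEY, body TEXT)');

// Constructed input: curly apostrophe, a zero-width space and a vertical tab.
$pasted = "Bob\u{2019}s \"quoted\" text\u{200B} with junk\x0B";
$stored = loadText($db, storeText($db, cleanPastedText($pasted)));
if ($stored !== "Bob\u{2019}s \"quoted\" text with junk") {
    throw new RuntimeException('round trip changed the text');
}
echo renderHtml($stored), PHP_EOL;
```

The apostrophe survives unchanged because the SQL layer's quoting is undone by the driver before storage, and only the HTML layer's encoding is applied, once, at the point where the text meets a browser.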
@lightnb (author) Nov 27, 2008 — MagicQuotes does its thing right when post/get data is uploaded, right?

So if I strip slashes on the GET/POST variable, I won't have to worry about them anymore?

So I could do this in the validation class:

[code=php]
function GetValueFromFieldName($FieldName)
{
    // LCGet and LCPost hold the GET/POST arrays with lower-case keys.
    $key = strtolower($FieldName);

    if (isset($this->LCGet[$key]))
        $raw = $this->LCGet[$key];
    elseif (isset($this->LCPost[$key]))
        $raw = $this->LCPost[$key];
    else
        return false;

    // Undo the slashes magic_quotes_gpc added when the request arrived.
    return get_magic_quotes_gpc() ? stripslashes($raw) : $raw;
}
[/code]


(LCGet and LCPost are arrays of all Get/Post variables, with Lower Case Keys.)
@Mindzai Nov 27, 2008 — Looks good to me.