
stripslashes() not working

Hello all,

I’m trying to build a membership system with PHP and MySQL and I really just know the basics. My problem happens when I post the user's form info from form.html into register.php after an error check. I have a textarea that is readonly and all of the ” get a ” after the post and if I post again from register.php after the error check I get . I thought stripslashes() would remove it. Here is some of the code. Hope you can help.
————————————————-


form.html
————————————————-


[code=html]
<form action="http://www.myweb.com/register.php" method="post" name="register" id="register">
<table width="80%" border="0" cellpadding="1" cellspacing="1">
<tr bgcolor="#AA5500">
<td colspan="2" class="header1"><div align="center">YourInfo
</div></td></tr>

<tr>
<td width="50%" align="left"><span class="text">First Name:</span><br>
<input name="first_name" type="text" class="box2" id="first_name" value="<? echo $first_name; ?>">
</td>

<td align="left"><span class="text">Last Name:</span><br>
<input name="last_name" type="text" class="box2" id="last_name" value="<? echo $last_name; ?>">
</td></tr>

<tr>
<td align="left"><span class="text">Email Address:</span><br>
<input name="email_address" type="text" class="box2" id="email_address" value="<? echo $email_address; ?>">

</td>
<td width="50%" align="left"> <span class="text">Desired Username: </span><br>
<input name="username" type="text" class="box2" id="username" value="<? echo $username; ?>">
</td></tr>

<tr>
<td colspan="2" align="left"><div align="center"><br>
</div></td></tr></table>
<div align="center">
<textarea name="agreement" cols="40" rows="7" readonly wrap="VIRTUAL" class="box2" id="agreement"><? echo $agreement; ?>
"agreement"
"agreement"
"agreement"
</textarea></span></div></form>
[/code]

———————————————
register.php
———————————————


[code=php]
<?

include 'db.php';

$first_name = $_POST['first_name'];
$last_name = $_POST['last_name'];
$email_address = $_POST['email_address'];
$username = $_POST['username'];
$agreement = $_POST["agreement"];

// Strip some slashes IS THIS WRONG?
$first_name = stripslashes($first_name);
$last_name = stripslashes($last_name);
$email_address = stripslashes($email_address);
$username = stripslashes($username);
$agreement = stripslashes($agreement);

if((!$first_name) || (!$last_name) || (!$email_address) || (!$username)){
    echo 'You did not submit the following required information! <br />';
    if(!$first_name){
        echo "First Name is a required field. Please enter it below.<br />";
    }
    if(!$last_name){
        echo "Last Name is a required field. Please enter it below.<br />";
    }
    if(!$email_address){
        echo "Email Address is a required field. Please enter it below.<br />";
    }
    if(!$username){
        echo "Desired Username is a required field. Please enter it below.<br />";
    }

    include 'form.html';
    exit();
}

$sql_email_check = mysql_query("SELECT email_address FROM users
WHERE email_address='$email_address'");
$sql_username_check = mysql_query("SELECT username FROM users
WHERE username='$username'");

$email_check = mysql_num_rows($sql_email_check);
$username_check = mysql_num_rows($sql_username_check);

if(($email_check > 0) || ($username_check > 0)){
    echo "Please fix the following errors: <br />";
    if($email_check > 0){
        echo "<strong>Your email address has already been used by another member in our database. Please submit a different Email address!<br />";
        unset($email_address);
    }
    if($username_check > 0){
        echo "The username you have selected has already been used by another member in our database. Please choose a different Username!<br />";
        unset($username);
    }
    include 'form.html';
    exit();
}

function makeRandomPassword() {
    $salt = "abcdhfghjklmnopqrtuvwxyyz0123456789";
    srand((double)microtime()*1000000);
    $pass = '';
    $i = 0;
    while ($i <= 7) {
        $num = rand() % 33;
        $tmp = substr($salt, $num, 1);
        $pass = $pass . $tmp;
        $i++;
    }
    return $pass;
}

$random_password = makeRandomPassword();
$db_password = md5($random_password);

$sql = mysql_query("INSERT INTO users (first_name, last_name, email_address, username)
VALUES('$first_name', '$last_name', '$email_address', '$username', '$agreement', now())")
or die (mysql_error());

if(!$sql){
    echo 'There has been an error creating your account. Please contact the webmaster.';
} else {
    $userid = mysql_insert_id();

    $subject = "Your Membership status at Myweb.com!";
    $message = "Greetings $first_name $last_name,
Welcome to Myweb.com your membership is almost complete!

You are just a few steps away from logging in and accessing our exclusive members area.

To activate your membership, please click here:

http://www.myweb.com/activate.php?id=$userid&code=$db_password

Once you activate your membership, you will be able to login with the following information:
Username: $username
Password: $random_password

Thanks!
The Webmaster

This is an automated response, please do not reply!";

    mail($email_address, $subject, $message,
"From: MyDomain Webmaster<[email protected]>\n
X-Mailer: PHP/" . phpversion());
    echo 'Your membership information has been mailed to

your email address!
Please check it and follow the directions!';
}

?>
[/code]

@pointfiftyae Oct 22.2005 — Could you at least put your php code between php vB tags, like this [ PHP ] <your code in here> [ /PHP ] (but without the spaces between the brackets and the "PHP"). And same thing for your HTML code ([ HTML ]). It is long, unreadable and does not really make us want to help you. Thanks

@php_freedom (author) Oct 22.2005 — [QUOTE]Could you at least put your php code between php vB tags, like this [ PHP ] <your code in here> [ /PHP ] (but without the spaces between the brackets and the "PHP"). And same thing for your HTML code ([ HTML ]). It is long, unreadable and does not really make us want to help you. Thanks[/QUOTE]

Ok I did not know about the tags. I added them to the code and it makes a big difference. Can you take another look at it?

@php_freedom (author) Oct 22.2005 — I've fixed the post. Can you give it another look?

@chazzy Oct 22.2005 — Hi.

Why are you sending the agreement as a field? You don't care what agreement is, since it is read only, but you care that they are agreeing to it. Now i'm not too clear on your problem. You're getting what now?

@php_freedom (author) Oct 22.2005 — Well I guess you're right about the agreement field. I just thought it would be a good idea to have what the user agreed to in his or her record. I still have the problems in the other fields as well. Let's say a user places a " in the first_name field mistakenly; if there is info missing in any other required field the script will not continue, it will post to register.php with an error message about missing info and the first name field would have this in it along with the user's name: Yourname"

(new thought)

Maybe I'll send it without posting but what about the other fields?

@php_freedom (author) Oct 22.2005 — Chazzy can you take another look at the script?

I thought this would work but it does not. Do you have any more suggestions?
[code=php]
$first_name = stripslashes($first_name);
$last_name = stripslashes($last_name);
$email_address = stripslashes($email_address);
$username = stripslashes($username);
[/code]

@chazzy Oct 22.2005 — what happens when you do this (this is what I don't see...)

[code=php]
$first_name = stripslashes($first_name);
$last_name = stripslashes($last_name);
$email_address = stripslashes($email_address);
$username = stripslashes($username);
printf("\nfirst name: ".$first_name);
printf("\nlast name: ".$last_name);
printf("\nemail: ".$email_address);
printf("\nusername: ".$username);
[/code]


thanks.

ideally though, you want to addslashes to your input, not strip them.

in addition, you want to keep track of whether they agree or not, not what the agreement is. they cannot change the agreement so you know what it is always. you should have a radio button Do you agree with the agreement? Yes/No and return Yes/No.

@chazzy Oct 22.2005 — alright, i just went through your code to see exactly what you are trying to do, you should address the following things:

1) you're not using a salt with your md5. you will not be able to check passwords when logging in. IE if passwords are the same, they might return false on a check. [b]Edit: Ignore this statement. However, I want to point out that every password will be stored with the same key, and therefore can be figured out.[/b]

2) you can do "select count(*) from table where username='".$username."'" and the same for password and check to see that that's greater than 0. fewer operations that need to be done.

3) you're calling mysql_insert_id() but not using it.
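
An added example (not part of the original thread) for the password handling discussed above: PHP's built-in `password_hash()` salts each hash, and `random_int()` / `random_bytes()` replace the time-seeded `rand()` and the `md5($random_password)` activation code. The function name `make_random_password` and its alphabet are assumptions for illustration.

```php
<?php
// Added illustration, not code from the thread.

// Stand-in for makeRandomPassword(): characters are picked with random_int(),
// which draws from the operating system's CSPRNG instead of a time-seeded rand().
function make_random_password(int $length = 12): string   // hypothetical helper
{
    $alphabet = 'abcdefghijkmnopqrstuvwxyz23456789';       // constructed alphabet
    $password = '';
    for ($i = 0; $i < $length; $i++) {
        $password .= $alphabet[random_int(0, strlen($alphabet) - 1)];
    }
    return $password;
}

$password = make_random_password();

// md5() has no salt: the same password always gives the same stored value.
var_dump(md5($password) === md5($password));

// password_hash() generates a fresh random salt on every call, so two users
// with the same password get different stored values, and both still verify.
$stored_a = password_hash($password, PASSWORD_DEFAULT);
$stored_b = password_hash($password, PASSWORD_DEFAULT);
var_dump($stored_a === $stored_b);
var_dump(password_verify($password, $stored_a));
var_dump(password_verify($password, $stored_b));
var_dump(password_verify('wrong guess', $stored_a));

// The activation code in the e-mailed link is better generated as an
// independent random token than derived from the password hash.
$activation_code = bin2hex(random_bytes(16));
echo $activation_code, "\n";
```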

@php_freedom (author) Oct 22.2005 — Thanks for that info! I still have the issue with the posted info.

PAGE form.html

OK if this is submitted in the first_name field : James O' Nell

PAGE register.php

I get this in the first_name posted field: James O' Nell

I need to remove the I thought this would do it: $first_name = stripslashes($first_name);

@NogDog Oct 22.2005 — Before you do the stripslashes, how about doing an echo of the offending variable? I'm just wondering if somewhere along the way you've double-submitted it or something such that it's been escaped twice, resulting in the string you're stripslashing being "James O'Nell", in which case the result of the stripslash would be correct ("" represents an escaped backslash).

EDIT: Or, just remove the stripslash on this variable and check for the above "double escaping".
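
The double-escaping case described above, as an added example that is not part of the original thread. magic_quotes_gpc was removed in PHP 5.4, so its effect on POST data is simulated with `addslashes()`; the helper `after_submissions` and the sample name are constructed for illustration.

```php
<?php
// Added illustration, not code from the thread. The escaping that
// magic_quotes_gpc applied to $_POST is simulated here with addslashes().

// Hypothetical helper: the field value after $rounds submissions of a form
// that re-displays whatever the receiving script ended up with.
function after_submissions(string $typed, int $rounds, int $strips): string
{
    $value = $typed;
    for ($i = 0; $i < $rounds; $i++) {
        $value = addslashes($value);          // escaping applied to the POST data
        for ($s = 0; $s < $strips; $s++) {
            $value = stripslashes($value);    // what the script undoes per request
        }
    }
    return $value;
}

$typed = 'James "Jim" O\'Nell';               // constructed sample input

foreach ([1, 2, 3] as $rounds) {
    // No stripslashes(): every re-post adds another layer of backslashes.
    printf("round %d, never stripped: %s\n", $rounds, after_submissions($typed, $rounds, 0));
    // One stripslashes() per request undoes exactly one layer of escaping.
    printf("round %d, stripped once:  %s\n", $rounds, after_submissions($typed, $rounds, 1));
}

// Data escaped twice within a single request: one stripslashes() call is
// working correctly and still leaves a layer of backslashes behind.
$escaped_twice = addslashes(addslashes($typed));
echo stripslashes($escaped_twice), "\n";

// Stripping a value that was never escaped is also wrong: it removes
// backslashes the user actually typed.
echo stripslashes('C:\\temp'), "\n";
```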

@php_freedom (author) Oct 22.2005 — offending variable??? Come again please sir....

@chazzy Oct 22.2005 —
[code=php]
<?

include 'db.php';


$first_name = $_POST['first_name'];
$last_name = $_POST['last_name'];
$email_address = $_POST['email_address'];
$username = $_POST['username'];
$agreement = $_POST["agreement"];
[/code]


we need to see what the variables look like at this point, before stripslashes

[code=php]
// Strip some slashes IS THIS WRONG?
$first_name = stripslashes($first_name);
$last_name = stripslashes($last_name);
$email_address = stripslashes($email_address);
$username = stripslashes($username);
$agreement = stripslashes($agreement);
[/code]

@php_freedom (author) Oct 22.2005 — php manual

magic_quotes_runtime boolean

If magic_quotes_runtime is enabled, most functions that return data from any sort of external source including databases and text files will have quotes escaped with a backslash. If magic_quotes_sybase is also on, a single-quote is escaped with a single-quote instead of a backslash.

How can I change this?

@php_freedom (author) Oct 22.2005 — [QUOTE]
[code=php]
<?

include 'db.php';


$first_name = $_POST['first_name'];
$last_name = $_POST['last_name'];
$email_address = $_POST['email_address'];
$username = $_POST['username'];
$agreement = $_POST["agreement"];
[/code]


we need to see what the variables look like at this point, before stripslashes

[code=php]
// Strip some slashes IS THIS WRONG?
$first_name = stripslashes($first_name);
$last_name = stripslashes($last_name);
$email_address = stripslashes($email_address);
$username = stripslashes($username);
$agreement = stripslashes($agreement);
[/code]
[/QUOTE]


OK
[code=php]
$first_name = $_POST['first_name'];
$last_name = $_POST['last_name'];
$email_address = $_POST['email_address'];
$username = $_POST['username'];
$agreement = $_POST["agreement"];
[/code]

@chazzy Oct 22.2005 — wow...

just...wow.

i want to know what the variables values are. you just copied and pasted what i put up.

also do you know that this is on on your server?

@NogDog Oct 22.2005 — Add this to whichever page is having trouble, somewhere between the <body>...</body> tags and within a set of <?php...?> tags. This will let you see what exactly is stored in the $_POST variables before you do anything to them:

[code=php]
echo "<h2>The data I received from the form:</h2>\n";
echo "<pre>";
print_r($_POST);
echo "</pre>\n";
[/code]

@MstrBob Oct 22.2005 — These problems can pop-up if you have magic_quotes enabled, as was pointed out. Disable it if you can - it's only a headache. If not, take a look at the [URL=http://us3.php.net/get_magic_quotes_gpc]get_magic_quotes_gpc[/URL] function, and use it to determine if magic_quotes is on or off.

I'd also like to point out, that you really need to check ANY user-submitted data that goes into a MySQL query. Specifically this:

[code=php]
$sql_email_check = mysql_query("SELECT email_address FROM users
WHERE email_address='$email_address'");
$sql_username_check = mysql_query("SELECT username FROM users
WHERE username='$username'");
[/code]


Now ideally, you'd want to sanitize $email_address and $username - because users can manipulate the statement to their choosing, a very common way for people to 'hack' into websites. I'd do something along the lines of the following:

[code=php]
if(get_magic_quotes_gpc())
{
$email_address = stripslashes($email_address);
$username = stripslashes($username);
}
$email_address = mysql_real_escape_string($email_address);
$username = mysql_real_escape_string($username);
[/code]


That would be the best way to insure against SQL injection. It's similar to MySQL's own mysql_real_escape_string function, which you can use as well if you like.

[URL=http://us3.php.net/mysql_real_escape_string]mysql_real_escape_string()[/URL]
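
An added example (not part of the original thread) of the same duplicate checks written with bound parameters, since the `mysql_*` functions were removed in PHP 7.0, together with HTML encoding when a value is written back into form.html. An in-memory SQLite database stands in for the MySQL `users` table, and the helper names `is_taken` and `attr` and all sample values are constructed.

```php
<?php
// Added illustration, not code from the thread. An in-memory SQLite database
// stands in for the MySQL "users" table so the script runs on its own.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (username TEXT, email_address TEXT)');
$pdo->exec("INSERT INTO users VALUES ('jim', 'jim@example.com')");   // constructed row

// Duplicate check with a bound parameter: the value is sent as data and never
// becomes part of the SQL text, so no escaping or unescaping is involved.
function is_taken(PDO $pdo, string $column, string $value): bool    // hypothetical helper
{
    // Column names cannot be bound, so only the two known ones are accepted.
    if (!in_array($column, ['username', 'email_address'], true)) {
        throw new InvalidArgumentException('unexpected column');
    }
    $stmt = $pdo->prepare("SELECT COUNT(*) FROM users WHERE $column = ?");
    $stmt->execute([$value]);
    return (int) $stmt->fetchColumn() > 0;
}

// Encode for HTML only at output time, e.g. inside value="..." in form.html,
// so a quote in the value cannot end the attribute.
function attr(string $value): string                                 // hypothetical helper
{
    return htmlspecialchars($value, ENT_QUOTES, 'UTF-8');
}

// Constructed inputs: a name with an apostrophe, a taken name, and a value
// made of quotes and SQL keywords that must be treated as plain data.
foreach (["O'Nell", 'jim', "x' OR '1'='1"] as $username) {
    printf("%-14s taken: %s\n", $username, is_taken($pdo, 'username', $username) ? 'yes' : 'no');
}

$first_name = 'James "Jim" O\'Nell';                                 // constructed sample input
echo '<input name="first_name" value="' . attr($first_name) . '">', "\n";
```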