On Thu, 2005-02-10 at 13:45 +0100, Jochem Maas wrote:
> Ben Edwards (lists) wrote:
> > PS phpsc.net seems to be down, or is the domain wrong?
>
> er yes, oops. as Jeffery pointed out it should have been
> phpsec.org. had a brainfreeze sorry.
OK, trying to do a function to remove magic quotes from the post
variable. Something like:-
function remove_magic_quotes( &$array ) {
    // POST data is escaped by the magic_quotes_gpc setting, not
    // magic_quotes_runtime (magic_quotes_runtime() is a setter alias),
    // so read that setting once rather than per element.
    if ( !get_magic_quotes_gpc() ) {
        return;
    }
    foreach ( $array as $index => $value ) {
        if ( is_array( $value ) ) {
            // recurse into nested arrays by reference
            remove_magic_quotes( $array[$index] );
        } else {
            $array[$index] = stripslashes( $value );
        }
    }
}
But not quite there. Any ideas?
Ben
> > Ben
> >
> > On Thu, 2005-02-10 at 13:28 +0100, Jochem Maas wrote:
> >
> >>Ben Edwards (lists) wrote:
> >>
> >>>Am I correct in thinking Magic Quotes automatically adds quotes to all
> >>>posted variables, therefore if you are displaying post variables on a
> >>>form you have to remove the quotes. They are only needed if you are
> >>>actually inserting/updating into the database. Whether magic quotes
> >>>are on or not you do not actually have to do anything to data fetched
> >>>from the database. If magic quotes are not on you have to add slashes
> >>>before you add to the database.
> >>
> >>you get the gist of it.... bear in mind _many_ people including actual php
> >>developers avoid magic_quotes like the plague cos it's a PITA.
> >>
> >>basically your input to the DB should be properly escaped (there are special
> >>functions for this also, depending on your DB, I use a lot of firebird and
> >>it's capable of parameterized queries - making it impossible to do SQL
> >>injection if you use the parameterized markup).
> >>
> >>AND anything you output to the browser should be sanitized properly as
> >>well...
> >>goto phpsc.net and read everything there - its a good/solid introduction to
> >>writing secure php code (e.g. how to combat XSS etc). phpsc.net is headed
> >>by Chris Shiflett - a veritable goldmine of php related knowledge.... do
> >>yourself a favor... read his stuff :-) any questions that arise from reading
> >>that are welcome here :-)
> >>
> >>
> >>>There is also another function you need pass stuff through if you are
> >>>going to use it in an <input type=text or <textarea>, what is that
> >>>function?
> >>
> >>htmlentities()
> >>
> >>
> >>>Ben
--
Ben Edwards - Poole, UK, England
If you have a problem sending me email use this link
http://www.gurtlush.org.uk/profiles.php?uid=4
(email address this email is sent from may be defunct)
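An added example (not code from either poster) showing the whole path Jochem describes: undo magic quotes once at the edge, bind DB values as parameters instead of escaping them, and escape for HTML only at output time. It assumes PDO with the sqlite driver is available; the in-memory table and the $_POST value are constructed sample data.

```php
<?php
// 1. Undo magic_quotes_gpc exactly once, at the edge, so the rest of the
//    code only ever sees the raw user input. get_magic_quotes_gpc() was
//    removed in PHP 8, hence the function_exists() guard.
function strip_magic_quotes_deep( $value ) {
    return is_array( $value )
        ? array_map( 'strip_magic_quotes_deep', $value )
        : stripslashes( $value );
}
if ( function_exists( 'get_magic_quotes_gpc' ) && get_magic_quotes_gpc() ) {
    $_POST   = strip_magic_quotes_deep( $_POST );
    $_GET    = strip_magic_quotes_deep( $_GET );
    $_COOKIE = strip_magic_quotes_deep( $_COOKIE );
}

// Constructed sample input: a name containing a single quote, the exact
// character magic quotes was trying (badly) to deal with.
$_POST['name'] = "O'Reilly";

// 2. Database input: bind the value as a parameter. The driver keeps data
//    and SQL separate, so the quote cannot change the shape of the query
//    and no addslashes()-style escaping is needed.
$db = new PDO( 'sqlite::memory:' );
$db->setAttribute( PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION );
$db->exec( 'CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT NOT NULL)' );
$insert = $db->prepare( 'INSERT INTO users (name) VALUES (:name)' );
$insert->execute( array( ':name' => $_POST['name'] ) );

// 3. Data read back needs no unescaping: the stored value is the raw string.
$row = $db->query( 'SELECT name FROM users' )->fetch( PDO::FETCH_ASSOC );

// 4. Output: escape for the HTML context at output time. ENT_QUOTES also
//    encodes the single quote, which matters inside value='...' attributes.
$safe = htmlspecialchars( $row['name'], ENT_QUOTES, 'UTF-8' );
echo '<input type="text" name="name" value="' . $safe . '">' . "\n";
```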