A PHP problem in my site

April 4th, 2013, 08:27 AM
pollyanna
Join Date: Jul 2012
Location: Germany
Quote: Originally Posted by ManiacDan
array_walk
That doesn't work with stripslashes(), because it expects the function to have two parameters for the element and the key.
Use array_map():
PHP Code:
array_map('stripslashes', $arr)

April 5th, 2013, 04:44 AM
Registered User
Join Date: Mar 2013
Posts: 21
Time spent in forums: 3 h 39 m 7 sec
Reputation Power: 0
OK
I managed to remove the backslashes by adding:
Code:
$articleDetails = stripslashes_deep($articleDetails);
But I still have a problem with " (double quote).
There are no backslashes, but anything after the " (double quote) is being removed.
In order to see that you can type:
Article number "one"
in the subject field in the order page
then click 'continue', and then click 'edit' in the Shopping Cart.
I don't have any problem with ' (single-quote) and \ (backslash).
Thanks!!

April 5th, 2013, 05:22 AM
pollyanna
Join Date: Jul 2012
Location: Germany
What's much worse: You still haven't escaped your stuff. Your page happily executes any JavaScript code I feed it.
You know what? Stop the stupid stripslashes() workarounds and approach the actual issue. Are both magic_quotes_gpc and magic_quotes_runtime turned off? Many people forget about the latter. Is the data already corrupt in the database? Or do the slashes get added later?

April 5th, 2013, 08:54 AM
Registered User
Join Date: Mar 2013
Posts: 21
Time spent in forums: 3 h 39 m 7 sec
Reputation Power: 0
Here is the phpinfo:
http://oi46.tinypic.com/sde5nt.jpg
This is a Wordpress website, if it matters...

April 5th, 2013, 09:40 AM
pollyanna
Join Date: Jul 2012
Location: Germany
Quote: Originally Posted by Stevejon
This is a Wordpress website, if it matters...
Dude...
Yes, that does matter, because every PHP superglobal is run through 10 Wordpress functions before you even see it.
And since Wordpress is crap, they had the genius idea of reviving the dead "magic quotes" and forcing it on all $_GET, $_POST etc.
See the call to wp_magic_quotes() around line 218 in wp-settings.php:
PHP Code:
function wp_magic_quotes() {
    // If already slashed, strip.
    if ( get_magic_quotes_gpc() ) {
        $_GET    = stripslashes_deep( $_GET );
        $_POST   = stripslashes_deep( $_POST );
        $_COOKIE = stripslashes_deep( $_COOKIE );
    }
    // Escape with wpdb.
    $_GET    = add_magic_quotes( $_GET );
    $_POST   = add_magic_quotes( $_POST );
    $_COOKIE = add_magic_quotes( $_COOKIE );
    $_SERVER = add_magic_quotes( $_SERVER );
    // Force REQUEST to be GET + POST.
    $_REQUEST = array_merge( $_GET, $_POST );
}
That's where your slashes come from.
But since killing this "feature" would open every query to SQL injections, you have to leave it at that.
You said everything after a double quote is being removed. I couldn't verify that. When I edit the order, I see the backslashes again.

April 5th, 2013, 09:51 AM
Registered User
Join Date: Mar 2013
Posts: 21
Time spent in forums: 3 h 39 m 7 sec
Reputation Power: 0
Oh OK... So what can I do?
Did you try that in the order page?
Thanks!!

April 5th, 2013, 10:15 AM
pollyanna
Join Date: Jul 2012
Location: Germany
Quote: Originally Posted by Stevejon
Oh OK... So what can I do?
Currently, we don't even seem to agree on the problem.
Quote: Originally Posted by Stevejon
Did you try that in the order page: yeparticles.com/order ?
I get the original content without any backslashes.

April 5th, 2013, 10:30 AM
Registered User
Join Date: Mar 2013
Posts: 21
Time spent in forums: 3 h 39 m 7 sec
Reputation Power: 0
If you type:
Article about "cars"
in the subject field, then click 'continue', and then click 'edit' in the Shopping Cart, don't you see only:
Article about

April 5th, 2013, 10:37 AM
Likely to be eaten by a grue.
Join Date: Oct 2006
Location: Pennsylvania, USA
You need to use htmlentities to encode your quotes when you output text.
PHP Code:
$var = 'And then she said "hello" to me';
echo '<input type="text" name="quote" value="' . htmlentities($var) . '" />';
__________________
HEY! YOU! Read the New User Guide and Forum Rules
"They that can give up essential liberty to obtain a little temporary safety deserve neither liberty nor safety." -Benjamin Franklin
"The greatest tragedy of this changing society is that people who never knew what it was like before will simply assume that this is the way things are supposed to be." -2600 Magazine, Fall 2002
Think we're being rude? Maybe you asked a bad question or you're a Help Vampire. Trying to argue intelligently? Please read this.
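
The two symptoms reported in this thread (value cut off at the double quote, and backslashes reappearing) side by side with the output-encoding fix, as an added example that is not code from any poster or from WordPress. The helper names and sample inputs are constructed for illustration, and parsed_value() is only a simplified model of how a browser reads a double-quoted attribute.

```php
<?php
// Added example; helper names are hypothetical, sample inputs are constructed.

// Stand-in for the slashing WordPress applies to $_GET/$_POST/$_COOKIE.
function wp_style_slash(string $raw): string
{
    return addslashes($raw);
}

// "Before": the value is concatenated into the attribute unencoded.
function render_unsafe(string $value): string
{
    return '<input type="text" name="subject" value="' . $value . '" />';
}

// "After": encode for the HTML attribute context at output time.
function render_safe(string $value): string
{
    return '<input type="text" name="subject" value="'
        . htmlentities($value, ENT_QUOTES, 'UTF-8') . '" />';
}

// Simplified model of how a browser reads a double-quoted attribute:
// everything up to the next literal ", then entity-decoded.
function parsed_value(string $html): string
{
    preg_match('/ value="([^"]*)"/', $html, $m);
    return html_entity_decode($m[1], ENT_QUOTES, 'UTF-8');
}

$samples = ['Article about "cars"', "Bob's \\ notes", '<em>cars</em>'];

foreach ($samples as $typed) {
    $received = wp_style_slash($typed);   // what code behind WordPress sees
    $stored   = stripslashes($received);  // unslash exactly once on input

    printf("typed:             %s\n", $typed);
    printf("unsafe, slashed:   %s\n", parsed_value(render_unsafe($received)));
    printf("unsafe, unslashed: %s\n", parsed_value(render_unsafe($stored)));
    printf("safe, unslashed:   %s\n\n", parsed_value(render_safe($stored)));
}
```

Only the last line of each group round-trips what was typed; the unencoded variants either stop at the first double quote or carry the added backslashes into the form.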