#1 Confused badger
    Noob escaping problem!


    Hello all
    I am sorry to ask such a beginner question but my brain doesn't seem to want to work today!

    Basically, I capture user input in a text area, the users are allowed to enter special chars such as quotes, chevrons and so on (there's no restriction really). This data is whacked into a MySQL DB (via PDO) and saved for later.

    Now, when the user reloads their submission, they're allowed to edit this field, it uses jQuery to populate the textarea thusly:
    Code:
    $('#mytextarea').val( "<?php echo $phpvariable; ?>" );
    Problem is, this breaks the script when the $phpvariable contains certain chars, notably the double-quote:
    [example]"How to write a good novel" a novel by J R Hartley

    How should I parse this (either via PHP or JS) so that it maintains the content without breaking the script?
    Thank you and please, feel free to flame away, I have searched google but as I said above, I'm having difficulty with braining today, sorry
    "For if leisure and security were enjoyed by all alike, the great mass of human beings who are normally stupefied by poverty would become literate and would learn to think for themselves; and when once they had done this, they would sooner or later realise that the privileged minority had no function and they would sweep it away"
    - George Orwell, 1984
#2 Confused badger
    My brain kicked in enough to present myself with a work-around: in the reloaded form itself, I added a check to see if $phpvariable had content and placed that inside the HTML textarea itself, so there's no need for jQuery / JS etc. to get involved, and now it's displaying in the textarea and my script's working

    Huzzah for coffee
#3 -- (Jacques1)
    Hi,

    in general, never dump raw PHP variables into a JavaScript context. This gives an attacker the perfect opportunity for cross-site scripting and makes all HTML-escaping you may do elsewhere (I hope so) completely pointless.

    See this post about a similar case.

    When you find yourself struggling with special characters, that's a clear sign you've broken the barrier between two contexts and created a code injection vulnerability. For example, many people have their first encounter with an SQL injection vulnerability when they experience problems with quotes inside user input.

    So this is a serious problem, not just a question of escaping a bunch of special characters. You need to go back and find a way to safely pass values from one context to the other.
    The 6 worst sins of security • How to (properly) access a MySQL database with PHP

    Why can't I use certain words like "drop" as part of my Security Question answers?
    There are certain words used by hackers to try to gain access to systems and manipulate data; therefore, the following words are restricted: "select," "delete," "update," "insert," "drop" and "null".
#4 Confused badger
    Thanks for the info J1; I am a little confused though as to what it is I have done wrong ...

    user enters some data in a textarea
    on submit, this is then sent via post to a mysql db and inserted via PDO
    if it's sent out to screen anywhere, I run it through htmlentities first.

    I think that the ACTUAL problem is the jQuery ... because I am using

    $('#element').val("<?php echo $data; ?>");

    (note the double-quotes wrapping the PHP) when it receives a string with double-quotes in, THAT is when it throws the wobbly.
    I think it tries to execute it as:

    $('#element').val(""How to write a good novel" a novel by J R Hartley");

    which is invalid JS (as it thinks that the words 'How to write a good novel' are JS variables which, obviously, don't exist and JS bombs out). I could change the wrapping quotes to single quotes but then I would encounter the same problem when a user enters text containing a single quote, the JS will think that it marks the end of the data and try to interpret the rest of the string as JS commands or variables at least.

    e.g. this would work:
    $('#element').val('"How to write a good novel" a novel by J R Hartley');

    but this would break:
    $('#element').val('I've had to eat a lot of sausages lately');

    Does that make the problem clearer?
    I somehow need to escape only the quotes contained within the php $data variable but not display the escaping within the textarea.

    I'm sorry if my OP didn't quite express that correctly!
    Last edited by badger_fruit; December 18th, 2013 at 07:20 AM.
#5 -- (Jacques1)
    You don't understand. This whole idea of dumping PHP variables into a JavaScript context is totally wrong. The issues with the quotes are just a symptom. That's not the real problem here.

    You need to stop using this practice altogether. It's equivalent to stuffing unescaped PHP variables into an SQL query. It's actually even worse, because JavaScript doesn't restrict you to a single command.

    So please wipe this val("<?php echo $data; ?>") stuff from your memory and use a proper way to pass PHP values to JavaScript (as explained above).
#6 Confused badger
    Ah, yes, you're right, I don't understand

    So (and please forgive me this is the first time I've done this!) I would grab the data from the DB and write the content into a hidden div like in your linked example; to then set the textarea's content / value, I would use hiddendiv.innerHTML() (or whatever the JS actually is) to set the value?
#7 -- (Jacques1)
    Originally Posted by badger_fruit
    I would grab the data from the DB and write the content into a hidden div like in your linked example; to then set the textarea's content / value, I would use hiddendiv.innerHTML() (or whatever the JS actually is) to set the value?
    Yes. And you have to decode the JSON, of course.

    As a complete example:

    PHP Code:
    <?php

    // Escape a string for an HTML text node; ENT_QUOTES also covers single quotes.
    function htmlEscape($rawInput)
    {
        return htmlspecialchars($rawInput, ENT_QUOTES | ENT_HTML401, 'utf-8');
    }

    ?>
    <!DOCTYPE HTML>
    <html xmlns="http://www.w3.org/1999/xhtml">
        <head>
            <title>foo</title>
            <meta http-equiv="Content-Type" content="text/html;charset=utf-8">
            <script src="http://code.jquery.com/jquery-2.0.3.js"></script>
            <style>
                .hidden {
                    display: none;
                }
            </style>
        </head>
        <body>
            <div id="data" class="hidden">
                <?php
                    // JSON first, then HTML-escape the JSON so it is inert inside the div.
                    echo htmlEscape(json_encode(array(
                        'x' => 42,
                    )));
                ?>
            </div>
            <script>
                // .text() returns the decoded (unescaped) characters, i.e. the plain JSON.
                var data = JSON.parse($('#data').text());
                alert('x is ' + data.x);
            </script>
        </body>
    </html>

    Comments on this post

    • badger_fruit agrees : Jacques1, thank you, this is really simple and works perfectly! I can't seem to add more than 0 rep to you but believe me, I want to give you 100!!
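The hidden-div round trip from post #7 applied to the original problem (a textarea holding user text with quotes), as an added example that is not Jacques1's code: escapeHtml() and unescapeHtml() are assumed stand-ins for PHP's htmlspecialchars() and for the browser's entity decoding behind .text(), so both sides of the exchange run in Node, and rawSpliceParses() shows the breakage from post #1 for contrast.

```javascript
// Added example, not code from the thread: the "hidden div + JSON" technique
// of post #7, run end to end in Node so the round trip can be checked offline.
// Emulates htmlspecialchars() with ENT_QUOTES (the five HTML-significant chars).
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#039;' };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

// Emulates what jQuery's .text() returns: entities decoded back to characters.
function unescapeHtml(s) {
  const map = { amp: '&', lt: '<', gt: '>', quot: '"', '#039': "'" };
  return s.replace(/&(amp|lt|gt|quot|#039);/g, (_, e) => map[e]);
}

// Server side: the text that goes inside <div id="data" class="hidden">.
function embedForHtml(value) {
  return escapeHtml(JSON.stringify(value));
}

// Client side: JSON.parse($('#data').text()) from the thread.
function readEmbedded(divText) {
  return JSON.parse(unescapeHtml(divText));
}

// The broken approach from post #1: user text spliced into a JS string literal.
// Only checks whether the generated script still parses; nothing is executed.
function rawSpliceParses(userText) {
  const src = '$("#mytextarea").val("' + userText + '");';
  try { new Function(src); return true; } catch (e) { return false; }
}

// Constructed inputs: the two strings from the thread plus one with markup
// that would close the hidden div if it reached the page unescaped.
const SAMPLES = [
  '"How to write a good novel" a novel by J R Hartley',
  "I've had to eat a lot of sausages lately",
  '</div> & <b>not markup</b>',
];

// Every sample survives embed -> decode unchanged.
function roundTripsAll() {
  return SAMPLES.every((s) => readEmbedded(embedForHtml({ text: s })).text === s);
}

// The embedded form has no raw <, > or ", so it cannot close the div or open a tag.
function embeddedIsInert() {
  return SAMPLES.every((s) => !/[<>"]/.test(embedForHtml({ text: s })));
}
```

In the real page the client then does `$('#mytextarea').val(readEmbedded(...).text)`, setting the textarea through the DOM property rather than through a generated script.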
#8 Confused badger
    okay ... that seems a lot simpler than I first thought, I shall give this a try!
    thank you for taking the time to provide a clear example, it's most appreciated (as always!)
#9 jimmyg999
    Not a newbie here, but definitely seeing a new approach to passing data from php to a page.

    Why are you using JS/JQ at ALL to push data back to your page? Why not simply just take the data from the db and put it into your tag?

    PHP Code:
    <!-- Output must still be HTML-escaped, or user text can break out of the tag. -->
    <textarea><?php echo htmlspecialchars($data, ENT_QUOTES, 'utf-8'); ?></textarea>
    You are using PDO. You should (minimally) use PDO::quote() on your input before posting it and then stripslashes to prepare it for re-display on the page when you read it from the db.

    I'm sure J1 will have some more to say (with ex. perhaps) after reading my post.
#10 Confused badger
    Hi there

    That's a good question. The form is dynamic: there are four levels of drop-down selects, the contents of which depend on the previous selections, so when I create the select in the HTML I simply write an empty SELECT and populate it with the results of a DB lookup, performed by Ajax on change of the SELECT element.

    Soooo, when the user has completed it and submitted the form to the DB, they are allowed to go back in and edit their responses if they desire.

    In order to do that and display the dynamic entries, I chose JQ to parse their selections and build the form back up that way.

    Normally, I would just use PHP, check the option value against the DB result but as that value doesn't exist until the previous selection's been made, that solution wasn't viable.
#11 -- (Jacques1)
    Originally Posted by jimmyg999
    [...] and then stripslashes to prepare it for re-display on the page when you read it from the db
    You should never have to call stripslashes(). If the strings from the database are filled with strange backslashes, it means your server still has the ancient magic quotes "feature" turned on. In the early days of PHP, this was supposed to protect badly written applications against SQL injections, but it's total nonsense.

    Turn off this feature (but make sure this doesn't break existing applications). Or even better: Upgrade your PHP. The version you're using is obsolete.