Page 3 of 3
    #31
  1. --
    Devshed Expert (3500 - 3999 posts)

    Join Date
    Jul 2012
    Posts
    3,957
    Rep Power
    1046
    Originally Posted by ManiacDan
    array_walk
    That doesn't work with stripslashes(), because it expects the function to have two parameters for the element and the key.

    Use array_map():

    PHP Code:
    array_map('stripslashes', $arr);
    The 6 worst sins of security • How to (properly) access a MySQL database with PHP

    Why can't I use certain words like "drop" as part of my Security Question answers?
    There are certain words used by hackers to try to gain access to systems and manipulate data; therefore, the following words are restricted: "select," "delete," "update," "insert," "drop" and "null".
  2. #32
  3. No Profile Picture
    Registered User
    Devshed Newbie (0 - 499 posts)

    Join Date
    Mar 2013
    Posts
    21
    Rep Power
    0
    OK

    I managed to remove the backslashes by adding:

    Code:
    $articleDetails = stripslashes_deep($articleDetails);
    But I still have a problem with " (double quote).

    There are no backslashes, but anything after the " (double quote) is being removed.

    In order to see that, you can type:

    Article number "one"

    in the subject field in the order page

    then click 'continue', and then click 'edit' in the Shopping Cart.

    I don't have any problem with ' (single-quote) and \ (backslash).

    Thanks!!
  4. #33
  5. --
    Devshed Expert (3500 - 3999 posts)

    Join Date
    Jul 2012
    Posts
    3,957
    Rep Power
    1046
    What's much worse: You still haven't escaped your stuff. Your page happily executes any JavaScript code I feed it.

    You know what? Stop the stupid stripslashes() workarounds and approach the actual issue. Are both magic_quotes_gpc and magic_quotes_runtime turned off? Many people forget about the latter. Is the data already corrupt in the database? Or do the slashes get added later?
  6. #34
  7. No Profile Picture
    Registered User
    Devshed Newbie (0 - 499 posts)

    Join Date
    Mar 2013
    Posts
    21
    Rep Power
    0
    Here is the phpinfo:
    http://oi46.tinypic.com/sde5nt.jpg

    This is a Wordpress website, if it matters...
  8. #35
  9. --
    Devshed Expert (3500 - 3999 posts)

    Join Date
    Jul 2012
    Posts
    3,957
    Rep Power
    1046
    Originally Posted by Stevejon
    This is a Wordpress website, if it matters...
    Dude...

    Yes, that does matter, because every PHP superglobal is run through 10 Wordpress functions before you even see it.

    And since Wordpress is crap, they had the genius idea of reviving the dead "magic quotes" and force it on all $_GET, $_POST etc.

    See the call to wp_magic_quotes() around line 218 in wp-settings.php:

    PHP Code:
    function wp_magic_quotes() {
        // If already slashed, strip.
        if ( get_magic_quotes_gpc() ) {
            $_GET    = stripslashes_deep( $_GET    );
            $_POST   = stripslashes_deep( $_POST   );
            $_COOKIE = stripslashes_deep( $_COOKIE );
        }

        // Escape with wpdb.
        $_GET    = add_magic_quotes( $_GET    );
        $_POST   = add_magic_quotes( $_POST   );
        $_COOKIE = add_magic_quotes( $_COOKIE );
        $_SERVER = add_magic_quotes( $_SERVER );

        // Force REQUEST to be GET + POST.
        $_REQUEST = array_merge( $_GET, $_POST );
    }

    That's where your slashes come from.

    But since killing this "feature" would open every query to SQL injections, you have to leave it at that.

    You said everything after a double quote is being removed. I couldn't verify that. When I edit the order, I see the backslashes again.
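As an added example that is not part of the thread or of WordPress, the stand-alone PHP script below reproduces what the quoted wp_magic_quotes() does to a request and shows the two points made earlier: recurse with array_map() rather than array_walk() (post #31), and check magic_quotes_gpc / magic_quotes_runtime before blaming your own code (post #33). The demo_* functions are local stand-ins for add_magic_quotes() and stripslashes_deep(), and the request array is constructed for the demo.

```php
<?php
// Added example, not WordPress's or the thread's own code. Reproduces the
// slashing that wp_magic_quotes() applies to request data so the effect can
// be seen from the PHP CLI without WordPress. The demo_* helpers stand in
// for add_magic_quotes() / stripslashes_deep(); the request is constructed.
declare(strict_types=1);

// Stand-in for add_magic_quotes(): addslashes() applied recursively.
function demo_add_magic_quotes(array $array): array
{
    foreach ($array as $k => $v) {
        $array[$k] = is_array($v) ? demo_add_magic_quotes($v) : addslashes((string) $v);
    }
    return $array;
}

// Stand-in for stripslashes_deep(). array_map() is the right tool here:
// array_walk() hands the callback ($value, $key) and discards its return
// value, so array_walk($arr, 'stripslashes') cannot work.
function demo_stripslashes_deep($value)
{
    if (is_array($value)) {
        return array_map('demo_stripslashes_deep', $value);
    }
    return is_string($value) ? stripslashes($value) : $value;
}

// The check from post #33: is PHP itself still adding slashes on top?
// Both ini directives were removed in PHP 5.4 and get_magic_quotes_gpc()
// in PHP 8.0, hence the guard; on a current PHP both answers are false.
function demo_php_magic_quotes_status(): array
{
    return [
        'magic_quotes_gpc'     => function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc(),
        'magic_quotes_runtime' => (bool) ini_get('magic_quotes_runtime'),
    ];
}

// Constructed request: exactly what the browser sent.
$raw = [
    'subject' => 'Article number "one"',
    'author'  => "O'Reilly",
    'path'    => 'C:\\temp',
    'meta'    => ['note' => 'nested "quotes" too'],
];

// 1. By the time a plugin or theme runs, WordPress has already done this.
$_POST = demo_add_magic_quotes($raw);
echo "slashed:        ", $_POST['subject'], "\n";   // Article number \"one\"

// 2. Unslash once, at the point of use, and work from that copy.
$clean = demo_stripslashes_deep($_POST);
echo "unslashed:      ", $clean['subject'], "\n";   // Article number "one"
echo "round trip ok:  ", var_export($clean === $raw, true), "\n";   // true

// 3. Unslashing again (a global stripslashes_deep() on top of the per-use
//    one) eats backslashes the user actually typed.
$twice = demo_stripslashes_deep($clean);
echo "stripped twice: ", $twice['path'], "\n";      // C:temp  (was C:\temp)

// 4. Escaping belongs to each sink and is derived from $clean, never from
//    the slashed $_POST: $wpdb->prepare('... = %s', $clean['subject']) for
//    SQL, esc_attr() / htmlspecialchars(..., ENT_QUOTES) for HTML. Only
//    WordPress's own query layer wants the slashed form, which is why the
//    thread says not to remove it globally.
var_dump(demo_php_magic_quotes_status());
```

Run it with the php CLI. The difference between step 2 and step 3 is the whole bug: the slashes must be removed exactly once, at the point of use, and a second stripslashes_deep() over already clean data is what turns C:\temp into C:temp. Output escaping for the HTML form is a separate step (see the last post in the thread) and is also computed from the unslashed copy.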
  10. #36
  11. No Profile Picture
    Registered User
    Devshed Newbie (0 - 499 posts)

    Join Date
    Mar 2013
    Posts
    21
    Rep Power
    0
    Oh OK... So what can I do?

    Did you try that in the order page?

    Thanks!!
  12. #37
  13. --
    Devshed Expert (3500 - 3999 posts)

    Join Date
    Jul 2012
    Posts
    3,957
    Rep Power
    1046
    Originally Posted by Stevejon
    Oh OK... So what can I do?
    Currently, we don't even seem to agree on the problem.



    Originally Posted by Stevejon
    Did you try that in the order page: yeparticles.com/order?
    I get the original content without any backslashes.
  14. #38
  15. No Profile Picture
    Registered User
    Devshed Newbie (0 - 499 posts)

    Join Date
    Mar 2013
    Posts
    21
    Rep Power
    0
    If you will type:

    Article about "cars"

    in the subject field, then click 'continue', and then click 'edit' in the Shopping Cart, don't you see only:

    Article about
  16. #39
  17. Sarcky
    Devshed Supreme Being (6500+ posts)

    Join Date
    Oct 2006
    Location
    Pennsylvania, USA
    Posts
    10,846
    Rep Power
    6351
    You need to use htmlentities to encode your quotes when you output text.

    PHP Code:
    $var = 'And then she said "hello" to me';

    echo '<input type="text" name="quote" value="' . htmlentities($var) . '" />';
    HEY! YOU! Read the New User Guide and Forum Rules

    "They that can give up essential liberty to obtain a little temporary safety deserve neither liberty nor safety." -Benjamin Franklin

    "The greatest tragedy of this changing society is that people who never knew what it was like before will simply assume that this is the way things are supposed to be." -2600 Magazine, Fall 2002

    Think we're being rude? Maybe you asked a bad question or you're a Help Vampire. Trying to argue intelligently? Please read this.
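An added example, not code from the post: the script below renders the subject field the way the edit page in the Shopping Cart apparently does, then with proper attribute escaping, for the thread's own input and for a payload that turns the same missing escape into script execution (the point raised in post #33). It uses htmlspecialchars() with explicit flags rather than htmlentities(); the field name and every input string are constructed for the demo.

```php
<?php
// Added example, not code from the thread. Shows why a raw double quote
// truncates the field in the edit form and why the same spot is an XSS
// sink, then the escaped rendering. All inputs are constructed.
declare(strict_types=1);

function render_subject_unsafe(string $subject): string
{
    // What the order/edit page is effectively doing now: the first " in
    // $subject closes the attribute, everything after it is lost or
    // becomes new attributes.
    return '<input type="text" name="subject" value="' . $subject . '" />';
}

function render_subject_safe(string $subject): string
{
    // ENT_QUOTES escapes both " and ' so the value is safe in a double- or
    // single-quoted attribute; ENT_SUBSTITUTE replaces invalid UTF-8 with
    // U+FFFD instead of returning an empty string, which would otherwise
    // silently wipe the whole field.
    $escaped = htmlspecialchars($subject, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<input type="text" name="subject" value="' . $escaped . '" />';
}

$inputs = [
    'Article about "cars"',                    // the thread's case: field shows 'Article about '
    '" onfocus="alert(document.cookie)" x="',  // same hole used as XSS, no <script> needed
    "O'Reilly & <Sons>",                       // other characters that must not reach HTML raw
    "caf\xC3\xA9 \xFF",                        // valid UTF-8 followed by an invalid byte
];

foreach ($inputs as $s) {
    echo "unsafe: ", render_subject_unsafe($s), "\n";
    echo "safe:   ", render_subject_safe($s), "\n\n";
}
```

htmlentities() as used in the post also works for a double-quoted attribute, but before PHP 8.1 its default flags (ENT_COMPAT) leave single quotes alone, so pass ENT_QUOTES explicitly if an attribute is ever single-quoted. Escape at output only: the stored value stays the original text, and because the browser decodes the entities when it builds the field, the value comes back unchanged on the next submit instead of being double-encoded.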