#1
A Change of Season

Explain this PHP function.

If you submit the form, will the form be filled with sanitized data or not? If yes, then why does this page not escape quotes?


PHP Code:
    echo "<input type=\"text\" name=\"quantity\" value=\"".set_value('quantity', '0')."\" size=\"50\" />";
PHP Code:
    function set_value($field = '', $default = '')
    {
        if (FALSE === ($OBJ =& _get_validation_object()))
        {
            if ( ! isset($_POST[$field]))
            {
                return $default;
            }

            return form_prep($_POST[$field], $field);
        }

        return form_prep($OBJ->set_value($field, $default), $field);
    }
PHP Code:
    function form_prep($str = '', $field_name = '')
    {
        static $prepped_fields = array();

        // if the field name is an array we do this recursively
        if (is_array($str))
        {
            foreach ($str as $key => $val)
            {
                $str[$key] = form_prep($val);
            }

            return $str;
        }

        if ($str === '')
        {
            return '';
        }

        // we've already prepped a field with this name
        // @todo need to figure out a way to namespace this so
        // that we know the *exact* field and not just one with
        // the same name
        if (isset($prepped_fields[$field_name]))
        {
            return $str;
        }

        $str = htmlspecialchars($str);

        // In case htmlspecialchars misses these.
        $str = str_replace(array("'", '"'), array("'", "&quot;"), $str);

        if ($field_name != '')
        {
            $prepped_fields[$field_name] = $field_name;
        }

        return $str;
    }
#2
Contributing User
    htmlentities($str, ENT_QUOTES);

    should be used instead of htmlspecialchars

And
Code:
        // In case htmlspecialchars misses these.
        $str = str_replace(array("'", '"'), array("'", "&quot;"), $str);
is doing absolutely nothing here.
    Last edited by requinix; August 20th, 2013 at 02:01 AM. Reason: amp
#3
--
    Oh boy, this thing is f*cked up.

    If you call this function with the same field name more than once, then you don't get any escaping at all:

PHP Code:
    var_dump( form_prep('ab"', 'foo') );
    var_dump( form_prep('ab"', 'foo') );
    It looks like they've attempted some kind of caching and then stopped in the middle of it.

    The default value also doesn't get escaped. And for some reason they've fallen back to a simple htmlspecialchars($str) instead of using their own html_escape() function (which takes the character encoding into account and sets the right flags).

This is garbage, you cannot use this. And you seem to have missed my warning that you must not write the plaintext password into the HTML document (the last paragraph in the link).
    Last edited by Jacques1; August 20th, 2013 at 01:47 AM.
The 6 worst sins of security • How to (properly) access a MySQL database with PHP

Why can't I use certain words like "drop" as part of my Security Question answers?
There are certain words used by hackers to try to gain access to systems and manipulate data; therefore, the following words are restricted: "select," "delete," "update," "insert," "drop" and "null".
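The three problems raised in the thread (the static per-field-name cache that skips escaping on the second call, the single quote that plain htmlspecialchars() leaves alone, and the default value that is returned without any escaping) can be reproduced in a few lines. The following is an added example and is not code from the thread or from the framework under discussion: form_prep_as_posted() copies the posted form_prep() logic, set_value_as_posted() is the posted set_value() with the validation-object branch left out, and form_prep_hardened() is one possible replacement. Those three names, the ENT_COMPAT flag passed explicitly, and the input values are assumptions made for this demonstration.

```php
<?php
// Added example, not code from the thread or from the framework being
// discussed. Function names and input values below are assumptions.

function form_prep_as_posted($str = '', $field_name = '')
{
    static $prepped_fields = array();

    if (is_array($str)) {
        foreach ($str as $key => $val) {
            $str[$key] = form_prep_as_posted($val);
        }
        return $str;
    }

    if ($str === '') {
        return '';
    }

    // Once a field name has been seen, every later call returns the raw string.
    if (isset($prepped_fields[$field_name])) {
        return $str;
    }

    // ENT_COMPAT is what a bare htmlspecialchars() meant on PHP 5.x: double
    // quotes are escaped, single quotes are not. It is passed explicitly so
    // the demo behaves the same on PHP 8.1+, where the default flags changed.
    $str = htmlspecialchars($str, ENT_COMPAT);

    if ($field_name != '') {
        $prepped_fields[$field_name] = $field_name;
    }

    return $str;
}

function set_value_as_posted($field = '', $default = '')
{
    // The validation-object branch of the posted set_value() is omitted.
    if (! isset($_POST[$field])) {
        return $default;   // the default is returned without form_prep()
    }
    return form_prep_as_posted($_POST[$field], $field);
}

// Hardened replacement: no cache, both quote styles escaped, charset stated
// explicitly, invalid byte sequences substituted instead of emptying the string.
function form_prep_hardened($str, $charset = 'UTF-8')
{
    if (is_array($str)) {
        return array_map(function ($v) use ($charset) {
            return form_prep_hardened($v, $charset);
        }, $str);
    }
    return htmlspecialchars((string) $str, ENT_QUOTES | ENT_SUBSTITUTE, $charset);
}

// Constructed attacker-controlled values aimed at a double-quoted and a
// single-quoted attribute respectively.
$dq = 'x" onfocus="alert(1)';
$sq = "x' onfocus='alert(1)";

// 1. Cache bug: the first call for a field name escapes, the second call for
//    the same name returns the string untouched, so a view that renders the
//    field twice emits the raw value the second time.
var_dump(form_prep_as_posted($dq, 'quantity'));
var_dump(form_prep_as_posted($dq, 'quantity'));

// 2. Single quotes survive htmlspecialchars() without ENT_QUOTES, so a value
//    placed inside value='...' breaks out of the attribute.
var_dump(form_prep_as_posted($sq, 'other'));

// 3. The default is never passed through form_prep().
$_POST = array();
var_dump(set_value_as_posted('quantity', $dq));

// 4. The hardened version escapes both quote styles on every call.
var_dump(form_prep_hardened($dq));
var_dump(form_prep_hardened($sq));
var_dump(form_prep_hardened($dq));
```

Run it with `php` on the command line: the first dump shows the double quotes as `&quot;`, the second shows them bare, the single-quoted payload passes through form_prep_as_posted() unchanged, the default comes back raw, and form_prep_hardened() gives the same escaped result no matter how often it is called for the same field. The cache is the part to delete rather than fix: escaping is idempotent-safe to repeat only if the caller never double-encodes, and a per-name static that silently disables escaping is a far worse failure mode than an occasional `&amp;quot;`.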
