
Confused regarding form protection (HTML, PHP)


This will be so easy for someone. I just spent 6 hours reading and I feel really stupid right now but hey... I'm learning so I thought - I'll ask you guys! I've seen some excellent examples on here for other things so I figured... why not ask. All I really want is kinda simple I'm sure... I have a form, someone fills in data, I check it via JS for validity, I check in PHP for validity, I protect the SQL. That all works fine. What doesn't work fine is... if the PHP fails and the page reloads... I have in the HTML the following which I'm sure some of you are familiar with..

<textarea name="comments" maxlength="1024" rows="6" cols="45" wrap="VIRTUAL" id="field_comments" onblur="CheckField(name, 1, 0)"><?php echo $_POST['comments']; ?></textarea>

The PHP outputs anything previously typed into the form beforehand via the echo... Easy actually. It works great because my JS and PHP USED to strip anything off that wasn't a-zA-Z0-9 etc. My friend says I should allow pretty much anything to be entered and to escape it. Ok, no problem. I escape it but when I put a single quote or double quote (testing putting weird things into the field) and it redraws it - it keeps the escaped stuff. For example.. I enter

'Dave' and I get back

\'Dave\'

and if I hit submit again.. I get...

\\'Dave\\' and so on...

Can I get it back to just 'Dave' in the form field without writing my own custom function to do that? Or is that how I have to do it?

I have a sample test page showing what I was tinkering with if you want to see the example I made.

http://newmainpcs.perrycs.com/testForm.php

Any help would be great! I tried undecoding them then re-encoding them... My main website is UTF-8 - the example doesn't really show my main site but I wrote this tiny testForm.php to try and figure this out! lol. I can do it in HTML or PHP. PHP would probably be easier since that's where the heart of the actual REAL validation is since JS can be turned off. I can give you snippets of code if you like. But, I'm sure you'll get what I'm trying to say.

Thank you for your help!

David Perry PerryCS Perry Computer Services (used to be an amazing assembly language programmer... this is what happens when you don't program for 17+ years). lol. Stuck on the simple things.


Solution

  • You either have magic_quotes activated, or you escape too much with addslashes. Use your database layer's quoting functionality instead, i.e. mysqli_escape_string.

    PHP 5.4 finally got rid of magic quotes - something that you should do, too :)


    I think your problem is that you are doing too many things to make your application safe.

    You basically only need to:

    1. Input: insert string into database, quoted with your database layer's escaping function
    2. Output: htmlspecialchars($row_from_database)

    With that, you're safe against SQL Injection (#1) and XSS (#2).

    Magic quotes try to do the escaping in #1 for people who don't care about escaping input, but that's only half-hearted (magic quotes != db layer quoting) - it can be exploited, even though it's harder than without magic quotes.

    Removing them

    As http://www.php.net/manual/en/security.magicquotes.what.php states,

    This is identical to what addslashes() does.

    First, check if they are active with get_magic_quotes_gpc(). A true indicates your input has been escaped already. Then run stripslashes() on the input variables you're working with.
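The two-step rule from the answer (quote for SQL at input, htmlspecialchars at output) and the magic-quotes check, put together in one small form handler. This is an added example, not code from the question or the answer; it assumes a mysqli connection `$db`, a table `comments` with a `body` column, and the `comments` form field from the question. Unlike the textarea in the question, the value echoed back into the page is HTML-encoded, so a submitted `'Dave'` comes back as `'Dave'` no matter how many times the form is resubmitted.

```php
<?php
// Added example (not from the question or the answer): a minimal handler that
//   1. undoes magic quotes if the PHP build still has them on (pre-5.4),
//   2. quotes the value with the database layer, only where it goes into SQL,
//   3. HTML-encodes the value, only where it goes back into the page.
// Assumed: a mysqli connection $db and a table `comments` with a `body` column.

// Step 0: one canonical copy of the raw value, exactly as the user typed it.
$comments = isset($_POST['comments']) ? $_POST['comments'] : '';

// Step 1: with magic quotes on, the value already went through addslashes().
// Undo that so $comments holds the original text ('Dave', not \'Dave\').
// get_magic_quotes_gpc() was removed in PHP 8, hence the function_exists() guard.
if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
    $comments = stripslashes($comments);
}

// Step 2 (SQL context): escape with the database layer, and only for the query.
// The escaped string is a throwaway for the SQL text; it is never written back
// into $comments, which is what causes the growing \\'Dave\\' in the question.
function save_comment(mysqli $db, $text)
{
    $sql = "INSERT INTO comments (body) VALUES ('" . $db->real_escape_string($text) . "')";
    return $db->query($sql);
}

// Same insert as a prepared statement: the value never becomes part of the SQL
// text, so there is nothing to escape and nothing to get double-escaped.
function save_comment_prepared(mysqli $db, $text)
{
    $stmt = $db->prepare("INSERT INTO comments (body) VALUES (?)");
    $stmt->bind_param('s', $text);
    return $stmt->execute();
}

// Step 3 (HTML context): encode for the page, and only for the page.
// ENT_QUOTES encodes both ' and ", so the value is also safe inside attributes.
// The browser decodes &#039;Dave&#039; back to 'Dave' when it shows the field
// and resubmits it as 'Dave', so a redraw after a failed validation is stable.
function html_value($text)
{
    return htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
}
?>
<textarea name="comments" maxlength="1024" rows="6" cols="45" id="field_comments"><?php echo html_value($comments); ?></textarea>
```

The key design point is that escaping is tied to the destination, not to the data: `$comments` is stored once in its raw form, the SQL escaping happens inside `save_comment()` on a copy, and the HTML encoding happens inside `html_value()` at the moment of output. Nothing escaped is ever fed back through the form, which is the loop that produced `\'Dave\'`, then `\\'Dave\\'` in the question.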