Addslashes() doesn't work on $_POST

Re: Addslashes() doesn't work on $_POST

What am I doing wrong?Firstly, using a variable variable ($$) won't update the superglobal
$_POST, it just creates a new variable - in this case $dummy.

You can update the superglobal itself, i.e., $_POST['dummy'] =
addslashes($_PO ST['dummy']). Your loop would then be:

foreach($_POST as $key =$value)
{
$_POST[$key] = addslashes($val ue);
}

Secondly, using addslashes to quote data going into an SQL query isn't
a very good idea. If you're running PHP 5.1 (or higher) I would
strongly suggest using PDO and the prepare/bind syntax. Otherwise, if
using the mysql*_* set of functions use mysql_real_esca pe_string
(similar functions exist for the other databases supported by PHP)

Finally, you are outputting data straight to the browser with your
print commands; I'm sure this is just for debugging purposes, however
you really should take XSS attacks into account and filter the input
accordingly. For instance, addslashes cannot save you from something
like this:

<script type=text/javascript src=http://www.example.com/
someevilscript. js></script>

Hope that helps.

Re: Addslashes() doesn't work on $_POST

philjohn@gmail. com wrote:
More precisely, it's supposing that the $_POST variables are also defined in
the global scope.

That behaviour was the default in old versions of PHP (Register_globa ls =
On). Now it's off by default for security reasons.

My guess is that you copy-pasted some old code from somewhere without
understanding it first ;-)

--
----------------------------------
Iván Sánchez Ortega -ivansanchez-algarroba-escomposlinux-punto-org-

By trying we can easily learn to endure adversity. Another man's, I mean.
-- Mark Twain

Re: Addslashes() doesn't work on $_POST

philjohn@gmail. com wrote:
When using PDO you mean the prepare insert statement should be used? Can
you please give a small example?

Thanks

Re: Addslashes() doesn't work on $_POST

..oO(Gilles Ganault)
No, you don't need to apply addslashes() to each and every item. Instead
you should consider $_GET and $_POST read-only and use the appropriate
escaping functions when and where they're really needed, for example
mysql_real_esca pe_string() when inserting the data into a MySQL DB (in
this case prepared statements would be the better way, though).

IMHO the only acceptable write-access to these arrays is stripslashes()
to remove magic quotes if they're enabled and can't be turned off. But
besides that they shouldn't be touched and just be seen as the raw data
input. The escaping takes place when the data is used.

Micha

Re: Addslashes() doesn't work on $_POST

On Mon, 18 Feb 2008 16:42:35 -0800 (PST), philjohn@gmail. com wrote:Thanks guys. For those interested, here's some working code, using
either bindParam() or an array:

<?php
switch ($_POST['status']) {
case "Test":
$dbh = new PDO("sqlite:tes t.sqlite");

//Good
//$sql = "INSERT INTO mytable VALUES (:dummy)";
//$stmt = $dbh->prepare($sql );
//$stmt->bindParam(":du mmy", $_POST['dummy']);
//$insert->execute();

try {
$insert = $dbh->prepare("INSER T INTO mytable (dummy) VALUES
(?)");
$insert->execute(array( $_POST['dummy']));
} catch (Exception $e) {
echo "Failed : " . $e->getMessage() ;
}

$dbh = null;
break;

default:
echo "<form method=post>";
echo "<input type=text name=dummy>";
echo "<input type=submit name=status value=Test>";
echo "</form>";
break;
}
?>