spraff

Fixed (interesting) Corruption of HTML form values.


Original post:

Hello. I've been testing some basic PHP with this form:

    <input type="hidden" name="key1" value="value &quot;1&quot;" /> <input type="hidden" name="key2" value="v&amp;amp;l>u<e2" />

When I submit the form, $_POST['key1'] is value \"1\" and $_POST['key2'] is v&amp;l>u<e2. The &quot; has been read by the browser as a literal " which is fine, sensible, and expected. What is NOT fine is that the " has become an escaped \" in the _POST variable. It is part of the HTML standard that &amp; becomes & and &quot; becomes ", but AFAIK nothing says that PHP should start interpreting escape characters in the literal strings which arrive as its input. Apparently I'm wrong (unless the browser is doing it). I can start searching for and replacing \" with " but then I have to worry about occurrences of \\ or other escape characters, so is there a function that will do it all reliably? Also, given that the browser is reading the value of key1 as value "1", what is responsible for the transformation to value \"1\"?

It turns out this is an ineffective security measure intended to defeat injection attacks; it doesn't change the need to use mysql_real_escape_string or some corresponding function. It's called "magic quotes" and can be fixed by setting magic_quotes_gpc=Off in php.ini and restarting Apache (there might be a .htaccess way to do this if you don't have access to php.ini). [Edited by - spraff on July 16, 2007 6:12:55 PM]
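A runtime workaround for hosts where php.ini cannot be edited, plus the separate defence the post says is still required, as an added example that is not the poster's code: it assumes PHP 5.x (where magic_quotes_gpc can still be on) and the pdo_sqlite extension, and uses PDO bound parameters where the post mentions mysql_real_escape_string.

```php
<?php
// Added example (not the original poster's code). Assumes PHP 5.x, where
// magic_quotes_gpc may still be on, and the pdo_sqlite extension for the demo.

// Report whether magic quotes are mangling request data in this process.
function magic_quotes_active()
{
    // get_magic_quotes_gpc() was removed in PHP 8, so guard the call.
    return function_exists('get_magic_quotes_gpc') && @get_magic_quotes_gpc();
}

// Reverse magic quotes on a scalar or a nested array of request values.
// stripslashes() undoes \" \' \\ and \0 together; replacing \" alone
// would mishandle an input that already contained a backslash.
function strip_magic_quotes($value)
{
    if (is_array($value)) {
        return array_map('strip_magic_quotes', $value);
    }
    return stripslashes($value);
}

// Runtime fix when php.ini cannot be edited: strip once, as early as possible.
if (magic_quotes_active()) {
    $_GET    = strip_magic_quotes($_GET);
    $_POST   = strip_magic_quotes($_POST);
    $_COOKIE = strip_magic_quotes($_COOKIE);
}

// Store a value without relying on magic quotes or manual escaping:
// bound parameters keep the data separate from the SQL text.
function store_and_reload($pdo, $key, $value)
{
    $pdo->exec('CREATE TABLE IF NOT EXISTS form_values (k TEXT, v TEXT)');
    $insert = $pdo->prepare('INSERT INTO form_values (k, v) VALUES (:k, :v)');
    $insert->execute(array(':k' => $key, ':v' => $value));
    $select = $pdo->prepare('SELECT v FROM form_values WHERE k = :k');
    $select->execute(array(':k' => $key));
    return $select->fetchColumn();
}

// Constructed sample: what the poster's form yields after magic quotes ran.
$mangled = array('key1' => 'value \"1\"', 'key2' => 'v&l>u<e2');
$clean   = strip_magic_quotes($mangled);

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
foreach ($clean as $k => $v) {
    $stored = store_and_reload($pdo, $k, $v);
    printf("%s: %s -> stored as %s (%s)\n", $k, $mangled[$k], $stored, $stored === $v ? 'intact' : 'altered');
}
```

Stripping once at request start avoids the double-unescaping that follows when stripslashes() is also applied later in individual handlers.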
