
Why won't StripSlashes() work?


kmaid


Hi,

 

I am trying to sanitize single variables or arrays of variables against SQL injection and CSS. I have been working on this for a while and seem unable to get the StripSlashes function to work. Here is my code:

 

function cleanInput($input)
{
	// Order matters: the element-specific patterns must run before the
	// generic tag stripper, otherwise the <style>...</style> and
	// <!-- ... --> wrappers are removed first and their bodies are left behind.
	$search = array(
		'@<script[^>]*?>.*?</script>@si',   // Strip out javascript
		'@<style[^>]*?>.*?</style>@siU',    // Strip style blocks, including their body
		'@<![\s\S]*?--[ \t\n\r]*>@',        // Strip multi-line comments
		'@<[\/\!]*?[^<>]*?>@si');           // Strip out remaining HTML tags
	return preg_replace($search, '', $input);
}

function libStripInputSlashes($Data)
{
    $output = array(); // so an empty array input returns an array, not an undefined variable

    if (is_array($Data))
    {
        foreach ($Data as $var => $val)
        {
            $output[$var] = libStripInputSlashes($val);
        }
    }
    else
    {
        $Data   = stripslashes($Data);       // undo one layer of backslashes
        $Data   = cleanInput($Data);         // strip script/style/tags
        $output = mysql_real_escape_string($Data); // escaped for MySQL; this is the value the caller stores
    }
    return $output;
}

 

The problem is that if I put "Test's" into the script, the first time it runs the output is correct with "Test\'s", but each additional run on "Test\'s" adds more unrequired slashes. I have tried using preg_replace but it doesn't seem to like backslashes either. Any suggestions?


The data is validated in a save function, so each time the data is saved it updates the table with the additional slashes. This means that if one of my users added a ' into their first name, every time they saved changes to their profile with a ' or \ it would add more slashes, as it would need to be re-validated.

 

I guess I could remove the slashes before I display the data, but for that I would still need stripslashes  ::)


I read that having magic quotes on could actually be the issue. How is this normally worked around?

 

It's really lame, but I may have found another solution. In the comments of the PHP manual I found a function that will only add the backslashes once. Does mysql_real_escape_string do anything other than add backslashes to 's?

 

Here is the code anyway:

 

function addslashes_once($input)
{
    // These characters are single quote ('), double quote ("), backslash (\) and NUL (the NULL byte).
    // First remove every already-escaped occurrence; if any unescaped one is left,
    // the string has not been escaped yet and addslashes() is applied once.
    $pattern = array("\\'", "\\\"", "\\\\", "\\0");
    $replace = array("", "", "", "");
    if (preg_match("/[\\\\'\"\\0]/", str_replace($pattern, $replace, $input)))
    {
        return addslashes($input);
    }
    else
    {
        return $input;
    }
}

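The slashes in the first post accumulate because the value is escaped at validation time and the escaped string is what gets stored, then re-validated on the next save. The usual way around it, and the answer to the question about magic quotes in the last post, is to undo magic_quotes_gpc exactly once at the request boundary, keep the stored value raw, and escape (or better, bind) only at the moment a query is built. The following is an added example, not code from the thread or from the PHP manual; it assumes the pdo_sqlite extension so that it runs offline, and the same PDO calls work against MySQL with a mysql: DSN. The escape table is there only to answer "what does mysql_real_escape_string escape"; it is not charset-aware, so it is not a substitute for the real function.

```php
<?php
// Added example, not from the original thread. Assumes pdo_sqlite (constructed in-memory DB).

// 1. Undo magic_quotes_gpc once, at the request boundary, and nowhere else.
//    get_magic_quotes_gpc() was removed in PHP 8, so the check is guarded.
function undo_magic_quotes($value)
{
    if (is_array($value)) {
        return array_map('undo_magic_quotes', $value);
    }
    return stripslashes($value);
}

function request_input(array $raw)
{
    if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
        return undo_magic_quotes($raw);
    }
    return $raw;
}

// 2. What mysql_real_escape_string() backslash-escapes: more than the single quote.
//    NUL, newline, carriage return, backslash, both quotes and Ctrl-Z. The real
//    function is also aware of the connection charset; this lookup table is not.
function mysql_escape_chars()
{
    return array(
        "\x00" => '\\0', "\n" => '\\n', "\r" => '\\r', "\\" => '\\\\',
        "'"    => "\\'", '"' => '\\"', "\x1a" => '\\Z',
    );
}

// 3. Store the raw value through a bound parameter. The driver quotes it for the
//    protocol, nothing is written back escaped, so repeated saves cannot add slashes.
function open_profile_db()
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE profile (id INTEGER PRIMARY KEY, first_name TEXT NOT NULL)');
    $db->exec("INSERT INTO profile (id, first_name) VALUES (1, '')");
    return $db;
}

function save_first_name(PDO $db, $id, $firstName)
{
    $stmt = $db->prepare('UPDATE profile SET first_name = :name WHERE id = :id');
    $stmt->execute(array(':name' => $firstName, ':id' => $id));
}

function load_first_name(PDO $db, $id)
{
    $stmt = $db->prepare('SELECT first_name FROM profile WHERE id = :id');
    $stmt->execute(array(':id' => $id));
    return $stmt->fetchColumn();
}

// 4. The XSS defence belongs at output time, on the raw stored value.
function display_first_name($firstName)
{
    return htmlspecialchars($firstName, ENT_QUOTES, 'UTF-8');
}

// Constructed request, as a browser would post a first name of  O'Brien <b>x</b>
$post  = array('first_name' => "O'Brien <b>x</b>");
$input = request_input($post);

$db = open_profile_db();
// Simulate the user saving the profile three times in a row, reloading between saves.
for ($i = 0; $i < 3; $i++) {
    save_first_name($db, 1, $input['first_name']);
    $input['first_name'] = load_first_name($db, 1);
}

// The stored value must still be byte-for-byte what the user typed.
if (load_first_name($db, 1) !== "O'Brien <b>x</b>") {
    throw new RuntimeException('stored value was altered by the save/load round trip');
}
echo display_first_name(load_first_name($db, 1)), "\n";
```

If a legacy code base cannot move to prepared statements yet, the same rule still holds: call mysql_real_escape_string on the raw value inside the function that builds the SQL string, and never feed its result back into anything that escapes again.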
