Mr.n Posted January 30, 2009

Dear all, I am not experienced with PHP and I am having a problem with the characters ' and ": the server always adds a slash \ before them. How can I stop this without breaking the security? Thank you.

Link: https://forums.phpfreaks.com/topic/143161-problems-with-chars-and-single-and-double-quotes/
premiso Posted January 30, 2009

Magic Quotes. Turn them off in your php.ini file and you will be gravy.

EDIT: Once they are turned off, if it is a DB entry, use mysql_real_escape_string on the data you want secured before it is entered into the DB.
printf Posted January 30, 2009

Add slashes or use database-specific functions to protect your application when you need to; otherwise remove them, because you don't need them.
Mr.n (Author) Posted January 30, 2009

The problem is that PHP adds 3 slashes: \\\'. The first two do not appear, the third appears. Is there a way to remove the third one without turning it off?
premiso Posted January 30, 2009

> The problem is that PHP adds 3 slashes: \\\'. The first two do not appear, the third appears. Is there a way to remove the third one without turning it off?

Then your code is flawed. Post some code where you access the POST data. It is better to turn that off; once PHP 6 hits, that is no longer active and any code depending on it is basically FUBAR'ed. You are taking the time now to figure out what is wrong, so why not just do the update and fix the problem also?
Mr.n (Author) Posted January 30, 2009

I turned magic quotes off and restarted Apache. Still having the same problem. I haven't added anything to $_POST; all I do is get the variable from the form:

[code]
$message = $_POST['message'];
[/code]
Mr.n (Author) Posted January 30, 2009

What is the procedure to disable the quotes?
premiso Posted January 30, 2009

Disabling Magic Quotes. That explains the different procedures you can use.

[code]
; Magic quotes
;
; Magic quotes for incoming GET/POST/Cookie data.
magic_quotes_gpc = Off

; Magic quotes for runtime-generated data, e.g. data from SQL, from exec(), etc.
magic_quotes_runtime = Off

; Use Sybase-style magic quotes (escape ' with '' instead of \').
magic_quotes_sybase = Off
[/code]

All of those would need to be turned off for magic_quotes to officially be off.
Mr.n (Author) Posted January 30, 2009

I did it, but the \' is still showing. What is the next step?

[code]
; Magic quotes
;
; Magic quotes for incoming GET/POST/Cookie data.
magic_quotes_gpc = Off

; Magic quotes for runtime-generated data, e.g. data from SQL, from exec(), etc.
magic_quotes_runtime = Off

; Use Sybase-style magic quotes (escape ' with '' instead of \').
magic_quotes_sybase = Off
[/code]
premiso Posted January 30, 2009

Can you post more code? It seems like you may be the culprit adding the slashes, not sure.
Mr.n (Author) Posted January 30, 2009

Here is the code showing how I am getting the message value via POST. Do you have any idea if this problem may be from JavaScript?

[code]
$db_result = mysql_query($db_query);
$db_row = mysql_fetch_row($db_result);
if ($sms_credit <= 0) {
    header("Location: menu.php?inc=send_sms&op=sendsmstogr&message=".urlencode($message)."&err=".urlencode("Out"));
} else if ($sms_credit < $db_row[0]) {
    header("Location: menu.php?inc=send_sms&op=sendsmstogr&message=".urlencode($message)."&err=".urlencode(""));
} else {
    $msg_flash = $_POST[msg_flash];
    $msg_unicode = $_POST[msg_unicode];
    $message = $_POST[message];
    if ($gp_code && $message) {
        $sms_type = "text";
        if ($msg_flash == "on") {
            $sms_type = "flash";
        }
        if ($msg_unicode == "on") {
            $unicode = "1";
        }
        list($ok,$to,$smslog_id) = websend2group($username,$gp_code,$message,$sms_type,$unicode);
[/code]
premiso Posted January 30, 2009

Not sure what "websend2group" does. Does it mess with the data at all? Can you post that function?
Mr.n (Author) Posted January 30, 2009

I am sure it's not from websend2group because I did a test on the condition before executing websend2group. Actually it's the playSMS script, an open source software. Here is the full code:

[code]
case "sendsmstogr":
    $message = $_GET[message];
    $db_query = "SELECT * FROM "._DB_PREF_."_tblUserGroupPhonebook WHERE uid='$uid' ORDER BY gp_name";
    $db_result = dba_query($db_query);
    while ($db_row = dba_fetch_array($db_result)) {
        $list_of_group .= "<option value=\"$db_row[gp_code]\" $selected>$db_row[gp_name] ($db_row[gp_code])</option>";
    }
    // add shared group
    $db_query = "
        SELECT
            "._DB_PREF_."_tblUserGroupPhonebook.gpid as gpid,
            "._DB_PREF_."_tblUserGroupPhonebook.gp_name as gp_name,
            "._DB_PREF_."_tblUserGroupPhonebook.gp_code as gp_code
        FROM "._DB_PREF_."_tblUserGroupPhonebook,"._DB_PREF_."_tblUserGroupPhonebook_public
        WHERE "._DB_PREF_."_tblUserGroupPhonebook.gpid="._DB_PREF_."_tblUserGroupPhonebook_public.gpid
          AND NOT ("._DB_PREF_."_tblUserGroupPhonebook_public.uid='$uid')
        ORDER BY gp_name
    ";
    $db_result = dba_query($db_query);
    while ($db_row = dba_fetch_array($db_result)) {
        $list_of_group .= "<option value=\"$db_row[gp_code]\" $selected>$db_row[gp_name] ($db_row[gp_code])</option>";
    }
    $max_length = $core_config['smsmaxlength'];
    if ($sms_sender = username2sender($username)) {
        $max_length = $max_length - strlen($sms_sender);
    } else {
        $sms_sender = "<i>not set</i>";
    }
    if ($err) {
        $content = "<p><font color=red>$err</font><p>";
    }
    if ($gateway_number) {
        $sms_from = $gateway_number;
    } else {
        $sms_from = $mobile;
    }
    // WWW
    $db_query2 = "SELECT * FROM "._DB_PREF_."_tblSMSTemplate WHERE uid='$uid'";
    $db_result2 = dba_query($db_query2);
    $j = 0;
    $option_values = "<option value=\"\" default>--Please Select--</option>";
    while ($db_row = dba_fetch_array($db_result2)) {
        $j++;
        $option_values .= "<option value=\"".$db_row[t_text]."\">".$db_row[t_title]."</option>";
        $input_values .= "<input type=\"hidden\" name=\"content_$j\" value=\"".$db_row[t_text]."\">";
    }
    // document.fm_sendsms.message.value = document.fm_smstemplate.content_num.value;
    $content .= "
        <!-- WWW -->
        <script language=\"javascript\">
        function setTemplate() {
            sellength = fm_sendsms.smstemplate.length;
            for ( i=0; i<sellength; i++) {
                if (fm_sendsms.smstemplate.options[i].selected == true) {
                    fm_sendsms.message.value = fm_sendsms.smstemplate.options[i].value;
                }
            }
        }
        </script>
        <form name=\"fm_smstemplate\">
        $input_values
        </form>
        <h2>Send broadcast SMS</h2>
        <p>
        <form name=fm_sendsms id=fm_sendsms action=menu.php?inc=send_sms&op=sendsmstogr_yes method=POST>
        <p>From: $sms_from <p>
        <p>Send to group: <select name=\"gp_code\">$list_of_group</select>
        <!--
        <table cellpadding=1 cellspacing=0 border=0>
        <tr>
        <td nowrap>
        Group(s):<br>
        <select name=\"gp_code_dump[]\" size=\"10\" multiple=\"multiple\" onDblClick=\"moveSelectedOptions(this.form['gp_code_dump[]'],this.form['gp_code[]'])\">$list_of_group</select>
        </td>
        <td width=10> </td>
        <td align=center valign=middle>
        <input type=\"button\" class=\"button\" value=\">>\" onclick=\"moveSelectedOptions(this.form['gp_code_dump[]'],this.form['gp_code[]'])\"><br><br>
        <input type=\"button\" class=\"button\" value=\"All >>\" onclick=\"moveAllOptions(this.form['gp_code_dump[]'],this.form['gp_code[]'])\"><br><br>
        <input type=\"button\" class=\"button\" value=\"<<\" onclick=\"moveSelectedOptions(this.form['gp_code[]'],this.form['gp_code_dump[]'])\"><br><br>
        <input type=\"button\" class=\"button\" value=\"All <<\" onclick=\"moveAllOptions(this.form['gp_code[]'],this.form['gp_code_dump[]'])\">
        </td>
        <td width=10> </td>
        <td nowrap>
        Send to:<br>
        <select name=\"gp_code[]\" size=\"10\" multiple=\"multiple\" onDblClick=\"moveSelectedOptions(this.form['gp_code[]'],this.form['gp_code_dump[]'])\"></select>
        </td>
        </tr>
        </table>
        -->
        <p>Or: <input type=text size=20 maxlength=20 name=gp_code_text value=\"$dst_gp_code\"> (Group name)
        <p>SMS Sender ID: $sms_sender
        <p>Message template: <select name=\"smstemplate\">$option_values</select>
        <p><input type=\"button\" onClick=\"javascript: setTemplate();\" name=\"nb\" value=\"Use Template\" class=\"button\">
        <p>Your message: <br><textarea cols=\"39\" rows=\"5\" onKeyUp=\"javascript: SmsCountKeyUp($max_length);\" onKeyDown=\"javascript: SmsCountKeyDown($max_length);\" name=\"message\" id=\"ta_sms_content\">$message</textarea>
        <br>Character left: <input value=\"$max_length\" type=\"text\" onKeyPress=\"if (window.event.keyCode == 13){return false;}\" onFocus=\"this.blur();\" size=\"3\" name=\"charNumberLeftOutput\" id=\"charNumberLeftOutput\">
        <p><input type=checkbox name=msg_flash> Send as flash message
        <p><input type=submit class=button value=Send onClick=\"selectAllOptions(this.form['gp_code[]'])\">
        </form>
    ";
    echo $content;
    break;

case "sendsmstogr_yes":
    $gp_code = $_POST[gp_code];
    if (!$gp_code[0]) {
        $gp_code = $_POST[gp_code_text];
    }
    $msg_flash = $_POST[msg_flash];
    $message = $_POST[message];
    if ($gp_code && $message) {
        $sms_type = "text";
        if ($msg_flash == "on") {
            $sms_type = "flash";
        }
        list($ok,$to,$smslog_id) = websend2group($username,$gp_code,$message,$sms_type);
        for ($i=0;$i<count($ok);$i++) {
            if ($ok[$i]) {
                $error_string .= "Your SMS for `".$to[$i]."` has been delivered to queue<br>";
            } else {
                $error_string .= "Fail to sent SMS to `".$to[$i]."`<br>";
            }
        }
        header("Location: menu.php?inc=send_sms&op=sendsmstogr&message=".urlencode($message)."&err=".urlencode($error_string));
    } else {
        header("Location: menu.php?inc=send_sms&op=sendsmstogr&message=".urlencode($message)."&err=".urlencode("You must select receiver group and your message should not be empty"));
    }
    break;
[/code]
Mr.n (Author) Posted January 30, 2009

Here are the 2 functions that are invoked in the first script:

[code]
function websend2group($username,$gp_code,$message,$sms_type='text') {
    global $apps_path, $core_config;
    global $datetime_now, $gateway_module;
    $uid = username2uid($username);
    $mobile_sender = username2mobile($username);
    $max_length = $core_config['smsmaxlength'];
    if ($sms_sender = username2sender($username)) {
        $max_length = $max_length - strlen($sms_sender) - 1;
    }
    if (strlen($message)>$max_length) {
        $message = substr ($message,0,$max_length-1);
    }
    if (is_array($gp_code)) {
        $array_gp_code = $gp_code;
    } else {
        $array_gp_code[0] = $gp_code;
    }
    $j=0;
    for ($i=0;$i<count($array_gp_code);$i++) {
        $c_gp_code = strtoupper($array_gp_code[$i]);
        $gpid = gpcode2gpid($uid,$c_gp_code);
        $db_query = "SELECT * FROM "._DB_PREF_."_tblUserPhonebook WHERE gpid='$gpid'";
        $db_result = dba_query($db_query);
        while ($db_row = dba_fetch_array($db_result)) {
            $p_num = $db_row[p_num];
            $sms_to = $p_num;
            $sms_msg = $message;
            $sms_msg = str_replace("\r","",$sms_msg);
            $sms_msg = str_replace("\n","",$sms_msg);
            $sms_msg = str_replace("\""," ",$sms_msg);
            // note: "\'" in a double-quoted PHP string is a literal backslash-quote,
            // so these calls strip magic-quote style \' from the sender/recipient only
            $mobile_sender = str_replace("\'","",$mobile_sender);
            $mobile_sender = str_replace("\"","",$mobile_sender);
            $sms_sender = str_replace("\'","",$sms_sender);
            $sms_sender = str_replace("\"","",$sms_sender);
            $sms_to = str_replace("\'","",$sms_to);
            $sms_to = str_replace("\"","",$sms_to);
            $the_msg = "$sms_to\n$sms_msg";
            $to[$j] = $sms_to;
            $ok[$j] = 0;
            if ($ret = sendsms($mobile_sender,$sms_sender,$sms_to,$sms_msg,$uid,$c_gp_code,$sms_type,$unicode)) {
                $ok[$j] = $ret['status'];
                $smslog_id[$i] = $ret['smslog_id'];
            }
            $j++;
        }
    }
    return array($ok,$to,$smslog_id);
}

function kannel_hook_sendsms($mobile_sender,$sms_sender,$sms_to,$sms_msg,$uid='',$gp_code='PV',$smslog_id=0,$sms_type='text',$unicode=0) {
    global $kannel_param;
    global $gateway_number;
    $ok = false;
    if ($gateway_number) {
        $sms_from = $gateway_number;
    } else {
        $sms_from = $mobile_sender;
    }
    if ($sms_sender) {
        $sms_msg = $sms_msg.$sms_sender;
    }
    // set failed first
    $p_status = 2;
    setsmsdeliverystatus($smslog_id,$uid,$p_status);
    $msg_type = 2; // text
    if ($sms_type=="flash") {
        $msg_type = 1; // flash
    }
    $URL = "/cgi-bin/sendsms?username=".urlencode($kannel_param['username'])."&password=".urlencode($kannel_param['password']);
    $URL .= "&from=".urlencode($sms_from)."&to=".urlencode($sms_to)."&text=".urlencode($sms_msg);
    $URL .= "&dlr-mask=31&dlr-url=".urlencode($kannel_param['playsms_web']."/plugin/gateway/kannel/dlr.php?type=%d&slid=$smslog_id&uid=$uid");
    $URL .= "&mclass=".$msg_type;
    // fsockopen() takes errno/errstr by reference itself; the original call-time "&"
    // is a fatal error on PHP 5.4 and later
    $connection = fsockopen($kannel_param['bearerbox_host'],$kannel_param['sendsms_port'],$error_number,$error_description,60);
    if($connection) {
        socket_set_blocking($connection, false);
        fputs($connection, "GET $URL HTTP/1.0\r\n\r\n");
        while (!feof($connection)) {
            $myline = fgets($connection, 128);
            if ($myline == "Sent.") {
                $ok = true;
                // set pending
                $p_status = 0;
                setsmsdeliverystatus($smslog_id,$uid,$p_status);
            }
        }
        fclose ($connection);
    }
    return $ok;
}
[/code]
premiso Posted January 30, 2009

I should have mentioned it earlier, but please use the [.code][./code] tags (remove the period). As far as it looks, everything seems fine; maybe Apache is adding the slashes? Not sure.
Mr.n (Author) Posted January 30, 2009

Man, I did detailed troubleshooting on the script before, and I ended with the same idea: that it is something from the PHP default settings or Apache! Do you have any idea if we have to change something other than the magic quotes? Anyway, thank you for your support!
Mr.n (Author) Posted January 31, 2009

Okay, it's fine now! All I have done is add stripslashes($message) in the PHP script, and it's fine. Anyway, thank you all.
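The unconditional stripslashes() in the post above removes the symptom rather than the cause. With magic_quotes_gpc on, the POST value arrives as \', and the script's own header("Location: ...&message=".urlencode($message)) round trip sends it back through $_GET, where PHP escapes it a second time to \\\', which would produce exactly the three slashes reported earlier in the thread. On a host where magic quotes really are off (check with php --ini or phpinfo() that the edited php.ini is the one the running PHP loads), the same stripslashes() call silently eats legitimate backslashes from the message. The example below is added here and is not code from playSMS or from any poster; it shows the approach premiso's first reply points at: undo magic quotes once, only if they are actually on, then escape at each boundary, with bound parameters for SQL (the modern equivalent of mysql_real_escape_string) and htmlspecialchars() for the textarea that re-displays the message. The function names, the sms_outbox table and the in-memory SQLite database standing in for the MySQL tables behind dba_query() are assumptions made so that it runs stand-alone with php-cli and pdo_sqlite.

```php
<?php
// Added example for this thread; not code from playSMS or from any poster.
// Assumptions: php-cli with pdo_sqlite. The sms_outbox table and the SQLite
// in-memory database stand in for the MySQL tables behind dba_query().

// 1. Undo magic_quotes_gpc exactly once, and only when it is really on.
//    An unconditional stripslashes() corrupts genuine backslashes on servers
//    where the setting is already off.
function magic_quotes_on()
{
    // get_magic_quotes_gpc() is always false from PHP 5.4 and gone in 8.0,
    // so on any current interpreter this returns false and nothing is stripped.
    return function_exists('get_magic_quotes_gpc') && @get_magic_quotes_gpc();
}

function clean_input($value, $magic_quotes_on)
{
    if (!$magic_quotes_on) {
        return $value;                        // already what the user typed
    }
    if (is_array($value)) {
        $out = array();
        foreach ($value as $k => $v) {
            $out[$k] = clean_input($v, true); // handles gp_code[] style arrays
        }
        return $out;
    }
    return stripslashes($value);
}

function normalize_request()
{
    $on = magic_quotes_on();
    $_GET    = clean_input($_GET, $on);
    $_POST   = clean_input($_POST, $on);
    $_COOKIE = clean_input($_COOKIE, $on);
}

// 2. SQL boundary: bind parameters instead of interpolating "... uid='$uid'".
//    For the legacy mysql_* API the equivalent is
//    mysql_real_escape_string($message, $link); it needs the live link so the
//    escaping matches the connection character set.
function store_message(PDO $db, $uid, $message)
{
    $stmt = $db->prepare('INSERT INTO sms_outbox (uid, message) VALUES (:uid, :msg)');
    $stmt->execute(array(':uid' => $uid, ':msg' => $message));
    return (int) $db->lastInsertId();
}

function load_message(PDO $db, $id)
{
    $stmt = $db->prepare('SELECT message FROM sms_outbox WHERE id = :id');
    $stmt->execute(array(':id' => $id));
    return $stmt->fetchColumn();
}

// 3. HTML boundary: the form in the thread echoes $message straight into
//    <textarea>; escaping here keeps quotes, angle brackets and backslashes intact.
function textarea_html($name, $value)
{
    return '<textarea name="' . htmlspecialchars($name, ENT_QUOTES, 'UTF-8') . '">'
         . htmlspecialchars($value, ENT_QUOTES, 'UTF-8') . '</textarea>';
}

// --- demonstration on constructed input ------------------------------------
function check($label, $ok)
{
    echo ($ok ? 'ok   ' : 'FAIL ') . $label . "\n";
}

$typed = "It's \"urgent\": path C:\\temp <b>x</b>";   // constructed sample input

// With magic_quotes_gpc on, PHP hands the script addslashes($typed): \' and \\.
check('one layer of magic quotes undone',
      clean_input(addslashes($typed), true) === $typed);
// After the POST -> header(Location) -> $_GET round trip it is escaped twice;
// each hop must be undone once, never by a blanket stripslashes() at the end.
check('two layers undone hop by hop',
      clean_input(clean_input(addslashes(addslashes($typed)), true), true) === $typed);
// With magic quotes off, the same input must pass through untouched.
check('untouched when magic quotes are off',
      clean_input($typed, false) === $typed);
check('blanket stripslashes() corrupts a real backslash',
      stripslashes($typed) !== $typed);

normalize_request();   // no-op on a modern interpreter, harmless everywhere

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE sms_outbox (id INTEGER PRIMARY KEY, uid TEXT, message TEXT)');
$id = store_message($db, 'mrn', $typed);
check('quotes survive the SQL round trip unchanged', load_message($db, $id) === $typed);

echo textarea_html('message', load_message($db, $id)), "\n";
```

Run it with php on the command line; every check line should print ok, and the last line is the textarea markup with the apostrophe, double quotes and angle brackets entity-encoded. The design point is that normalize_request() is the only place that ever strips slashes, and it is a no-op where magic quotes are off, so the same code behaves identically on the 2009 host in the thread and on a current PHP.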