very weird include thing


fortnox007

Hi all, I can't find anything about this, but maybe someone knows this.

The code below works as it should, except when it is being included: for some reason the filter function doesn't work and I get a pop up... :shrug:

 

$string = "<script> alert('koekoek')</script>";

echo 'string = '.filter_var($string, FILTER_SANITIZE_SPECIAL_CHARS).'<br />';

 

-edit: the string is normally retrieved from a $_POST['var'] like:

 

$query = $_POST['query'];

    echo 'query: '.filter_var($query, FILTER_SANITIZE_SPECIAL_CHARS).'<br />';

and that's when it seems to not work when included

 

 

edit2: Now I changed the code a bit and put the filter function before echoing it, and then it works... may I assume that it should not be used in the echo directly?

$query = filter_var($_POST['query'], FILTER_SANITIZE_SPECIAL_CHARS);

echo $query;


OK, this is what I have:

 

index.php

<?php error_reporting(E_ALL);
ini_set("display_errors", 1); ?><!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" >
    <head>
        <meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
        
        <link type="text/css" rel="stylesheet" href="css/style1.css" />
       
        <title></title>
    </head>
    <body>
                    <div id="content">
                        <?php   require_once 'functions/dbconnect.php';
                                     include 'forms/simpleform.php';
                        ?>
                    </div>
    </body>
</html>

 

dbconnect.php

<?php

// credentials
$hostname = 'host';
$username = 'user';
$password = 'pass';
$database = 'db';
// connector
$dbc = mysqli_connect($hostname, $username, $password, $database)
            or die ('unable to connect to database, please try again later');
//var_dump($dbc);

//query

if(isset($_POST['submit'])&&!empty($_POST['query'])){
$query = $_POST['query'];
//$query = "SELECT username, password, study FROM users";
    echo 'query: '.filter_var($query, FILTER_SANITIZE_SPECIAL_CHARS).'<br />';
//process query
$result = mysqli_query($dbc, mysqli_real_escape_string($dbc, $query));
    if(!$result){
        echo 'error executing query '.mysqli_error($dbc);
    }else{
        echo 'total rows: '.mysqli_num_rows($result);
    }
  
}


?>

simpleform.php

<form action="<?php echo filter_var($_SERVER['PHP_SELF'], FILTER_SANITIZE_STRING); ?>" method="post">
    <input type="text" name="query" value="" size="150"/>
    <input type="submit" name="submit" value="submit" />
</form>

 

 

Edit: this is extremely weird. When I insert as query in the form

<script>alert(1)</script>

you will get a pop up

when I do

<script>alert('1')</script>

you don't... wtf?


wtf??? is this really true,

try to echo without anything else

 

$string = '<script>alert(10101010101010101)</script>';

echo 'string = '.htmlspecialchars($string).'<br />';

 

you get a pop up?? wtf

edit: hmm, that is not totally true, somehow my script above allows this to happen...


No, I didn't solve it at all  :'(

 

I am totally confused because I thought this was the right way to sanitize, but for some reason I still get the pop up when I insert when using the scripts above, so that is index.php, dbconnect.php and simpleform.php

<script>alert(somenumbers)</script>

 


Sorry Pikachu, confusing you is the last thing I want.

 

What I want is a simple form where I can insert a query, which will be executed (just for testing).

Now I would like that query to be shown after I type it. So I thought, since it's user input, I should not only sanitize the query that goes to the database, but also the query that is shown on my screen. I am just trying to learn this and I want to be certain no one can for instance fack up my site with those little pop ups.

 

So, very simple: a form to insert a query, and after submit you see your query and it is sanitized. But when I use the include stuff above it allows for the pop ups, which I don't want.


Alright, you want to insert data into the database, and display the data that was inserted as well. So assuming you're doing this via a POSTed form, and the field name for the query string is 'query_string', here's what I'd do. Give this a try and see if the results are what you're going for.

 

<?php
// form submission already verified, db connection already made.

$str = mysql_real_escape_string($_POST['query_string']);
$query = "INSERT INTO `table` (`field`) VALUES ('$str')";
// execute the query, check for success, mysql_affected_rows(), etc.

//Echo the user submitted string to the screen
echo 'The following string was inserted into the DB: ' . htmlentities($_POST['query_string'], ENT_QUOTES);


:shrug: I have no idea what I am doing wrong, but with the above setup I get the same result. It must have something to do with that include stuff. This is how I put your code in mine:

if(isset($_POST['submit'])&&!empty($_POST['query'])){
$query = $_POST['query'];
//$query = "SELECT username, password, study FROM users";
    echo 'The following string was inserted into the DB: ' . htmlentities($_POST['query'], ENT_QUOTES);
//process query
$result = mysqli_query($dbc, mysqli_real_escape_string($dbc, $query));
    if(!$result){
        echo 'error executing query '.mysqli_error($dbc);
    }else{
        echo 'total rows: '.mysqli_num_rows($result);
    }
  
}

 

Should I reinstall XAMPP maybe?

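The dbconnect.php posted in this thread encodes the echoed query but prints mysqli_error() unencoded, and MySQL syntax-error text quotes part of the failing statement, so that echo is a second path from the form input to the page. The following is an added example, not code from any poster, comparing that output pattern with one that encodes the error text too; h(), fake_syntax_error() and the sample error string are constructed for illustration, and addslashes() stands in for mysqli_real_escape_string() so the script runs without a database.

```php
<?php
// Added example (not from the thread). Encode every value at the point of
// output, including text that comes back from the database driver.

// Hypothetical helper name; htmlspecialchars() is the real PHP function.
function h($value)
{
    return htmlspecialchars((string) $value, ENT_QUOTES, 'UTF-8');
}

// Constructed stand-in for mysqli_error(): MySQL syntax errors quote the
// part of the statement the parser stopped at.
function fake_syntax_error($escapedSql)
{
    return "You have an error in your SQL syntax; check the manual that "
         . "corresponds to your MySQL server version for the right syntax "
         . "to use near '" . $escapedSql . "' at line 1";
}

// Pattern from the posted dbconnect.php: query encoded, error echoed raw.
function render_as_posted($input, $error)
{
    return 'query: ' . h($input) . '<br />'
         . 'error executing query ' . $error;
}

// Same page with the error message encoded as well.
function render_encoded($input, $error)
{
    return 'query: ' . h($input) . '<br />'
         . 'error executing query ' . h($error);
}

// Constructed inputs: the two strings tried in the thread.
$inputs = array("<script>alert(1)</script>", "<script>alert('1')</script>");

foreach ($inputs as $input) {
    // addslashes() stands in for mysqli_real_escape_string(), which needs a
    // live connection; both put a backslash before single quotes.
    $error = fake_syntax_error(addslashes($input));

    printf("input: %s\n", $input);
    printf("  as posted, raw <script> in page: %s\n",
        strpos(render_as_posted($input, $error), '<script>') !== false ? 'yes' : 'no');
    printf("  encoded,   raw <script> in page: %s\n\n",
        strpos(render_encoded($input, $error), '<script>') !== false ? 'yes' : 'no');
}
```

With the second input the raw tag is still emitted in the as-posted pattern; the backslashes added by escaping make the script body invalid JavaScript, so a browser shows no pop-up even though the markup reached the page.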

I just tested: this only happens in the above composition with these 3 files.

I am running:

PHP Version 5.3.1

System 	Windows NT LAPTOP 6.0 build 6002 (Windows Vista Home Premium Edition Service Pack 2) i586
Build Date 	Nov 20 2009 17:20:57
Compiler 	MSVC6 (Visual C++ 6.0)
Architecture 	x86
Configure Command 	cscript /nologo configure.js "--enable-snapshot-build"
Server API 	Apache 2.0 Handler
Virtual Directory Support 	enabled
Configuration File (php.ini) Path 	no value
Loaded Configuration File 	C:\php.ini
Scan this dir for additional .ini files 	(none)
Additional .ini files parsed 	(none)
PHP API 	20090626
PHP Extension 	20090626
Zend Extension 	220090626
Zend Extension Build 	API220090626,TS,VC6
PHP Extension Build 	API20090626,TS,VC6
Debug Build 	no
Thread Safety 	enabled
Zend Memory Manager 	enabled
Zend Multibyte Support 	disabled
IPv6 Support 	enabled
Registered PHP Streams 	https, ftps, php, file, glob, data, http, ftp, compress.zlib, compress.bzip2, phar, zip
Registered Stream Socket Transports 	tcp, udp, ssl, sslv3, sslv2, tls
Registered Stream Filters 	convert.iconv.*, string.rot13, string.toupper, string.tolower, string.strip_tags, convert.*, consumed, dechunk, zlib.*, bzip2.* 




I don't know what to tell you. No matter how I echo it using htmlentities, whether it's quoted or not, with or without ENT_QUOTES, I get the text echoed like it should be. The only thing I can think of is that there may be some difference in how WinD'ohs handles it. But since I don't have anything that runs win, and I can't reproduce the problem, I don't think I can be of much more help.


No problem Pikachu,

I am already extremely thankful for your help.

I added the following to suppress this, but it's not extremely nice looking:

$query = htmlentities(preg_replace("/^[(][0-9]+[)]$/", "", $_POST['query']), ENT_QUOTES);

 

Damn wind Ho's! ::)

 

Thanks a lot for the help, really appreciate it

 

P.S. I'll test this on a Unix machine, see what happens :D


Yep, it must be my Windows machine, maybe in combination with the PHP version. Just tested it on a Linux system and all was good.

 

Thanks again Pikachu!

 

Rests me to throw my Windows comp out of the window ::)
