fortnox007 Posted February 6, 2011

Hi all, I can't find anything about this, but maybe someone knows this. The code below works as it should, except when it is being included: for some reason the filter function doesn't work and I get a pop-up...

```php
$string = "<script> alert('koekoek')</script>";
echo 'string = '.filter_var($string, FILTER_SANITIZE_SPECIAL_CHARS).'<br />';
```

Edit: the string is normally retrieved from a $_POST['var'] like:

```php
$query = $_POST['query'];
echo 'query: '.filter_var($query, FILTER_SANITIZE_SPECIAL_CHARS).'<br />';
```

and that's when it seems to not work when included.

Edit 2: Now I changed the code a bit and put the filter function before echoing it, and then it works... May I assume that it should not be used in the echo directly?

```php
$query = filter_var($_POST['query'], FILTER_SANITIZE_SPECIAL_CHARS);
echo $query;
```
Pikachu2000 Posted February 6, 2011

It doesn't exhibit that problem for me. Post the code that include()s it.
fortnox007 Posted February 6, 2011 (Author)

OK, this is what I have:

index.php

```php
<?php
error_reporting(E_ALL);
ini_set("display_errors", 1);
?><!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" >
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
<link type="text/css" rel="stylesheet" href="css/style1.css" />
<title></title>
</head>
<body>
<div id="content">
<?php
require_once 'functions/dbconnect.php';
include 'forms/simpleform.php';
?>
</div>
</body>
</html>
```

dbconnect.php

```php
<?php
// credentials
$hostname = 'host';
$username = 'user';
$password = 'pass';
$database = 'db';

// connector
$dbc = mysqli_connect($hostname, $username, $password, $database) or die ('unable to connect to database, please try again later');
//var_dump($dbc);

//query
if(isset($_POST['submit'])&&!empty($_POST['query'])){
    $query = $_POST['query'];
    //$query = "SELECT username, password, study FROM users";
    echo 'query: '.filter_var($query, FILTER_SANITIZE_SPECIAL_CHARS).'<br />';
    //process query
    $result = mysqli_query($dbc, mysqli_real_escape_string($dbc, $query));
    if(!$result){
        echo 'error executing query '.mysqli_error($dbc);
    }else{
        echo 'total rows: '.mysqli_num_rows($result);
    }
}
?>
```

simpleform.php

```php
<form action="<?php echo filter_var($_SERVER['PHP_SELF'], FILTER_SANITIZE_STRING); ?>" method="post">
<input type="text" name="query" value="" size="150"/>
<input type="submit" name="submit" value="submit" />
</form>
```

Edit: this is extremely weird. When I insert `<script>alert(1)</script>` as the query in the form you will get a pop-up; when I do `<script>alert('1')</script>` you don't... wtf?
fortnox007 Posted February 6, 2011 (Author)

wtf??? Is this really true? Try to echo without anything else:

```php
$string = '<script>alert(10101010101010101)</script>';
echo 'string = '.htmlspecialchars($string).'<br />';
```

You get a pop-up?? wtf

Edit: hmm, that is not totally true; somehow my script above allows this to happen...
Pikachu2000 Posted February 6, 2011

Apparently you were editing while I was posting. Sounds like you've resolved the problem?
fortnox007 Posted February 6, 2011 (Author)

No, I didn't solve it at all :'( I am totally confused, because I thought this was the right way to sanitize, but for some reason I still get the pop-up when I insert the following while using the scripts above (so that is index.php, dbconnect.php and simpleform.php):

`</script>alert(somenumbers)</script>`
Pikachu2000 Posted February 6, 2011

What is the result you're trying to achieve here? Do you want a popup, do you want to echo the string, or . . . ? All you're doing right now is confusing me.
fortnox007 Posted February 6, 2011 (Author)

Sorry Pikachu, confusing you is the last thing I want. What I want is a simple form where I can insert a query, which will be executed (just for testing). Now I would like that query to be shown after I type it. So I thought, since it's user input, I should not only sanitize the query that goes to the database, but also the query that is shown on my screen. I am just trying to learn this and I want to be certain no one can, for instance, fack up my site with those little pop-ups. So, very simply: a form to insert a query, and after submit you see your query and it is sanitized. But when I use the include stuff above it allows for the pop-ups, which I don't want.
Pikachu2000 Posted February 6, 2011

Alright, you want to insert data into the database, and display the data that was inserted as well. So assuming you're doing this via a POSTed form, and the field name for the query string is 'query_string', here's what I'd do. Give this a try and see if the results are what you're going for.

```php
<?php
// form submission already verified, db connection already made.
$str = mysql_real_escape_string($_POST['query_string']);
$query = "INSERT INTO `table` (`field`) VALUES ('$str')";
// execute the query, check for success, mysql_affected_rows(), etc.

//Echo the user submitted string to the screen
echo 'The following string was inserted into the DB: ' . htmlentities($_POST['query_string'], ENT_QUOTES);
```
fortnox007 Posted February 6, 2011 (Author)

Thanks Pikachu, I'll give that a go. It just seemed as if I were not able to directly put that sanitation function in the echo. Sorry for my confusing way of posting; I was just totally confused myself. Thanks!
fortnox007 Posted February 6, 2011 (Author)

I have no idea what I am doing wrong, but with the above setup I get the same result. It must have something to do with that include stuff. This is how I put your code in mine:

```php
if(isset($_POST['submit'])&&!empty($_POST['query'])){
    $query = $_POST['query'];
    //$query = "SELECT username, password, study FROM users";
    echo 'The following string was inserted into the DB: ' . htmlentities($_POST['query'], ENT_QUOTES);
    //process query
    $result = mysqli_query($dbc, mysqli_real_escape_string($dbc, $query));
    if(!$result){
        echo 'error executing query '.mysqli_error($dbc);
    }else{
        echo 'total rows: '.mysqli_num_rows($result);
    }
}
```

Should I reinstall xampp maybe?
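An added example, not code from the thread: in the dbconnect.php block above the echoed query is escaped, but the error branch still prints `mysqli_error()` raw, and when the submitted text is not valid SQL that message quotes the offending statement verbatim, so the input is reflected into the page unescaped (the quoted-vs-unquoted difference reported earlier fits this, since `mysqli_real_escape_string()` turns `'` into `\'` and breaks the quoted script). The error string below is a constructed stand-in for MySQL's real syntax-error message so the block runs without a database.

```php
<?php
// Escape helper for an HTML text context: ENT_QUOTES covers both quote
// styles, and an explicit charset avoids older PHP defaults guessing.
function h(string $text): string
{
    return htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Same output as dbconnect.php, but every branch is escaped, including the
// database error text, which is just as user-controlled as the query itself.
function render_query_outcome(string $query, $result, string $dbError, int $rows = 0): string
{
    $html = 'query: ' . h($query) . '<br />';
    if ($result === false) {
        $html .= 'error executing query ' . h($dbError) . '<br />';
    } else {
        $html .= 'total rows: ' . $rows . '<br />';
    }
    return $html;
}

// Constructed input and a constructed stand-in for the MySQL syntax error
// (the real message also quotes the statement text after "near").
$input   = "<script>alert(1)</script>";
$dbError = "You have an error in your SQL syntax; check the manual that "
    . "corresponds to your MySQL server version for the right syntax to use "
    . "near '" . $input . "' at line 1";

// What the thread's code produces on a failed query: raw tag in the page.
$unescaped = 'error executing query ' . $dbError;
// What the escaped version produces: the tag is rendered as text.
$escaped = render_query_outcome($input, false, $dbError);

echo "unescaped contains <script>: ", var_export(strpos($unescaped, '<script>') !== false, true), "\n";
echo "escaped contains <script>:   ", var_export(strpos($escaped, '<script>') !== false, true), "\n";
echo $escaped, "\n";
```

Run it with `php example.php`; the first line prints true, the second false, and the rendered error text shows `&lt;script&gt;` instead of a live tag.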
Pikachu2000 Posted February 6, 2011

Post the exact string you're using to test this so I can try it locally. Also, what version of PHP are you running?
fortnox007 Posted February 6, 2011 (Author)

`<script>alert(1)</script>` - anything with just numbers works, as long as it's not quoted. If you want I can upload the files as is, but you pretty much have them.
fortnox007 Posted February 6, 2011 (Author)

I just tested this; it only happens in the above composition with these 3 files. I am running:

```
PHP Version 5.3.1
System: Windows NT LAPTOP 6.0 build 6002 (Windows Vista Home Premium Edition Service Pack 2) i586
Build Date: Nov 20 2009 17:20:57
Compiler: MSVC6 (Visual C++ 6.0)
Architecture: x86
Configure Command: cscript /nologo configure.js "--enable-snapshot-build"
Server API: Apache 2.0 Handler
Virtual Directory Support: enabled
Configuration File (php.ini) Path: no value
Loaded Configuration File: C:\php.ini
Scan this dir for additional .ini files: (none)
Additional .ini files parsed: (none)
PHP API: 20090626
PHP Extension: 20090626
Zend Extension: 220090626
Zend Extension Build: API220090626,TS,VC6
PHP Extension Build: API20090626,TS,VC6
Debug Build: no
Thread Safety: enabled
Zend Memory Manager: enabled
Zend Multibyte Support: disabled
IPv6 Support: enabled
Registered PHP Streams: https, ftps, php, file, glob, data, http, ftp, compress.zlib, compress.bzip2, phar, zip
Registered Stream Socket Transports: tcp, udp, ssl, sslv3, sslv2, tls
Registered Stream Filters: convert.iconv.*, string.rot13, string.toupper, string.tolower, string.strip_tags, convert.*, consumed, dechunk, zlib.*, bzip2.*
```
Pikachu2000 Posted February 6, 2011

I don't know what to tell you. No matter how I echo it using htmlentities, whether it's quoted or not, with or without ENT_QUOTES, I get the text echoed like it should be. The only thing I can think of is that there may be some difference in how WinD'ohs handles it. But since I don't have anything that runs Win, and I can't reproduce the problem, I don't think I can be of much more help.
fortnox007 Posted February 6, 2011 (Author)

No problem Pikachu, I am already extremely thankful for your help. I added the following to suppress this, but it's not extremely nice looking:

```php
$query = htmlentities(preg_replace("/^[(][0-9]+[)]$/", "", $_POST['query']), ENT_QUOTES);
```

Damn Wind Ho's! Thanks a lot for the help, really appreciate it.

P.S. I'll test this on a Unix machine and see what happens.
fortnox007 Posted February 6, 2011 (Author)

Yep, it must be my Windows machine, maybe in combination with the PHP version. Just tested it on a Linux system and all was good. Thanks again Pikachu! It remains for me to throw my Windows computer out of the window.