ralph4100 Posted November 7, 2006

Hello! I'm having a bit of trouble getting htmlentities to turn '<' and '>' etc. into their safe counterparts &lt; and so forth. Anyway I've written a function to call before processing the forms on my page:

[code]
function makeUserInputSafe()
{
    //fucking users...
    foreach ($_REQUEST as $key => $value) //ugh php5 would have let me pass the value as reference but noooooo...
    {
        echo '...making '.$key.'=>'.$value.' safe...'; //this was added for debugging purposes.
        $_REQUEST[$key] = no_html($_REQUEST[$key]);
        $_REQUEST[$key] = quote_smart($_REQUEST[$key]);
        echo 'safe. ( '.$key.'=>'.$value.' )'; // $value is the loop's copy, so this still prints the raw input
    }
    return true;
}

function no_html($value)
{
    $value = htmlentities(trim($value));
    return $value;
}

function quote_smart($value)
{
    // Stripslashes
    if (get_magic_quotes_gpc()) {
        $value = stripslashes($value);
    }
    // Quote if not a number or a numeric string
    // (mysql_real_escape_string needs an open MySQL connection)
    if (!is_numeric($value)) {
        $value = "'" . mysql_real_escape_string($value) . "'";
    }
    return $value;
}
[/code]
ralph4100 Posted November 7, 2006

Looks like I'm having a bit of trouble with this site too!
ralph4100 Posted November 7, 2006

OK, so anyway, if you can read the functions above, makeUserInputSafe() runs $_REQUEST through a foreach, calling no_html() and quote_smart() for each member of the $_REQUEST array. Should be simple, no? Except when I input <script> in the name field it doesn't get un-html-ed, if you know what I mean... When I run a sample call of the function like echo htmlentities('<evil><script>'); that manages to do the trick. Why not now!!!!!!!!!?????????
alpine Posted November 7, 2006

Within your foreach loop you aren't using your key => value, you are only using key - look at this:

[code]
<?php
foreach ($_REQUEST as $key => $value)
{
    echo '...making '.$key.'=>'.$value.' safe...'; //this was added for debugging purposes.
    ${$key} = no_html($value);      // ${$key} is now returned as no_html to use further in your code
    ${$key} = quote_smart(${$key}); // same with this
    echo 'safe. ( '.$key.'=>'.$value.' )';
}
// REQUEST['example'] is now safe only within the variable $example
// (note: ${$key} names the variable after the request key, so a request
//  parameter can overwrite any existing variable of the same name)
?>
[/code]
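An added example, not code from either post, showing the behaviour the thread is arguing about: assigning back into the array by $key does update the array, but foreach hands the loop a copy in $value, so echoing $value after the assignment still shows the raw input. It also keeps HTML encoding (an output concern) separate from SQL handling; the $request array is constructed sample input standing in for $_REQUEST, and the PDO lines assume a connection you already have.

```php
<?php
// Added example (not from the thread). Assumes PHP 5.1+ for the array type
// hint, ENT_QUOTES and PDO; runs offline, the database part is comments only.

function no_html($value)
{
    // Encode for HTML output. ENT_QUOTES also turns ' into an entity so the
    // result is safe inside quoted attributes, not just between tags.
    return htmlentities(trim($value), ENT_QUOTES, 'UTF-8');
}

function sanitise_in_place(array &$input)
{
    $log = array();
    foreach ($input as $key => $value) {
        $input[$key] = no_html($value);   // updates the array itself
        // $value is the loop's copy and is NOT changed by the line above
        $log[$key] = array('copy' => $value, 'array' => $input[$key]);
    }
    return $log;
}

// Constructed sample standing in for $_REQUEST
$request = array('name' => '<script>alert(1)</script>', 'age' => '42');
$rawName = $request['name'];               // keep the raw value for the database
$log = sanitise_in_place($request);

// The array was encoded; the loop copy was not, which is what the debug echo showed
assert($log['name']['copy']  === '<script>alert(1)</script>');
assert($log['name']['array'] === '&lt;script&gt;alert(1)&lt;/script&gt;');
assert($request['name']      === '&lt;script&gt;alert(1)&lt;/script&gt;');
assert($request['age']       === '42');

// HTML encoding belongs at output time. For SQL, bind the raw value with a
// prepared statement instead of quoting by hand (PDO shown, $pdo assumed):
//   $stmt = $pdo->prepare('INSERT INTO users (name, age) VALUES (:name, :age)');
//   $stmt->execute(array(':name' => $rawName, ':age' => $request['age']));

foreach ($request as $key => $value) {
    echo $key, ' => ', $value, PHP_EOL;
}
```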
ralph4100 Posted November 7, 2006

Oh my god, I am so fucking dumb.
ralph4100 Posted November 7, 2006

THANK UUUUUUUUU