
Trying to bypass this... can't have /dev/ in a text field


play_

My site is hosted on a Linux server.
And as most of us know, the Linux OS has a "dev" directory (which is causing me problems).

I am making a paste bin for my own personal use. But whenever a user has [b]/dev/[/b] or [b]/bin/[/b] in his code and clicks submit, an internal server error occurs. Which is a huge problem, because most Python scripts start with "#!/usr/bin/python".

Therefore, how can I bypass this error? I'm here reading all sorts of escaping functions and tutorials but can't do it.

You can see the problem here: [url=http://www.urban.decay.nu]www.urban.decay.nu[/url]
Just enter /dev/ or /bin/ into any input field and click submit...


Also, I use this function for inserting data into the database:

[code]
// function for escaping and trimming data before it goes into a query
function escape_data($data) {
    global $dbc; // the open mysql connection

    // undo the backslashes magic_quotes_gpc adds, so the value is not escaped twice
    if (ini_get('magic_quotes_gpc')) {
        $data = stripslashes($data);
    }

    return mysql_real_escape_string(trim($data), $dbc);
}
[/code]

Change / to its HTML equivalent (&#47;):

Add the following to the end of the escape_data function:
[code=php:0]$data = str_replace("/", "&#47;", $data);[/code]

So the function is now:
[code]// function for escaping and trimming data
function escape_data($data) {
    global $dbc;

    if (ini_get('magic_quotes_gpc')) {
        $data = stripslashes($data);
    }

    $data = mysql_real_escape_string(trim($data), $dbc);

    // replace every / with its HTML entity so the stored value never contains /dev/ or /bin/
    $data = str_replace("/", "&#47;", $data);

    return $data;
}[/code]

Thanks wildteen. I will do that, for now.

The problem with that is, the fields will hold fewer values than intended.

For example, the description field is VARCHAR(50).

So say someone enters "///".

That is supposed to count as 3 characters, but since each / gets converted to &#47;, it will count as 15.

You could do something like
str_replace("/dev/", "[dev]", $text);
and do the same for bin, then do the opposite and replace [dev] and [bin] with /dev/ and /bin/ on the display page... The only problem is, if a user actually put in [dev] or [bin], it would still get converted...
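The three ideas in the replies above (wildteen's entity replacement, the VARCHAR(50) length complaint, and Corbin's [dev] placeholders) are all encodings applied before storage, and the thread has already spotted the weakness of the placeholder one: it is not reversible when a user types the token itself. The block below is an added example, not code from the thread, written in Python rather than the thread's PHP so it runs stand-alone. It reproduces both schemes, shows the 3-to-15 length inflation and the placeholder collision, and then shows an encoding that round-trips for any input because it escapes its own escape character first, with the column limit checked on the raw text and HTML escaping applied only at display time. The thread never identifies what rejects requests containing /dev/ and /bin/ (a request filter in front of the PHP script would behave that way, but that is an assumption), so the example assumes only that those literal substrings must not appear in the stored value. All sample strings are constructed.

```python
"""Reversible encoding of the filtered path fragments.

Added example, not code from the thread. It only assumes that the literal
substrings "/dev/" and "/bin/" must not appear in what is stored; the sample
strings are constructed.
"""
import html

SLASH_ENTITY = "&#47;"  # the HTML entity for "/" used in wildteen's fix


def entity_encode(text: str) -> str:
    """wildteen's scheme: every "/" becomes the 5-character entity."""
    return text.replace("/", SLASH_ENTITY)


def entity_decode(text: str) -> str:
    return text.replace(SLASH_ENTITY, "/")


def placeholder_encode(text: str) -> str:
    """Corbin's scheme: swap the offending fragments for bracket tokens."""
    return text.replace("/dev/", "[dev]").replace("/bin/", "[bin]")


def placeholder_decode(text: str) -> str:
    return text.replace("[dev]", "/dev/").replace("[bin]", "/bin/")


def reversible_encode(text: str) -> str:
    """Percent-style escape that round-trips for any input.

    The escape character "%" is encoded first, so a "%2F" or "%25" typed by the
    user cannot be confused with one produced here.
    """
    return text.replace("%", "%25").replace("/", "%2F")


def reversible_decode(text: str) -> str:
    """Inverse of reversible_encode; only the two sequences it emits are decoded."""
    out = []
    i = 0
    while i < len(text):
        if text.startswith("%2F", i):
            out.append("/")
            i += 3
        elif text.startswith("%25", i):
            out.append("%")
            i += 3
        else:
            out.append(text[i])
            i += 1
    return "".join(out)


def round_trips(encode, decode, text: str) -> bool:
    return decode(encode(text)) == text


def fits_column(raw_text: str, limit: int = 50) -> bool:
    """Enforce the VARCHAR limit on what the user typed, not on the encoding."""
    return len(raw_text) <= limit


def render_for_html(stored: str) -> str:
    """Undo the storage encoding first, then escape for the HTML output context."""
    return html.escape(reversible_decode(stored), quote=True)


if __name__ == "__main__":
    paste = "#!/usr/bin/python  # [dev] notes, 50% done, reads /dev/null"  # constructed
    print(len(entity_encode("///")))                                    # 15
    print(round_trips(placeholder_encode, placeholder_decode, paste))   # False
    print(round_trips(reversible_encode, reversible_decode, paste))     # True
    print(render_for_html(reversible_encode("<b>/dev/</b>")))           # &lt;b&gt;/dev/&lt;/b&gt;
```

The order in render_for_html is the one that matters in practice: undo the storage encoding, then escape for the context the value is written into. Checking the column limit on the raw text rather than the encoded form is what keeps "///" counting as 3 characters while the stored form may be 15.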

Hi Corbin.
Although your approach is good, it could still cause problems.
Firstly, I thought it was only /dev/... then I figured out /bin/ caused problems too. Therefore, there could be more dirs that can cause internal errors.


The error happens when I run the query to insert the data into the database:

[code]
// every value here must already have gone through escape_data()
$query = "INSERT INTO tablename (nickname, description, language, tabs, text, ip, date_submitted) VALUES ('$nickname', '$description', '$language', '$tabs', '$text', '1', NOW())";
$result = mysql_query($query, $dbc);
if (!$result) {
    trigger_error(mysql_error($dbc), E_USER_ERROR);
}[/code]
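The query in the post above splices $nickname, $description, $language, $tabs and $text straight into the SQL string, so it is only as safe as the escaping applied to every one of them; the thread's later debugging snippet assigns $text from $_POST['textarea'] without calling escape_data at all. The block below is an added example, not code from the thread, using the standard library's sqlite3 in place of MySQL so it runs offline (the table name `pastes` and the column types are assumed; the column names are the ones in the posted query, and both pastes are constructed). It runs the same INSERT two ways: interpolated, where an ordinary script containing a quote character breaks the statement and a crafted paste overwrites the hard-coded ip column, and parameterized, where both pastes are stored verbatim and ip keeps its value. In PHP the parameterized form is a prepared statement (mysqli or PDO); mysql_real_escape_string was the best the old mysql extension offered.

```python
"""Interpolated vs. parameterized INSERT for the paste bin.

Added example, not code from the thread. SQLite (standard library) stands in
for MySQL; the table name and column types are assumed, the column names are
the ones in the posted query, and the pastes are constructed inputs.
"""
import sqlite3

COLUMNS = "nickname, description, language, tabs, text, ip, date_submitted"

# Mirrors the posted query: user values spliced into the SQL text.
INTERPOLATED_TEMPLATE = (
    "INSERT INTO pastes (" + COLUMNS + ") VALUES ('%(nickname)s', '%(description)s', "
    "'%(language)s', '%(tabs)s', '%(text)s', '1', datetime('now'))"
)

# Same statement with placeholders; the driver sends the values separately.
PARAMETERIZED = (
    "INSERT INTO pastes (" + COLUMNS + ") VALUES (?, ?, ?, ?, ?, '1', datetime('now'))"
)


def open_db() -> sqlite3.Connection:
    con = sqlite3.connect(":memory:")
    con.execute(
        "CREATE TABLE pastes (nickname TEXT, description TEXT, language TEXT, "
        "tabs TEXT, text TEXT, ip TEXT, date_submitted TEXT)"
    )
    return con


def insert_interpolated(con: sqlite3.Connection, fields: dict) -> None:
    con.execute(INTERPOLATED_TEMPLATE % fields)


def insert_parameterized(con: sqlite3.Connection, fields: dict) -> None:
    con.execute(PARAMETERIZED, (fields["nickname"], fields["description"],
                                fields["language"], fields["tabs"], fields["text"]))


def attempt(con: sqlite3.Connection, insert, fields: dict):
    """Run one insert; return None on success or the sqlite3 error class name."""
    try:
        insert(con, fields)
        con.commit()
        return None
    except sqlite3.Error as exc:
        return type(exc).__name__


def stored(con: sqlite3.Connection, nickname: str):
    row = con.execute("SELECT text, ip FROM pastes WHERE nickname = ?", (nickname,)).fetchone()
    return None if row is None else {"text": row[0], "ip": row[1]}


def demo() -> dict:
    con = open_db()
    base = {"nickname": "", "description": "test", "language": "Python", "tabs": "no"}
    results = {}

    # Constructed paste 1: a normal script whose quote ends the SQL literal early.
    script = dict(base, nickname="quote", text="#!/usr/bin/python\nopen('/dev/null')")
    results["interpolated_quote_error"] = attempt(con, insert_interpolated, script)
    results["parameterized_quote_error"] = attempt(
        con, insert_parameterized, dict(script, nickname="quote_param"))
    results["stored_quote"] = stored(con, "quote_param")["text"]

    # Constructed paste 2: closes the literal, supplies its own ip, comments out the rest.
    evil_text = "', '6.6.6.6', datetime('now')) --"
    results["interpolated_inject_error"] = attempt(
        con, insert_interpolated, dict(base, nickname="evil", text=evil_text))
    results["interpolated_ip"] = stored(con, "evil")["ip"]
    attempt(con, insert_parameterized, dict(base, nickname="evil_param", text=evil_text))
    results["parameterized_ip"] = stored(con, "evil_param")["ip"]
    results["parameterized_text"] = stored(con, "evil_param")["text"]
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, repr(value))
```

With placeholders the database never parses user text as SQL, so the paste can contain quotes, /dev/, /bin/ or anything else without affecting the statement; the escaping function becomes unnecessary for the query, and input restrictions can be decided on their own merits rather than to keep the SQL valid.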

Functions disabled by safe mode: [url=http://us3.php.net/manual/en/features.safe-mode.functions.php]http://us3.php.net/manual/en/features.safe-mode.functions.php[/url]

It says chmod is one of them.
But I have used chmod, therefore safe mode must not be on...

Updating for a moment.
The problem seems to happen before I insert it into the database.
This is giving me the error:

[code]
<form action="<?php echo htmlspecialchars($_SERVER['PHP_SELF']) . '?paste=pasteID'; ?>" method="post">
<table border="0" cellpadding="1" cellspacing="0" class="inputs">
<tr>
<td>Nickname:</td>
<td><input type="text" name="nickname" maxlength="16" class="input_field" /></td>

<td>Description:</td>
<td><input type="text" name="description" size="40" class="input_field" /></td>
</tr>

<tr>
<td>Language:</td>
<td>
<select class="option_style" name="language">
<option value="Plain Text">Plain Text</option>
<?php
// $languages is a server-side list defined elsewhere on the page
foreach ($languages as $key => $value) {
    echo '<option value="' . htmlspecialchars($value) . '">' . htmlspecialchars($value) . '</option>';
}
?>
</select>
</td>

<td>Convert tabs?</td>
<td>
<select class="option_style" name="tabs">
<option value="no">No</option>
<?php
// $spaces is a server-side list defined elsewhere on the page
foreach ($spaces as $key => $value) {
    echo '<option value="' . htmlspecialchars($value) . '">' . htmlspecialchars($value) . '</option>';
}
?>
</select>
</td>
</tr>
</table>

<textarea class="input_field" cols="90" rows="26" name="textarea" style="padding:5px;margin-bottom:5px;"></textarea><br />
<input type="submit" name="submit" value="Send" id="1" onclick="disable(1)" class="submit_button" />
</form>


<?php
// if submit was pressed
if (isset($_POST['submit'])) {
    require_once('./connectionscript.php'); // database connection
    $nickname    = escape_data($_POST['nickname']);
    $description = escape_data($_POST['description']);
    $language    = escape_data($_POST['language']);
    $tabs        = escape_data($_POST['tabs']);
    $text = $_POST['textarea'];
    $text = str_replace("/dev/", "[dev]", $text);
    // debugging output: escape for HTML so the raw paste cannot inject markup
    echo htmlspecialchars($text);
}
?>[/code]
