Trying to bypass this... can't have /dev/ in a text field

[play_]

My site is hosted on a linux server.
And as most of us know, the linux OS has a "dev" directory. (which is causing me problems)

I am making a paste bin for own personal use. But whenever a user has [b]/dev/[/b] or [b]/bin/[/b] in his code, and clicks submit, an internal server error occurs. Which is a huge problem because most python scripts start with "#!/usr/bin/ python".

Therefore, how can i bypass this error? Im here reading all sorts of escaping functions and tutorials but can't do it.

You can see the problem here: [url=http://www.urban.decay.nu]www.urban.decay.nu[/url]
just enter /dev/ or /bin/ into any input field and click submit...


Also, i use this function for inserting data into the database:

[code]
//function for escaping and trimming data
function escape_data($data) {
global $dbc;
if (ini_get('magic_quotes_gpc')) {
$data = stripslashes($data);
} return mysql_real_escape_string(trim($data), $dbc);
}[/code]

[wildteen88]

change / to its HTML equivalent:

add the following to the end of escape_date function
[code=php:0]$data = str_replace("/", "/", $data);[/code]

SO the function is now:
[code]//function for escaping and trimming data
function escape_data($data) {
global $dbc;
if (ini_get('magic_quotes_gpc')) {
$data = stripslashes($data);
}

    $data = mysql_real_escape_string(trim($data), $dbc)

    $data = str_replace("/", "/", $data);

return $data;
}[/code]

[play_]

Thanks wildteen. I will do that, for now.

The problem with that is, the fields will hold less values than intended.

for example, the description field, is VARCHAR(50).

so say someone enters "///"

that is supposed to count as 3 characters. but since it gets converted to /, it will count as 15.

[play_]

bumping because people are off work now

[corbin]

You could do something like
str_replace("/dev/", "[dev]");
and do the same for bin, then do the opposite and replace [dev] and [bin] with /dev/ and /bin/ on the display page... The only problem is, if a user actually put in [dev] or [bin] it would still get converted...

[corbin]

Oh, and if you dont mind me asking, can you maybe post some code so we can see whats causing the 500 error?  Cause it shouldnt react like that...

[play_]

Hi Corbin..
Although your approach is good, it could still cause problems.
Firstly, i thought it was only /dev/.... then i figured out /bin/ caused problems too. Therefore, there could be more dirs that can cause internal errors.


The error happens when i run the query to insert the data into the database..

[code]
$query = "INSERT INTO tablename (nickname, description, language, tabs, text, ip, date_submitted) VALUES ('$nickname', '$description', '$language', '$tabs', '$text', '1', NOW())";
$result = mysql_query($query);[/code]

[corbin]

Hmm just checked and everything is escaping right, so I really dont think its the insert causing the error...

[play_]

what did you type in the text field?

[printf]

It's safe mode restriction!


printf

[play_]

printf, can you give ms/us more details please?

[corbin]

I think he means that PHP is running in safe mode...

[play_]

is that good or bad? and i can/should i turn it off/on?

[corbin]

Ummm I think it has to be changed in the .ini, ive never had any reason to mess with safemode though so im not sure...

[play_]

Yea.
I wonder if it's just my server that does this

[play_]

Functions disabled by safe mode: [url=http://us3.php.net/manual/en/features.safe-mode.functions.php]http://us3.php.net/manual/en/features.safe-mode.functions.php[/url]

Says CHMOD is one of them.
But i have used chmod. therefore safemode must not be on...

[xfezz]

[quote author=play_ link=topic=120169.msg492964#msg492964 date=1167357827]
Yea.
I wonder if it's just my server that does this
[/quote]
weird my server doesnt. you sure you have everything set up correctly?

[play_]

Updating for a moment.
The problem seems to happen before i insert it into the database.
this is giving me error:

[code]
<form action="<? $_SERVER['PHP_SELF'].'?paste=pasteID' ?>" method="post">
<table border="0" cellpadding="1" cellspacing="0" class="inputs">
<tr>
<td>Nickname:</td>
<td><input type="text" name="nickname" maxlength="16" class="input_field" /></td>

<td>Description:</td>
<td><input type="text" name="description" size="40" class="input_field" /></td>
</tr>

<tr>
<td>Language:</td>
<td>
<select class="option_style" name="language">
<option value="Plain Text">Plain Text</option>
<?php
foreach($languages as $key=>$value) {
echo '<option value="'.$value.'">'.$value.'</option>';
}
?>
</select>
</td>

<td>Convert tabs?</td>
<td>
<select class="option_style" name="tabs">
<option value="no">No</option>
<?php
foreach($spaces as $key=>$value) {
echo '<option value="'.$value.'">'.$value.'</option>';
}
?>
</select>
</td>
</tr>
</table>

<textarea class="input_field" cols="90" rows="26" name="textarea" style="padding:5px;margin-bottom:5px;"></textarea><br />
<input type="submit" name="submit" value="Send" id="1" onclick="disable(1)" class="submit_button" />
</form>


<?php
// if submit was pressed
if(isset($_POST['submit'])) {
require_once('./connectionscript.php');
$nickname = (escape_data($_POST['nickname']));
$description = escape_data($_POST['description']);
$language = escape_data($_POST['language']);
$tabs = escape_data($_POST['tabs']);
$text = $_POST['textarea'];
$text = str_replace("/dev/", "[dev]", $text);
echo $text;


}
?>[/code]