JustinK101 Posted March 30, 2006

Hello, I have various forms with multiple fields. For example one field is company name. If a user provides joe's crab shack as the company name a problem arises. I store textfield values into mysql, and then pull the results in many different ways, but one way is using javascript. EXAMPLE:

[code]document.getElementById('layer2').innerHTML = '<? echo $row['company_name']; ?>';[/code]

This causes a problem with joe's crab shack. The javascript tag thinks the single quote in joe's is the closing quote of the innerHTML tag and causes a javascript error. NOT good.

What is the fix? I thought of two solutions:
1.) Strip out all single quotes (primes) out of all form fields before I store in mysql.
2.) Convert all single quotes (primes) into the html form '& prime;' before I store into mysql.

Which method is better? How do I go about doing this in forms? I would like to NOT have to manually type all the form fields in many forms and do the string replace. I.E. not do:

$first_name = do what needs to be done
$last_name = do what needs to be done
$company = do what needs to be done
ETC, ETC, ETC..

Is there a way to get all POST variables and then do the required fix (either strip, or convert)? I am thinking:

[code]foreach($_POST as $current) {
    $current = do what needs to be done
}[/code]

Also, I haven't tested, but does a problem arise if the user puts in '?' or '&' into a form field? It would seem so since these characters are special characters for the GET header string. Thanks.
redbullmarky Posted March 30, 2006

hi, for your first problem, you should be able to use 'addslashes' to escape your quotes, so: joe's will become joe\'s in your code but the slashes will disappear when you use echo $row['company_name']. try it:

[code]document.getElementById('layer2').innerHTML = '<? echo addslashes($row['company_name']); ?>';[/code]

as for your second bit - i'll use 'trim' as an example: this if you want to alter the post vals directly

[code]foreach($_POST as $key=>$current) {
    $_POST[$key] = trim($current);
}[/code]

or this if you want to deal with the post vals but don't wanna do processing directly on the $_POST array:

[code]$postvals = array();
foreach($_POST as $key=>$current) {
    $postvals[$key] = trim($current);
}[/code]

you now have $postvals which is a processed equivalent of your $_POST array, leaving $_POST alone.

hope that helps.
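Editor's note, with an added example that is not code from either poster: addslashes() only escapes the quote, backslash and NUL characters, so it fixes joe's but still lets a newline in the value terminate the JavaScript string, and still lets a value containing `</script>` close the script block, which is a stored XSS, not just a syntax error. The value here passes through three parsers in turn (the HTML parser for the script element, the JavaScript parser for the string literal, then the HTML parser again because it is assigned to innerHTML), so it needs an encoding that is safe for all three. The code below compares the addslashes() output with json_encode() using the JSON_HEX_* flags (PHP 5.3 or later assumed) and, for the innerHTML case, htmlspecialchars() first. The function names and the sample inputs are my own.

```php
<?php
// Added example (not from the thread): placing a database value inside a
// JavaScript string literal that is then assigned to innerHTML.
// Assumes PHP >= 5.3 for the JSON_HEX_* flags. Function names are my own.

// 1. The approach from the thread: addslashes() only escapes ' " \ and NUL.
function js_literal_addslashes($value)
{
    return "'" . addslashes($value) . "'";
}

// 2. Correct JS-literal encoding: json_encode() emits a valid string literal
//    (newlines become \n) and the JSON_HEX_* flags turn < > ' " & into \uXXXX
//    escapes, so the output can never contain "</script>" or a raw quote.
function js_literal_json($value)
{
    $json = json_encode($value, JSON_HEX_TAG | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_HEX_AMP);
    // json_encode() returns false on invalid UTF-8; emit an empty literal
    // rather than the word "false".
    return $json === false ? '""' : $json;
}

// 3. The literal is assigned to innerHTML, so the browser parses it as HTML a
//    second time: HTML-escape first, then JS-encode. (Assigning to textContent
//    instead of innerHTML would make the htmlspecialchars() step unnecessary.)
function js_literal_for_innerhtml($value)
{
    $html = htmlspecialchars($value, ENT_QUOTES, 'UTF-8');
    return js_literal_json($html);
}

// Constructed sample inputs: the one from the thread plus three that
// addslashes() does not handle.
$samples = array(
    "joe's crab shack",
    "line one\nline two",
    "</script><script>alert(document.cookie)</script>",
    "<img src=x onerror=alert(1)>",
);

foreach ($samples as $value) {
    echo "input:       " . str_replace("\n", '\n', $value) . "\n";
    echo "addslashes:  document.getElementById('layer2').innerHTML = " . js_literal_addslashes($value) . ";\n";
    echo "json_encode: document.getElementById('layer2').innerHTML = " . js_literal_json($value) . ";\n";
    echo "innerHTML:   document.getElementById('layer2').innerHTML = " . js_literal_for_innerhtml($value) . ";\n\n";
}
```

In the page template the call replaces the quoted echo, with no surrounding quotes because json_encode() supplies them: `document.getElementById('layer2').innerHTML = <?php echo js_literal_for_innerhtml($row['company_name']); ?>;`. None of this belongs in the INSERT path: store the company name exactly as typed and encode it for whichever context it is rendered into, since a value stripped or HTML-entity-encoded for JavaScript is then wrong for every other use (plain HTML, e-mail, CSV export). The worry about '?' and '&' only arises when a value is placed into a URL, where urlencode() or http_build_query() does that job.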
JustinK101 Posted March 30, 2006 (Author)

redbullmarky, looking at my code, I think I am going to have a problem implementing:

[code]foreach($_POST as $key=>$current) {
    $_POST[$key] = trim($current);
}[/code]

I want to do this code after the form has been submitted, but before I store the values into mysql. The problem is, I do a check if $submit_button = "Submit" then I do all my work. At that time I reference the post variables simply as $company_name instead of $_POST['company_name']. So I can't do foreach($_POST). What do you recommend? Here is my code:

[code]if ($action == "Create Referral Account") {
    // The poster's error-checking condition was not shown; $form_has_errors
    // is a placeholder for it, not part of the original post.
    if ($form_has_errors) {
        //** A WHOLE BUNCH OF ERROR CHECKING THE FORM **//
    } else {
        // Set custom industry to industry
        if ($industry == "Other" && $custom_industry != null) {
            $industry = $custom_industry;
        }

        // Strip spaces out of password
        $password = str_replace(" ", '', $password);

        // Encrypt password
        $password = encrypt($password, $key);

        // SQL work
        // NOTE: the field values are interpolated into the SQL text unescaped,
        // so a quote in any field (joe's crab shack) breaks this query, and a
        // crafted value can alter it. See the example after the thread.
        $sql = "INSERT INTO accounts (
                    title, first_name, last_name, company_name, mailing_address,
                    city, state, zip, website, email_address, phone_number,
                    fax_number, industry, username, password, date_created,
                    date_last_modified, ip_who_created, ip_who_last_modified
                ) VALUES (
                    '$title', '$first_name', '$last_name', '$company_name', '$mailing_address',
                    '$city', '$state', '$zip', '$website', '$email_address', '$phone_number',
                    '$fax_number', '$industry', '$username', '$password',
                    '" . date('Y-m-d G:i:s', time() - $time_offset) . "',
                    '" . date('Y-m-d G:i:s', time() - $time_offset) . "',
                    '$ip', '$ip'
                )";
        mysql_query($sql) || die(mysql_error());

        echo '<p align="center"><br>Thank you! Your referral account was created <b>successfully</b>! '
           . 'Click <a href="index.php"><b>here</b></a> to continue and log in to your account now!<br><br>'
           . $account_created_sucessfully_body
           . '<br><br></p>';
        echo '</td></tr></table>';
        include("includes/footer.php");
        echo '</body></html>';
        die();
    }
}[/code]
redbullmarky Posted March 30, 2006

if a value comes from $_POST, then ALWAYS refer to it as $_POST['company_name'], not $company_name. even with the submit button, which has a $_POST value of its own. same with the URL. if you're expecting something from the URL, ALWAYS use $_GET. not only does it keep things secure, but when it comes to debugging your code in the future, having $_POST and $_GET in their right places will make things easier to see where you expect variables to come from.

either way, you can still access the $_POST array in the way i mentioned, regardless of how you refer to the values afterwards.

cheers,
Mark
JustinK101 Posted March 30, 2006 (Author)

Humm, I kind of thought that was the point of using Post. Once the form is submitted, all the values are updated into variables which can be referenced by the field name. So name goes from $_POST['name'] to just $name.

Let me play around with my code and see if I can get addslashes to fix the problem though.
redbullmarky Posted March 30, 2006

[quote=JustinK101 @ Mar 30 2006, 02:24 PM]Humm, I kind of thought that was the point of using Post. Once the form is submitted, all the values are updated into variables which can be referenced by the field name. So name goes from $_POST['name'] to just $name.

Let me play around with my code and see if I can get addslashes to fix the problem though.[/quote]

they CAN be. but it's very bad practice and relies on register_globals being turned on in your php config file. and as this is generally turned off nowadays by default, and will eventually disappear altogether, you're best to use the full syntax.

on a safety note - if you don't explicitly specify where you're getting the data from (ie $_POST, $_GET, $_COOKIE, etc) then what happens if a variable is supposed to be set via posting of a form but someone sticks a URL parameter in your script? opens up all sorts of issues, not to mention potential clashes with other variables.
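Editor's note, with an added example that is not code from either poster: the INSERT in JustinK101's post and the register_globals discussion above are the same problem seen from two sides. Reading each field explicitly from $_POST against a fixed list of names replaces register_globals, and handing the values to a prepared statement instead of interpolating them into the SQL string means a quote in joe's crab shack can neither break the query nor change what it does. The example below does both in one pass: one loop over the allowlist (the "do it for every field" request from the first post), then a parameterised INSERT. It uses PDO with the sqlite driver so it runs offline; the accounts table is a cut-down version of the one in the thread, the constructed $post array stands in for a real request, and the function names are my own.

```php
<?php
// Added example (not from the thread): read form fields explicitly from $_POST,
// normalise them in one loop, and insert with a prepared statement.
// Assumes PDO with the sqlite driver (any PDO driver works the same way).
// The table, the sample request and the function names are my own.

// Allowlist of fields this form accepts. Anything else in $_POST is ignored,
// which is the explicit replacement for register_globals-style $company_name.
$fields = array('title', 'first_name', 'last_name', 'company_name', 'email_address');

function collect_fields(array $post, array $fields, $maxlen = 255)
{
    $values = array();
    foreach ($fields as $name) {
        // A missing or non-scalar field becomes ''; never assume the browser
        // sent every key, or sent it as a string (foo[]=x arrives as an array).
        $raw = (isset($post[$name]) && is_string($post[$name])) ? $post[$name] : '';
        $values[$name] = substr(trim($raw), 0, $maxlen);
    }
    return $values;
}

function insert_account(PDO $db, array $values)
{
    // Column names come from the allowlist above (our constants, never user
    // input), so building the column list by string concatenation is safe.
    $cols = array_keys($values);
    $sql  = 'INSERT INTO accounts (' . implode(', ', $cols) . ') VALUES ('
          . implode(', ', array_fill(0, count($cols), '?')) . ')';

    // The values travel separately from the SQL text: no quoting, no
    // addslashes(), no mysql_real_escape_string() needed.
    $stmt = $db->prepare($sql);
    $stmt->execute(array_values($values));
    return (int) $db->lastInsertId();
}

function fetch_company_name(PDO $db, $id)
{
    $stmt = $db->prepare('SELECT company_name FROM accounts WHERE id = ?');
    $stmt->execute(array($id));
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row ? $row['company_name'] : null;
}

// Constructed request standing in for $_POST: includes the apostrophe from the
// thread, a value with stray whitespace, and a field the form never defined.
$post = array(
    'action'        => 'Create Referral Account',
    'title'         => 'Mr',
    'first_name'    => ' Joe ',
    'last_name'     => "O'Brien",
    'company_name'  => "joe's crab shack",
    'email_address' => 'joe@example.com',
    'is_admin'      => '1',   // not in the allowlist, so it is dropped
);

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE accounts (
    id INTEGER PRIMARY KEY, title TEXT, first_name TEXT,
    last_name TEXT, company_name TEXT, email_address TEXT)');

if (isset($post['action']) && $post['action'] === 'Create Referral Account') {
    $values = collect_fields($post, $fields);
    $id     = insert_account($db, $values);
    echo "stored row $id: " . fetch_company_name($db, $id) . "\n";
}
```

Two caveats for a 2006-era setup: if magic_quotes_gpc is on (the default then), the raw $_POST values already carry backslashes and the prepared statement will faithfully store joe\'s, so either turn the setting off or stripslashes() inside collect_fields(). And the stored value is still the raw text the user typed; that is correct, because escaping belongs at each output (the JavaScript string literal above, HTML, e-mail), not in the database.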