Evil String Error In Forms



#1 JustinK101


Posted 30 March 2006 - 11:56 AM

Hello,

I have various forms with multiple fields. For example one field is company name. If a user provides joe's crab shack as the company name a problem arises.

I store textfield values into mysql, and then pull the results in many different ways, but one way is using javascript. EXAMPLE:

document.getElementById('layer2').innerHTML = '<? echo $row['company_name']; ?>';

This causes a problem with joe's crab shack. The javascript tag thinks the single quote in joe's is the closing quote of the innerHTML tag and causes a javascript error. NOT good.

What is the fix? I thought of two solutions:

1.) Strip all single quotes (primes) out of all form fields before I store in mysql.
2.) Convert all single quotes (primes) into the html form '&prime;' before I store into mysql.

Which method is better? How do I go about doing this in forms? I would like to NOT have to manually type all the form fields in many forms and do the string replace. I.E. not do:

$first_name = do what needs to be done
$last_name = do what needs to be done
$company = do what needs to be done
ETC, ETC, ETC..

Is there a way to get all POST variables and then do the required fix (either strip, or convert)?

I am thinking:

foreach($_POST as $current)
{
   $current = do what needs to be done
}

Also, I haven't tested, but does a problem arise if the user puts in '?' or '&' into a form field? It would seem so since these characters are special characters for the GET header string. Thanks.

#2 redbullmarky


Posted 30 March 2006 - 12:16 PM

hi

for your first problem, you should be able to use 'addslashes' to escape your quotes, so: joe's will become joe\'s in your code but the slashes will disappear when you use 'echo $row['company_name']'. try it:

document.getElementById('layer2').innerHTML = '<? echo addslashes($row['company_name']); ?>';


as for your second bit - i'll use 'trim' as an example:

this if you want to alter the post vals directly
foreach($_POST as $key=>$current)
{
   $_POST[$key] = trim($current);
}

or this if you want to deal with the post vals but don't wanna do processing directly on the $_POST array:

$postvals = array();

foreach($_POST as $key=>$current)
{
   $postvals[$key] = trim($current);
}
you now have $postvals which is a processed equivalent of your $_POST array, leaving $_POST alone.

hope that helps.
"you have to keep pissing in the wind to learn how to keep your shoes dry..."

I say old chap, that is rather amusing!
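The addslashes() suggestion above takes care of the apostrophe in "joe's crab shack", but it is not a JavaScript encoder: a line break in the stored value leaves an unterminated string literal, and a value containing </script> ends the script block no matter how it is quoted, so a company name typed into the form by an attacker runs as script in every visitor's browser. The following is an added example, not code from the thread, showing the same innerHTML line built with json_encode() and htmlspecialchars(); the sample company names are constructed for the demonstration.

```php
<?php
// Added example (not from the thread): encoding a value for the JavaScript
// string context used in post #1. Sample company names are constructed.
declare(strict_types=1);

// Turn a PHP string into a JavaScript string literal that is safe inside an
// inline <script> block. json_encode() escapes quotes, backslashes and line
// breaks; the HEX flags turn < > & ' " into \uXXXX escapes, so the value can
// never contain a literal </script> or break out of surrounding markup.
function js_literal(string $value): string
{
    return json_encode(
        $value,
        JSON_HEX_TAG | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_HEX_AMP | JSON_THROW_ON_ERROR
    );
}

// HTML-encode text destined for innerHTML so it is displayed, not parsed.
function html_text(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// The assignment from post #1, with both encodings applied in the right order:
// HTML-encode for the innerHTML sink, then JS-encode for the string literal.
function inner_html_assignment(string $company): string
{
    return "document.getElementById('layer2').innerHTML = "
        . js_literal(html_text($company)) . ';';
}

// The thread's addslashes() version, kept for comparison.
function addslashes_assignment(string $company): string
{
    return "document.getElementById('layer2').innerHTML = '"
        . addslashes($company) . "';";
}

$samples = [
    "joe's crab shack",                                   // the case from post #1
    "Acme\nWidgets",                                      // newline: unterminated string with addslashes
    '</script><script>alert(document.cookie)</script>',   // stored company name chosen by an attacker
];

foreach ($samples as $company) {
    echo 'addslashes: ' . addslashes_assignment($company) . PHP_EOL;
    echo 'encoded:    ' . inner_html_assignment($company) . PHP_EOL . PHP_EOL;
}
```

If the element only needs plain text, assign to textContent instead of innerHTML and skip html_text(); js_literal() alone is then sufficient. On the question about '?' and '&': PHP has already decoded the request body by the time $_POST is populated, so those characters arrive unchanged and need no handling on input. Stripping or converting quotes before storage (options 1 and 2 in the first post) loses the real value and still leaves every other output context unprotected; the escaping belongs at output, chosen for the context the value lands in.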

#3 JustinK101


Posted 30 March 2006 - 12:49 PM

redbullmarky,

Looking at my code, I think I am going to have a problem implementing:

foreach($_POST as $key=>$current)
{
   $_POST[$key] = trim($current);
}

I want to do this code after the form has been submitted, but before I store the values into mysql. The problem is, I do a check if $submit_button = "Submit" then I do all my work. At that point I reference the post variables simply as $company_name instead of $_POST['company_name']. So I can't do foreach($_POST). What do you recommend? Here is my code:

if($action == "Create Referral Account")
        {
            if()
                        //** A WHOLE BUNCH OF ERROR CHECKING THE FORM **//
            else
            {
                //Set custom industry to industry
                if($industry == "Other" && $custom_industry != null)
                {
                    $industry = $custom_industry;
                }
                
                //Strip spaces out of password
                $password = str_replace(" ", '', $password);
                
                //Encrypt password
                $password = encrypt($password, $key);
                
                //SQL work
                $sql = "INSERT INTO accounts
                (
                    title, first_name, last_name, company_name, mailing_address, city, state, zip, website, email_address, phone_number, fax_number,
                    industry, username, password, date_created, date_last_modified, ip_who_created, ip_who_last_modified 
                )     
                VALUES 
                (
                
                    '$title', '$first_name', '$last_name', '$company_name', '$mailing_address', '$city', '$state', '$zip', '$website', '$email_address', '$phone_number', '$fax_number',
                    '$industry', '$username', '$password', '" . date('Y-m-d G:i:s', time() - $time_offset) . "', '" . date('Y-m-d G:i:s', time() - $time_offset) . "', '$ip', '$ip'
                )";
                mysql_query($sql) || die(mysql_error());
                
                echo '<p align="center"><br>Thank you! Your referral account was created <b>successfully</b>! Click <a href="index.php"> <b>here</a></b> to continue and log in to your account now!<br><br>' . $account_created_sucessfully_body . '<br><br></p>';
                echo '</td></tr></table>';
                include ("includes/footer.php");
                echo '</body></html>';
                die();
            }
        }


#4 redbullmarky


Posted 30 March 2006 - 01:10 PM

if a value comes from $_POST, then ALWAYS refer to it as $_POST['company_name'], not $company_name. even with the submit button, which has a $_POST value of its own. same with the URL. if you're expecting something from the URL, ALWAYS use $_GET. not only does it keep things secure, but when it comes to debugging your code in the future, having $_POST and $_GET in their right places will make things easier to see where you expect variables to come from.

either way, you can still access the $_POST array in the way i mentioned, regardless of how you refer to the values afterwards.

cheers
Mark

#5 JustinK101


Posted 30 March 2006 - 01:24 PM

Humm, I kind of thought that was the point of using Post. Once the form is submitted, all the values are updated into a variables which can be referenced by the field name.

So name goes from $_POST['name'] to just $name.

Let me play around with my code and see if I can get addslashes to fix the problem though.

#6 redbullmarky


Posted 30 March 2006 - 01:37 PM

QUOTE(JustinK101 @ Mar 30 2006, 02:24 PM):
> Humm, I kind of thought that was the point of using Post. Once the form is submitted, all the values are updated into a variables which can be referenced by the field name.
>
> So name goes from $_POST['name'] to just $name.
>
> Let me play around with my code and see if I can get addslashes to fix the problem though.

they CAN be. but it's very bad practice and relies on register_globals being turned on in your php config file. and as this is generally turned off nowadays by default, and will eventually disappear altogether, you're best to use the full syntax.

on a safety note - if you don't explicitly specify where you're getting the data from (ie $_POST, $_GET, $_COOKIE, etc) then what happens if a variable is supposed to be set via posting of a form but someone sticks a URL parameter in your script? opens up all sorts of issues, not to mention potential clashes with other variables.
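The INSERT posted in #3 has the same problem as the JavaScript in #1, only in SQL: the apostrophe in "joe's crab shack" terminates the quoted '$company_name' and whatever follows is parsed as part of the statement, which is a syntax error at best and an attacker-controlled query at worst. Below is an added example, not the poster's code, that reworks that INSERT along the lines of posts #4 and #6: every field is read explicitly from $_POST through a fixed list of allowed names (so nothing depends on register_globals and a stray URL parameter cannot become a variable), and the values reach the database as bound parameters. An in-memory SQLite database via PDO stands in for MySQL so the script runs offline, the form submission is constructed, and password_hash() is assumed in place of the post's custom encrypt($password, $key).

```php
<?php
// Added example (not the original poster's code). Reads form fields
// explicitly from $_POST and inserts them with bound parameters.
// SQLite in memory stands in for MySQL; the submission below is constructed.
declare(strict_types=1);

$_POST = [
    'action'        => 'Create Referral Account',
    'first_name'    => '  Joe ',
    'last_name'     => 'Smith',
    'company_name'  => "joe's crab shack",
    'email_address' => 'joe@example.com',
    'username'      => 'joe',
    'password'      => 'correct horse battery',
    'is_admin'      => '1',   // not a form field: must never reach the query
];

// Columns the form may fill. Any other POST key is ignored, so a client cannot
// smuggle in extra columns, and no value is ever taken from a bare $name.
const ACCOUNT_FIELDS = ['first_name', 'last_name', 'company_name', 'email_address', 'username'];

function collect_account_fields(array $post): array
{
    $row = [];
    foreach (ACCOUNT_FIELDS as $field) {
        $row[$field] = trim((string)($post[$field] ?? ''));   // the thread's trim loop, per field
    }
    return $row;
}

function create_account(PDO $db, array $post): int
{
    $row = collect_account_fields($post);
    // Assumption: password_hash() stands in for the post's custom encrypt($password, $key).
    $row['password']     = password_hash((string)($post['password'] ?? ''), PASSWORD_DEFAULT);
    $row['date_created'] = date('Y-m-d H:i:s');

    // Column names come from ACCOUNT_FIELDS and the two fixed keys above, never
    // from the client. Values travel as bound parameters, separate from the SQL
    // text, so "joe's crab shack" can neither break nor rewrite the statement.
    $columns = array_keys($row);
    $sql = 'INSERT INTO accounts (' . implode(', ', $columns) . ')'
         . ' VALUES (:' . implode(', :', $columns) . ')';
    $stmt = $db->prepare($sql);
    $stmt->execute($row);
    return (int)$db->lastInsertId();
}

function count_accounts(PDO $db): int
{
    return (int)$db->query('SELECT COUNT(*) FROM accounts')->fetchColumn();
}

$db = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$db->exec('CREATE TABLE accounts (id INTEGER PRIMARY KEY AUTOINCREMENT, first_name TEXT,
    last_name TEXT, company_name TEXT, email_address TEXT, username TEXT, password TEXT, date_created TEXT)');

if (($_POST['action'] ?? '') === 'Create Referral Account') {
    $id = create_account($db, $_POST);
    $stmt = $db->prepare('SELECT first_name, company_name FROM accounts WHERE id = ?');
    $stmt->execute([$id]);
    print_r($stmt->fetch(PDO::FETCH_ASSOC));   // first_name => Joe, company_name => joe's crab shack
}

// Why interpolation is not an option: a crafted company name closes the quoted
// value and appends a second row of the attacker's choosing to the same INSERT.
$crafted = "x'), ('row added by attacker";
$db->exec("INSERT INTO accounts (company_name) VALUES ('$crafted')");
echo 'rows after interpolated INSERT: ' . count_accounts($db) . PHP_EOL;    // 3, from one statement

$db->prepare('INSERT INTO accounts (company_name) VALUES (?)')->execute([$crafted]);
echo 'rows after bound-parameter INSERT: ' . count_accounts($db) . PHP_EOL;  // 4, the string stored as-is
```

The same allow-list-plus-trim loop replaces the foreach over $_POST from post #2 without touching $_POST itself, and the field names stay visible in one place, which is the debugging benefit post #4 describes. Against MySQL, swap the DSN for 'mysql:host=...;dbname=...' and keep PDO::ATTR_EMULATE_PREPARES off so the server, not the client library, does the binding.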



