...

View Full Version : How to escape the results of a comment form



elitis
02-25-2012, 03:14 AM
How would you escape characters like single ('') and double ("") quotes, back/forward slashes (/\),etc in the results of a comment form?

Inigoesdr
02-25-2012, 04:51 AM
If you are inserting in to a MySQL database you can use mysql_real_escape_string() (http://php.net/mysql_real_escape_string).

elitis
02-25-2012, 07:52 AM
If you are inserting in to a MySQL database you can use mysql_real_escape_string() (http://php.net/mysql_real_escape_string).

I have used it. It adds the forward slashes but echoes them along with the comments. Maybe what I asked isn't exactly what I meant. I want to echo the comments as normal text. I don't want the backslashes echoed as well.

elitis
02-27-2012, 11:28 PM
Issue resolved. Lol, I randomly remembered stripslashes(). Never used it before now but once I thought about my "problem", the name stripslashes just kinda made sense. :)

Fou-Lu
02-27-2012, 11:37 PM
No no, something else is wrong. You shouldn't have to stripslashes.
I would presume you have magic_quotes_gpc enabled. This directive escapes the quotes for you, but it isn't sufficient for database insertions, nor do either magic_quotes or real_escape_string familiar with each other. You need to use stripslashes BEFORE you insert:


if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc())
{
$input = stripslashes($input);
}
$input = mysql_real_escape_string($input);

For example. This only needs to be done on data provided through gpc, so anything from a user.


Aaahhh sorry I jumped to conclusions which I can't substantiate. I assumed you are executing stripslashes upon drawing the data from your query. As you can see I executed stripslashes before the insertion (which is what you should do). You don't want to execute stripslashes upon query since if I planned to insert with \\ and magic_quotes_gpc disappears (and it will, its a matter of when not if), then when you stripslash say \\computer\path, it will end up being \computer\path, which is not the intention. Stripslash before insertion, not during selection.

elitis
02-28-2012, 12:12 AM
No no, something else is wrong. You shouldn't have to stripslashes.
I would presume you have magic_quotes_gpc enabled. This directive escapes the quotes for you, but it isn't sufficient for database insertions, nor do either magic_quotes or real_escape_string familiar with each other. You need to use stripslashes BEFORE you insert:


if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc())
{
$input = stripslashes($input);
}
$input = mysql_real_escape_string($input);

For example. This only needs to be done on data provided through gpc, so anything from a user.


Aaahhh sorry I jumped to conclusions which I can't substantiate. I assumed you are executing stripslashes upon drawing the data from your query. As you can see I executed stripslashes before the insertion (which is what you should do). You don't want to execute stripslashes upon query since if I planned to insert with \\ and magic_quotes_gpc disappears (and it will, its a matter of when not if), then when you stripslash say \\computer\path, it will end up being \computer\path, which is not the intention. Stripslash before insertion, not during selection.


so, stripslashes() is meant to strip slashes before a data insertion, not after if I understand you correct.
If this is correct (and I don't doubt you are), then why does it say,"This function can be used to clean up data retrieved from a database or from an HTML form" on w3schools.com?


You don't want to execute stripslashes upon query since if I planned to insert with \\ and magic_quotes_gpc disappears (and it will, its a matter of when not if), then when you stripslash say \\computer\path, it will end up being \computer\path, which is not the intention.
This is for a comment box. Users will not be posting anything that has to do with links (and by links I assume \\computer\path could be used as one, if not then not sure of a word for this), including myself as I assume it could be a security flaw

Fou-Lu
02-28-2012, 02:18 AM
Stripslashes was designed for just this. It doesn't matter whether its used before or after when it comes to function usage.

W3schools hasn't a clue what they are doing if they suggest you stripslash retrieved data. They are not thinking ahead to the obvious issue with code that no longer has magic_quotes_gpc enabled. Stripslashes shouldn't be done if the intent isn't to strip the slashes, and with gpc disappearing very soon, querying from the database will result in unintended stripslashes.

This is just a comment box too don't forget. If the comments are for something like programming, you'll see a lot of things that shouldn't be stripslashed such as "Why does this name show as O\'Neil?".

felgall
02-28-2012, 02:36 AM
You shouldn't need to escape quotes in data being passed into a database at all - you just need to use PDO or mysqli prepare and bind statements that keep the data separate from the query so that you don't need to escape the data to avoid it being confused with the SQL in the query.

Fou-Lu
02-28-2012, 05:30 AM
You shouldn't need to escape quotes in data being passed into a database at all - you just need to use PDO or mysqli prepare and bind statements that keep the data separate from the query so that you don't need to escape the data to avoid it being confused with the SQL in the query.

Correct, and this is my recommendation if you have the option available to you. Unfortunately, PDO and MySQLi are both newer PHP technologies as well as requiring certain version's of the DB's in use.
Stipslashes will still have to happen until they get rid of GPC if its enabled. And to expand just slightly, its not that you shouldn't need to escape, its that you cannot escape as they will carry as a part of the data (which would result in the identical behaviour the OP is having right now).

elitis
02-29-2012, 01:58 AM
This is just a comment box too don't forget. If the comments are for something like programming, you'll see a lot of things that shouldn't be stripslashed such as "Why does this name show as O\'Neil?".
The comment box is for a review type website, where users will comment on reviews, news, etc so nothing like programming.
Here's the code I have. What specifically do I need to replace stripslashes with?


<?php
//Reviews start
$result = mysql_query("SELECT * FROM `reviews` ORDER BY `date` DESC LIMIT 10");
while($row = mysql_fetch_array($result))
{
if ($_GET['id'] == $row['id'])
{
$date = $row['date'];
echo stripslashes($row[title]);
echo "<br />";
echo stripslashes($row[review]);
echo "<br />";
echo date("D, F jS", $date);
echo "<h1 class='centered'>Comments</h1>";
}
else
{
echo "<div class='box3'>";
echo stripslashes($row[title]);
echo "<br />";
echo stripslashes($row[description]);
echo "<br />";
echo date("D, F jS", $date);
echo "<a class='special' href=\"/reviews?id={$row['id']}\"> Read More...</a>";
}
//Reviews end

//Comments start
$result = mysql_query("SELECT * FROM `comments` WHERE `category` = 'reviews' AND `subcategory` = '$row[id]' ORDER BY `date` DESC LIMIT 20");
while($comments = mysql_fetch_array($result))
{
if ($_GET['id'] == $row['id'])
{
echo "<br />";
echo "<div class='box'>";
if ($comments['reply_to'] > 0)
{
$get_comment = mysql_query("SELECT * FROM `comments` WHERE `id` = $comments[reply_to]");
while($r_comment = mysql_fetch_array($get_comment))
{
echo "<i>Originally posted by " .stripslashes($r_comment[username]). '</i>';
echo "<br />";
echo "<i> " .stripslashes($r_comment[comment]). '</i>';
echo "<br />";
echo "<i> " .Agotime($r_comment[date]). '</i>';
echo "<hr />";
}
}
echo stripslashes($comments[username]);
echo "<br />";
echo stripslashes($comments[comment]);
echo "<br />";
echo Agotime($comments['date']);
echo "<a class='special' href=\"/reviews?id={$row['id']}&reply={$comments['id']}\"> Reply</a>";
//Replies start
if ($_GET['reply'] == $comments['id'])
{
echo "
<form action='/reviews/' method='POST'>
<input class='field' type='text' name='name' value='Name' required='required' onFocus=\"clearText(this)\" />
<br />
<textarea class='field' name='comment' rows='2' cols='55' required='required'></textarea>
<input type='hidden' name='submitted' value='1' />
<input type='hidden' name='reply' value=\"{$comments['id']}\" />
<input class='specialbutton' type='submit' name='submit' value='Post Comment' />
</form>";
}
echo "<br />
</div>";
//Replies end
}
}
if ($_GET['id'] == $row['id'])
{
echo "
<br />
<div class='box'>
<form action='/reviews/' method='POST'>
<input class='field' type='text' name='name' value='Name' required='required' onFocus=\"clearText(this)\" />
<br />
<textarea class='field' name='comment' rows='2' cols='55' required='required'></textarea>
<input class='specialbutton' type='submit' name='submit' value='Post Comment' />
<input type='hidden' name='submitted' value='1' />
</form>
</div>";
}
//Comments end

$username = mysql_real_escape_string($_POST['name']);
$comment = mysql_real_escape_string($_POST['comment']);
$category = "reviews";
$subcategory = $row['id'];
$reply = mysql_real_escape_string($_POST['reply']);

if ($_POST['submitted'] == 1)
{
if ($username == "")
{
echo "Name is a required field";
exit();
}
if ($comment == "")
{
echo "Comment is a required field";
exit();
}

$sql="INSERT INTO `comments` (username, comment, date, category, subcategory, reply_to)
VALUES
('$username','$comment', NOW(), '$category', '$subcategory', '$reply')";

if (!mysql_query($sql))
{
die('Error: ' . mysql_error());
}
}
}
?>

felgall
02-29-2012, 02:09 AM
C And to expand just slightly, its not that you shouldn't need to escape, its that you cannot escape as they will carry as a part of the data

The purpose in escaping data when you output it is to avoid having it confused as part of something else - in this case SQL.

With the SQL in the prepare statement and the data in the bind statement there is no possibility of the one being confused for the other and so no need to escape. It is not necessary and therefore there are no escape characters.

elitis
02-29-2012, 02:18 AM
Ok, so if I wanted to use Mysqli or PDO which version would I need? I currently have Mysql 5.0.90 and PHP 5.2.13.
Nevermind...

Fou-Lu
02-29-2012, 03:42 AM
The purpose in escaping data when you output it is to avoid having it confused as part of something else - in this case SQL.

With the SQL in the prepare statement and the data in the bind statement there is no possibility of the one being confused for the other and so no need to escape. It is not necessary and therefore there are no escape characters.

You misunderstand. I was simply expanding on the wording you used; shouldn't isn't correct, it should be cannot (as in you can do it, but don't). Bound values that have been escaped will record as escaped, which will just repeat the vicious cycle as it is not needed to perform any type of escape. If you bind, do not escape (which is what I'm quite sure you were implying, but the wording was open for ambiguity).


Ok, so if I wanted to use Mysqli or PDO which version would I need? I currently have Mysql 5.0.90 and PHP 5.2.13.
Nevermind...

That version is sufficient so long as either PDO or MySQLi has been enabled. You can check the status of both in phpinfo(), or by using something like class_exists.

elitis
02-29-2012, 10:04 PM
You misunderstand. I was simply expanding on the wording you used; shouldn't isn't correct, it should be cannot (as in you can do it, but don't). Bound values that have been escaped will record as escaped, which will just repeat the vicious cycle as it is not needed to perform any type of escape. If you bind, do not escape (which is what I'm quite sure you were implying, but the wording was open for ambiguity).



That version is sufficient so long as either PDO or MySQLi has been enabled. You can check the status of both in phpinfo(), or by using something like class_exists.

Both PDO and MySQLi have been enabled.

elitis
03-01-2012, 04:23 AM
Updated code: Is this right?


<?php
//Reviews start
$result = mysql_query("SELECT * FROM `reviews` ORDER BY `date` DESC LIMIT 10");
while($row = mysql_fetch_array($result))
{
if ($_GET['id'] == $row['id'])
{
$date = $row['date'];
echo $row['title'];
echo "<br />";
echo $row['review'];
echo "<br />";
echo date("D, F jS", $date);
echo "<h1 class='centered'>Comments</h1>";
}
else
{
echo "<div class='box3'>";
echo $row['title'];
echo "<br />";
echo $row['description'];
echo "<br />";
echo date("D, F jS", $date);
echo "<a class='special' href=\"/reviews?id={$row['id']}\"> Read More...</a>";
}
//Reviews end

//Comments start
$result = mysql_query("SELECT * FROM `comments` WHERE `category` = 'reviews' AND `subcategory` = '$row[id]' ORDER BY `date` DESC LIMIT 20");
while($comments = mysql_fetch_array($result))
{
if ($_GET['id'] == $row['id'])
{
echo "<br />";
echo "<div class='box'>";
if ($comments['reply_to'] > 0)
{
$get_comment = mysql_query("SELECT * FROM `comments` WHERE `id` = $comments[reply_to]");
while($r_comment = mysql_fetch_array($get_comment))
{
echo "<i><p>Originally posted by " .$r_comment[username]. '</p></i>';
echo "<i><p> " .$r_comment[comment]. '</p></i>';
echo "<i><p> " .Agotime($r_comment[date]). '</p></i>';
echo "<hr />";
}
}
echo "<p>" .$comments[username]. '</p>';
echo "<p>" .$comments[comment]. '</p>';
echo "<p>" .Agotime($comments[date]). '</p>';
echo "<a class='special' href=\"/reviews?id={$row['id']}&reply={$comments['id']}\"> Reply</a>";
//Replies start
if ($_GET['reply'] == $comments['id'])
{
echo "
<form action='/reviews/' method='POST'>
<input class='field' type='text' name='name' value='Name' required='required' onFocus=\"clearText(this)\" />
<br />
<textarea class='field' name='comment' rows='2' cols='55' required='required'></textarea>
<input type='hidden' name='submitted' value='1' />
<input type='hidden' name='reply' value=\"{$comments['id']}\" />
<input class='specialbutton' type='submit' name='submit' value='Post Comment' />
</form>";
}
echo "<br />
</div>";
//Replies end
}
}
if ($_GET['id'] == $row['id'])
{
echo "
<br />
<div class='box'>
<form action='/reviews/' method='POST'>
<input class='field' type='text' name='name' value='Name' required='required' onFocus=\"clearText(this)\" />
<br />
<textarea class='field' name='comment' rows='2' cols='55' required='required'></textarea>
<input class='specialbutton' type='submit' name='submit' value='Post Comment' />
<input type='hidden' name='submitted' value='1' />
</form>
</div>";
}
//Comments end

$username = stripslashes(mysql_real_escape_string($_POST['name']));
$comment = stripslashes(mysql_real_escape_string($_POST['comment']));
$category = 'reviews';
$subcategory = $row['id'];
$reply = stripslashes(mysql_real_escape_string($_POST['reply']));

if ($_POST['submitted'] == 1)
{
if ($username == "")
{
echo "Name is a required field";
exit();
}
if ($comment == "")
{
echo "Comment is a required field";
exit();
}

$sql="INSERT INTO `comments` (username, comment, date, category, subcategory, reply_to)
VALUES
('$username','$comment', NOW(), '$category', '$subcategory', '$reply')";

if (!mysql_query($sql))
{
die('Error: ' . mysql_error());
}
}
}
?>

Fou-Lu
03-01-2012, 05:12 AM
No that's incorrect. You need to check if gpc is enabled first, and then escape it. Mysql_real_escape_string is last.


if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc())
{
$_POST['name'] = stripslashes($_POST['name']);
//...
}
$username = mysql_real_escape_string($_POST['name']);

elitis
03-01-2012, 09:17 PM
No that's incorrect. You need to check if gpc is enabled first, and then escape it. Mysql_real_escape_string is last.


if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc())
{
$_POST['name'] = stripslashes($_POST['name']);
//...
}
$username = mysql_real_escape_string($_POST['name']);


Updated once again. So, what exactly would be the difference between this way of using stripslashes versus what I previously had. Are there any disadvantages or security risks?

Fou-Lu
03-02-2012, 12:28 AM
Without checking gpc it will call stripslashes when addslashes was not implicitly added. Doing so compromises the integrity of the data provided.
Your way executed stripslashes on data that was escaped by the mysql_real_escape_string. If magic_quotes_gpc is not enabled that would cause the insertion of the sql to be exploitable since most of the characters would be returned to their unescaped form.

elitis
03-02-2012, 12:49 AM
Without checking gpc it will call stripslashes when addslashes was not implicitly added. Doing so compromises the integrity of the data provided.
Your way executed stripslashes on data that was escaped by the mysql_real_escape_string. If magic_quotes_gpc is not enabled that would cause the insertion of the sql to be exploitable since most of the characters would be returned to their unescaped form.

So, my way posed a security risk, and with this I believe my issue is resolved, unless there is more to do or I have more errors in the code.



EZ Archive Ads Plugin for vBulletin Copyright 2006 Computer Help Forum