I'm Coming Back as I\'m - why?

  1. #1

    I'm Coming Back as I\'m - why?

    When I send text in a textbox to the server and retrieve into a PHP
    var, I'm comes back as I\'m - what is causing this slash and how can I
    get rid of it?

    Thanks...

    Ralph Freshour Guest

  3. #2

    Re: I'm Coming Back as I\'m - why?

    Carved in mystic runes upon the very living rock, the last words of Ralph
    Freshour of comp.lang.php make plain:
    > When I send text in a textbox to the server and retrieve into a PHP
    > var, I'm comes back as I\'m - what is causing this slash and how can I
    > get rid of it?
    You have magic_quotes_gpc turned on in your PHP config. Turn it off.

    --
    Alan Little
    Phorm PHP Form Processor
    [url]http://www.phorm.com/[/url]
    Alan Little Guest

  4. #3

    Re: I'm Coming Back as I\'m - why?

    I noticed that Message-ID: <Xns941CED51B27C4alanphormcom@216.196.97.132>
    from Alan Little contained the following:
    >> When I send text in a textbox to the server and retrieve into a PHP
    >> var, I'm comes back as I\'m - what is causing this slash and how can I
    >> get rid of it?
    >
    >You have magic_quotes_gpc turned on in your PHP config. Turn it off.
    Actually, don't.

    Use stripslashes($textbox_var)

    --
    Geoff Berrow
    It's only Usenet, no one dies.
    My opinions, not the committee's, mine.
    Simple RFDs [url]http://www.ckdog.co.uk/rfdmaker/[/url]
    Geoff Berrow Guest

  5. #4

    Re: I'm Coming Back as I\'m - why?

    Geoff Berrow wrote:
    > I noticed that Message-ID: <Xns941CED51B27C4alanphormcom@216.196.97.132>
    > from Alan Little contained the following:
    >
    >>> When I send text in a textbox to the server and retrieve into a PHP
    >>> var, I'm comes back as I\'m - what is causing this slash and how can I
    >>> get rid of it?
    >>
    >>You have magic_quotes_gpc turned on in your PHP config. Turn it off.
    >
    > Actually, don't.
    >
    > Use stripslashes($textbox_var)
    Why? Surely it's better to not convert the input data in the first place
    unless required? I've never understood the reasoning behind it defaulting
    to on.

    --
    Jim Dabell

    Jim Dabell Guest

  6. #5

    Re: I'm Coming Back as I\'m - why?

    I noticed that Message-ID: <Msmdnb4IYa7qPQqiRVn-gA@giganews.com> from
    Jim Dabell contained the following:
    >>>You have magic_quotes_gpc turned on in your PHP config. Turn it off.
    >>
    >> Actually, don't.
    >>
    >> Use stripslashes($textbox_var)
    >
    >Why? Surely it's better to not convert the input data in the first place
    >unless required? I've never understood the reasoning behind it defaulting
    >to on.
    The chap is probably a newbie. Best to play safe.

    --
    Geoff Berrow
    It's only Usenet, no one dies.
    My opinions, not the committee's, mine.
    Simple RFDs [url]http://www.ckdog.co.uk/rfdmaker/[/url]
    Geoff Berrow Guest

  7. #6

    Re: I'm Coming Back as I\'m - why?

    Geoff Berrow <blthecat@ckdog.co.uk> wrote:
    >>>>You have magic_quotes_gpc turned on in your PHP config. Turn it off.
    >>> Actually, don't.
    >>Why?
    > The chap is probably a newbie. Best to play safe.
    Please explain why you think magic_quotes_gpc would increase safety?

    --

    Daniel Tryba

    Daniel Tryba Guest

  8. #7

    Re: I'm Coming Back as I\'m - why?

    Daniel Tryba wrote:
    > Geoff Berrow <blthecat@ckdog.co.uk> wrote:
    >
    >>>>>You have magic_quotes_gpc turned on in your PHP config. Turn it off.
    >>>>
    >>>>Actually, don't.
    >>>
    >>>Why?
    >>
    >>The chap is probably a newbie. Best to play safe.
    >
    >
    > Please explain why you think magic_quotes_gpc would increase safety?
    >
    Unescaped special characters in a string can be used to send arbitrary
    code to the server. This is dangerous in many ways; if exploited
    correctly it can most definitely represent a security breach.

    For example, if I know the string is used to run a command line process
    with, say, something like:

    exec("ls $dir", $dirlist, $error );

    I can pass it a string that will do anything I want. You may think it is
    limited to a "ls" command, but just see what happens if I send it a
    string like this " joe; touch myfile; cat ~/.bash_history; rm
    ~/.bash_history"

    See, suddenly I have all sorts of control I shouldn't. Similar things
    can be done with fields going to a database, by sending it a "';" to
    end one SQL command and start sending others...

    --
    /---+----+----+----+----+----+----++----+----+----+----+----+----+---\
    I [email]pham.nuwen3d6@libertydice.org[/email] II No nation was ever ruined by I
    I [url]http://www.libertydice.org[/url] II trade, even seemingly the most I
    I remove "3d6" to e-mail II disadvantageous. - Ben Franklin I
    \---+----+----+----+----+----+----++----+----+----+----+----+----+---/

    Pham Nuwen Guest

  9. #8

    Re: I'm Coming Back as I\'m - why?

    Pham Nuwen <pham.nuwen3d6@libertydice.org> wrote:
    >>>The chap is probably a newbie. Best to play safe.
    >> Please explain why you think magic_quotes_gpc would increase safety?
    >>
    >
    > Unescaped special characters in a string can be used to send arbitrary
    > code to the server. This is dangerous in many ways; if exploited
    > correctly it can most definitely represent a security breach.
    [ls example]
    > See, suddenly I have all sorts of control I shouldn't. Similar things
    > can be done with fields going to a database, by sending it a "';" to
    > end one SQL command and start sending others...
    You prove the point of disabling magic_quotes_gpc exactly. The ls example
    shows that all kinds of characters have to be escaped (like (but probably
    not limited to) ';', '*', '/', '?').

    Another example is the use of textareas (like the OP(?)), you have to
    HTML-escape the user's input (including quotes) when displaying it again
    in a browser.

    IMHO magic_quotes_gpc lulls the user into thinking the data is safe. The
    escaping of characters is very important and what to escape is
    different for all kinds of use, but no magic_*_escape_thingy exists for
    most.

    --

    Daniel Tryba

    Daniel Tryba Guest
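
Added example (not part of the original thread): a PHP illustration of the point argued in posts #7 and #8, that the `addslashes()`-style quoting magic_quotes_gpc applied to request data does not fit the shell or HTML contexts, while each context has its own escaping. The input string is constructed from the one in post #7, an in-memory SQLite database through PDO (pdo_sqlite extension assumed) stands in for the database the thread mentions, and no command is executed.

```php
<?php
// Added example. $input is constructed, modelled on the string in post #7.
$input = "joe; touch myfile; it's <b>here</b>";

// magic_quotes_gpc ran the equivalent of addslashes() on GET/POST/cookie data.
$magic = addslashes($input);

// Shell context: backslashing quotes leaves ';' alone, so the string still
// holds command separators. escapeshellarg() makes the value one argument,
// and "--" stops ls from reading it as an option. Nothing is executed here.
$unsafeCmd = "ls $magic";
$safeCmd   = 'ls -- ' . escapeshellarg($input);

// HTML context: backslashes mean nothing to a browser, so the markup survives.
$unsafeHtml = "<p>$magic</p>";
$safeHtml   = '<p>' . htmlspecialchars($input, ENT_QUOTES, 'UTF-8') . '</p>';

// SQL context: a bound parameter never becomes part of the statement text,
// so no quoting of the value is needed and it is stored byte for byte.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE notes (body TEXT)');
$stmt = $db->prepare('INSERT INTO notes (body) VALUES (:body)');
$stmt->execute([':body' => $input]);
$stored = $db->query('SELECT body FROM notes')->fetchColumn();

// Print each form side by side for comparison.
foreach ([
    'magic-quoted value'   => $magic,
    'shell, magic quotes'  => $unsafeCmd,
    'shell, escaped'       => $safeCmd,
    'html, magic quotes'   => $unsafeHtml,
    'html, escaped'        => $safeHtml,
    'sql round trip equal' => var_export($stored === $input, true),
] as $label => $value) {
    printf("%-22s %s\n", $label, $value);
}
```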

  10. #9

    Re: I'm Coming Back as I\'m - why?

    Carved in mystic runes upon the very living rock, the last words of Pham
    Nuwen of comp.lang.php make plain:
    > Daniel Tryba wrote:
    >
    > See, suddenly I have all sorts of control I shouldn't. Similar
    > things can be done with fields going to a database, by sending it a
    > "';" to end one SQL command and start sending others...
    I've tried that with MySQL (on my own databases, of course!) and it doesn't
    work. I'm only able to send one query at a time.

    --
    Alan Little
    Phorm PHP Form Processor
    [url]http://www.phorm.com/[/url]
    Alan Little Guest
