Author Topic: God bless stripslashes!  (Read 2504 times)
the pale e
We are gathered here together....

paleemediafanatics@hotmail.com
« on: 01/30/02, 13:42 »

I was having a problem with slashes being added in from a text field while passing data from swf to a little PHP writing script!  But rejoice! Adding stripslashes to the script cleaned it up SLICKLY!  One line, and my suffering was OVER!

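<?php

// $text is posted from the SWF; PHP's automatic escaping (magic quotes) added the backslashes.
$text = stripslashes($text); //this line works some sexy magic!

$filename = $current;
$out = fopen($filename, "w+");
if ($out === false) {
    // fopen() returns false when the file cannot be opened for writing
    die("could not open file for writing");
}
fwrite($out, "text=" . $text);
fclose($out);

?>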

Thanks Jeff!  Thanks Flash DB!

Thx,
the pale e

Web visionaries UNITE!!!
Musicman
« Reply #1 on: 01/30/02, 17:10 »

A comment on the real virtues of slashes: if you use a database (e.g. MySQL) and someone adds a ' to their input, this is likely to produce invalid SQL syntax. It is also possible to create "harmful" SQL.
So PHP escapes all user-provided variables to prevent mischief. If you need data values for anything but a database, you usually want to stripslashes.

Musicman
Flash-db
« Reply #2 on: 01/30/02, 18:41 »

Hey Musicman,

I had a couple of questions regarding this area.  First of all, I used to use some regular expressions to filter the data and replace anything and everything that wasn't considered safe.  An example would be:

// ereg_replace() was removed in PHP 7; preg_replace() takes the same character class
$email = preg_replace('/[^A-Za-z0-9 @.\-]/', '', $email);

But as you can tell this gets really annoying.  And there's always some symbol that someone wants to use or uses at some point (like a ~) that I had not included.  So my question is what's the best way to filter the data and make sure that all of the characters are safe and will not cause an SQL error.  And what would be some examples of character patterns that would cause an error - I can think of some - but I'm sure you've got a better idea of what they would be.

Is there a standard reg ex, filter method, or function that is safe to use on all text entered into a database - where there is no chance that any of the characters will cause an error?

Thanks.

-Jeff.
Musicman
« Reply #3 on: 01/30/02, 19:17 »

Hi,

addslashes() is safe for database use, but you may still want to check other data fields according to rules specific to those fields. But, you are right, you will eventually find valid input that a given regex does not handle.
Especially very sophisticated ones (like some email checkers) in fact block valid input that the designer of the regex did not anticipate.
Examples for this: a domain name may well include a dash, there may be three dots like in john@johnssite.provider.com, and with .name, .museum etc. domains the TLD part is no longer restricted to 2 or 3 chars.

Musicman
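
An added example, not part of the thread and not any poster's code: the question above about one method that is safe for every character is commonly handled with bound parameters rather than escaping or character filtering, shown here beside plain string concatenation. It assumes PHP 7.1+ with the pdo_sqlite extension; the guestbook table, function names and sample rows are constructed for illustration.

```php
<?php
// Added example, not from the thread. Table, column and function names are hypothetical.
// Requires the pdo_sqlite extension; the database lives in memory only.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE guestbook (email TEXT, comment TEXT)');

// Constructed sample input: valid data that a character whitelist tends to reject.
$rows = [
    ['john@johnssite.provider.com', "It's working ~ thanks!"],
    ['anne-marie@example.museum',   'Path is C:\\flash\\data "quoted"'],
];

// 1) Concatenation: an apostrophe in the value ends the string literal early,
//    so the statement is no longer valid SQL.
function insertConcatenated(PDO $db, string $email, string $comment): bool
{
    try {
        $db->exec("INSERT INTO guestbook VALUES ('$email', '$comment')");
        return true;
    } catch (PDOException $e) {
        return false;
    }
}

// 2) Bound parameters: values travel separately from the SQL text,
//    so no escaping, stripping or filtering is needed.
function insertBound(PDO $db, string $email, string $comment): void
{
    $stmt = $db->prepare('INSERT INTO guestbook (email, comment) VALUES (?, ?)');
    $stmt->execute([$email, $comment]);
}

foreach ($rows as [$email, $comment]) {
    $ok = insertConcatenated($db, $email, $comment);
    echo 'concatenated: ', $ok ? 'stored' : 'rejected as invalid SQL', "\n";
}
$db->exec('DELETE FROM guestbook');   // start clean for the bound-parameter run

foreach ($rows as [$email, $comment]) {
    insertBound($db, $email, $comment);
}
foreach ($db->query('SELECT email, comment FROM guestbook') as $row) {
    echo $row['email'], ' | ', $row['comment'], "\n";   // stored exactly as submitted
}
```

Field-specific validation (for example, checking that an email field looks like an email) remains a separate step from making the query safe.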