[Resolved] Bottom line on stripslashes, please..

Dolemite50

I've checked the online manual but am still very confused about stripslashes and mysql. After refering to numerous posts here my code is now chuck full of addslashes, stripslashes, urlencode, urldecode, string replaces, magic quotes this and rawurlencode that. I need help. Every time I change something it messes up something else. The data shows one way in mySQL and different when echoed.

Can somebody please give me a bottom line on the best strategy to use? Basically all I am trying to accomplish is to have people be able to build a profile page with a picture. The picture will not be stored in mysql but thier profiles will.
I want to allow spaces and apostrophes in thier info.

I'm not asking for an entire script here, just some sound advice on the best approach to take regarding stripslashes and the such.

Thanks alot.

laserlight

Here are 3 functions that I use from time to time:

//for storage to database
function prepIn($input) {
	$input = trim($input);
	if (!get_magic_quotes_gpc()) {
		return addslashes($input);
	}
	return $input;
}

//for o/p to html page, textbox or textarea
function prepOut($output) {
	$output = stripslashes($output);
	return htmlspecialchars($output);
}

//for multi-line o/p to html page
function prepOutNl($output) {
	$output = stripslashes($output);
	$output = htmlspecialchars($output);
	return nl2br($output);
}

Note that uses stripslashes() for output from database probably is unnecessary.

Dolemite50

Hi,
Thanks alot laser. So would you say this is a good catch all to just go over my entire site and change the input and output to use these functions? Is there any other sort of "golden rule" I should know?

Thanks again.

Dolemite50

Hey,
That works great laser, thanks alot.

I have a question, though. Can anybody tell me how I would apply those functions to alot of variables? I am currently getting my variables like this:

$location = "{$POST['location']}";
$website = "{$POST['website']}";
$msngr = "{$_POST['msngr']}"

..etc

What is the most effecient way to send all of the variables through the function? Could I do it all in one step?

Thanks for any feedback.

xblue

is that what you are looking for?

if (get_magic_quotes_gpc()) {
    $_POST = array_map ("stripslashes", $_POST);
}

if (!get_magic_quotes_gpc()) {
    $_POST = array_map ("addslashes", $_POST);
}

laserlight

I think that it may be safer to manually list the variables in question, and so possibly avoid (an unlikely) malicious injection of values.

On the other hand, applying something like what xblue suggested and then explicitly using the variables in your script should be just as safe.

Conversely, you could try something along the lines of:

function prepAll() {
	$num = func_num_args();
	if ($num > 1) {
		$variables = func_get_arg(0);
		if (is_array($variables) && count($variables) == $num) {
			$fn = $variables[0];
			if (function_exists($fn)) {
				for ($i = 1; $i < $num; $i++) {
					global ${$variables[$i]};
					${$variables[$i]} = $fn(func_get_arg($i));
				}
				return true;
			} else {
				return false;
			}
		} else {
			return false;
		}
	} else {
		return false;
	}
}

$variables = array('prepIn', 'location', 'website', 'msngr');
prepAll($variables, $_POST['location'], $_POST['website'], $_POST['msngr']);

But then there's an inefficiency in using the functions in this way.

Dolemite50

Thanks again. 🙂

Laser, on the above code, what does the 'prepIn' mean?

$variables = array('prepIn', 'location', 'website', 'msngr');

Dolemite50

Oh man, if I could send this one over to the newbie board I would.
I'm screwing this all up. Can you please show me how to accomplish what I'm trying here? I dont think I know how to use the function properly.
Dont laugh:

                                       $bandName = $row['bandName'];
									$location = $row['location'];
									$website = $row['website'];
									function prepOut2($bandName) { 
   									 $bandName = stripslashes($bandName); 
   									 return htmlspecialchars($bandName); 
									}		
									function prepOut2($location) { 
   									 $stitle = stripslashes($location); 
   									 return htmlspecialchars($location); 
									}		
									function prepOut2($website) { 
   									 $stitle = stripslashes($website); 
   									 return htmlspecialchars($website); 
									}

that gave me an error that I was declaring prepout2 twice.

Help please!

Weedpacket

Once you've declared a function (and you only declare it once), you can use it over and over again; the idea is to cut down on the amount of duplicated code in your programs.

function prepOut2($text_to_prep) { 
    $text_to_prep = stripslashes($text_to_prep); 
    return htmlspecialchars($text_to_prep); 
}        


$bandName = prepOut2($row['bandName']);
$location = prepOut2($row['location']);
$website = prepOut2($row['website']);

Dolemite50

Thanks alot.

Just to avoid another headache I think I better just ask this before I make another ton of changes.

Is it OK to send the variable through the function straight from the POST?

Like this..?

function prepOut2($text_to_prep) {

$text_to_prep = stripslashes($text_to_prep);

return htmlspecialchars($text_to_prep);

}

$bandName = prepOut2({$_POST['bandName']};

Do I need to use quotes in that anywhere?

I'm sorry to run this into the ground but every time I change something it involves several pages, so I just want to be sure..

Thanks again.

Weedpacket

$bandName = prepOut2({$POST['bandName']};

$bandName = prepOut2($_POST['bandName']);

I'm sorry to run this into the ground but every time I change something it involves several pages, so I just want to be sure..

It helps to write small (like 3-4 lines) scripts that just test out ideas before using them in your actual program. I do it all the time whenever I need to refresh my understanding. Here's one I've got lying around right now from another problem (in it's entirety):

<?php

function cus($r)
{
	if(!isset($r))
		return "Isn't set!";
	else
		return "Set";
}

echo cus(null);
?>

I wanted to check if a variable with a null value counted as being "set" or not.

laserlight

Laser, on the above code, what does the 'prepIn' mean?

hmm... I think I went a bit too far for you, without explaining.

'prepIn' is the name of the function, i.e. prepIn() that you wish to use with this particular set of variables.
prepAll() uses it as a variable function, and should call the correct function if it exists.

Dolemite50

Thanks so much again,

I am just plain getting frustrated here. For some reason I am still having trouble. Here is my code right now.

function prepIn($input) { 
						 $input = trim($input); 
    					if (!get_magic_quotes_gpc()) { 
       					 return addslashes($input); 
   						 } 
  						  return $input; 
		}				

$bandName = prepIn($_POST['bandName']);

$sql = "UPDATE band_page SET bandName='$bandName', location='$location' WHERE bandid = '$userid'";
											$result = mysql_query($sql, $conn) or die(mysql_error());

If I enter a band name like Tom's Band, and then go into phpmyadmin it displays it as Tom's band. Then on another page I have this code:

function prepOut($input) {
 $input = stripslashes($input);
return htmlspecialchars($input); 
  $getbname = "SELECT bandName, bandid from $table  WHERE bandid = '$userid'";
									$result1 = mysql_query($getbname, $conn) or die(mysql_error());
									$row2 = mysql_fetch_assoc($result1);		
									$bandName = prepOut($row2['bandName']);
						}
{

at this point if i end that with exit($bandName) , it says Tom's Band.

but right after it I have this code:

$sql = "INSERT INTO $table2 SET stitle='$stitle', bandName='$bandName', bandid = '$userid'

and am getting a fatal mysql error that says check for the syntax to use near " 's Band bandid = '5' ?
Does this mean that its going into the DB wrong? Should it be in the db with slashes at this point? Does that mean that magic quotes is on?

Sorry guys,..sooooo confused.
😕 😕

Dolemite50

Hi,
Can anybody please give me an idea of how to troubleshoot this? I've come to far to turn back now! By using the above functions should the band name be in the database with slashes? It isnt. Does that mean that magic quotes is turned on?

Im sorry but I cant even believe how much trouble a simple apostrophe is giving me. Ive invested about 50 hours trying to resolve it and it has now become my Achilles Heel. Any help would be much appreciated.

Dolemite50

Hi,

Just wanted to let you know I resolved it. For some reason if I used the prepIn($bandName) it wouldn't work but if I used addslashes it did. Oh well, whatever works. 🙂

Thanks alot for all the help on this one.