[PHP] Quotes in GET variables

2001-05-21 Thread Mark Rogers

If I submit a string to a script via GET which contains quotes, how should
they appear in my script?

Eg:
--- test.php ---
<?php
// print the "test" query-string parameter exactly as the script receives it
echo $HTTP_GET_VARS['test'];
?>

Go to:
test.php?test=this+doesn%27t+work

.. and you get:
this doesn\'t work

(Char 27 is a single quote. Echoing $test gives the same result.)

I can use stripslashes to lose the escape char, but should this be necessary?
I'm using v4.0.4pl1

--
Mark Rogers
Lose the -news in the email address if replying direct



-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
To contact the list administrators, e-mail: [EMAIL PROTECTED]




Re: [PHP] Quotes in GET variables

2001-05-21 Thread Mark Rogers

> It's a feature of PHP that it automatically escapes data submitted in
> PUT/GET/etc.

It didn't seem to be happening with POST which is why I thought it odd, but
that probably means I didn't test properly :-)

> It's nice in that it adds to how secure PHP code is, but it can be a
> hassle.

Out of curiosity, what are the security implications? Presumably a failure
to validate input properly leading to unintended actions, but I can't think
of any examples to help me decide whether to turn this off.

Thanks for the quick response.
--
Mark Rogers




Re: [PHP] Quotes in GET variables

2001-05-21 Thread Mark Rogers

> Anyway, it's not a big thing if you're _really_ stringent about how you
> check every single variable which is used in a database query,
> system/passthru/exec, or eval command, and your checking methods are
> flawless, but otherwise it's just best to go to the trouble of hacking
> around the input explicitly.

Obviously my code is perfect, so I don't need to worry - but I'll leave it
set as default anyway :-)

One thing I do avoid is using register_globals, which removes some of the
threats suggested elsewhere in this thread. I do validate user input fairly
thoroughly, but it's always better to be safe. The reason I asked the
question was because I wasn't sure the behavior I was seeing was correct,
and didn't want to fix loads of code that I'd have to un-fix later on. Now I
know what's going on I'll go ahead with the fixes. Saves me remembering to
change PHP.INI on other machines, if nothing else.

Thanks for the help.
--
Mark Rogers

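As an added example (not code from the thread), the PHP below shows one way to get the raw parameter value whether or not magic_quotes_gpc is on, and then to escape it once at the point of use, which is what the quoted advice about checking every variable that reaches a database query comes down to. It assumes the PHP 4 style $HTTP_GET_VARS array from the original post; the helper names raw_get_var and sql_literal are mine, and the sample value is constructed to mirror the "this doesn\'t work" result seen in the post.

```php
<?php
// Added example: normalise a GET parameter so the script sees the same raw
// value regardless of the magic_quotes_gpc setting on the machine it runs on.
// Assumes $HTTP_GET_VARS (PHP 4); get_magic_quotes_gpc() and stripslashes()
// are standard PHP functions (get_magic_quotes_gpc() no longer exists in PHP 8,
// hence the function_exists() guard).

function raw_get_var($name)
{
    global $HTTP_GET_VARS;
    if (!isset($HTTP_GET_VARS[$name])) {
        return '';
    }
    $value = $HTTP_GET_VARS[$name];
    // magic_quotes_gpc adds a backslash before ' " \ and NUL on arrival;
    // undo it here so the rest of the code works with the real input and
    // the same code behaves identically on a machine where it is off.
    if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
        $value = stripslashes($value);
    }
    return $value;
}

// Escape exactly once, at the point of use, for the specific sink. Here the
// sink is a SQL string literal; real database code should use the database
// extension's own escaping function, or parameterised queries where the
// PHP version offers them, rather than addslashes().
function sql_literal($value)
{
    return "'" . addslashes($value) . "'";
}

// Constructed input: what ?test=this+doesn%27t+work arrives as with
// magic_quotes_gpc on (escaped) versus off (unescaped).
$magic_on = function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc();
$HTTP_GET_VARS = array(
    'test' => $magic_on ? "this doesn\\'t work" : "this doesn't work",
);

$test = raw_get_var('test');
echo "raw value:   ", $test, "\n";
echo "SQL literal: ", sql_literal($test), "\n";
?>
```

Because the stripping and the escaping happen in one known place each, turning magic_quotes_gpc on or off in php.ini on another machine changes neither the value the script works with nor the number of backslashes that reach the query.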