This is a discussion on Quotes and the invisible string within the alt.comp.lang.php forums, part of the PHP Programming Forums category.
This is probably very basic, but my searches and attempts so far have brought me nowhere. This is the situation: I have a form with a city field which is submitted for validation before data are entered into a db. When errors are found, the user sees the form again with all posted values again in their respective fields. This all works pretty fine ... except when I have an entry which starts with a single quote ('). As soon as such an entry is posted, it will never turn up in the form again after validation.

I found out (at least that is what people are making me believe ;) ) that this has something to do with magic_quotes being on in the php.ini. I have tried all kinds of combinations of stripslashes and addslashes, have used get_magic_quotes_gpc(); to turn it off, even set it to off in my configuration ... nothing helps: the value will not show up the second time the form is displayed.

This is what I have:

THE FORM PART

    <input name='city' type='text' value='".$_POST['city']."' class='big' />

THE VALIDATION

    if(!isValid("name", $_POST['city'])){
        $errorFlag = false;
        $errors['errors'] = true;
        $errors['city_err'] = true;
    }

THE PART OF THE ISVALID function used

    function isValid($type, $string){
        $string = trim($string);
        switch ($type){
            //...
            case "name":
                return ereg(VALID_NAME,$string);
                break;
            //...
            default:
                echo "No valid type specified for check";
                break;
        }
    }

THE REGEXP (which would now return a false for any city with a ', but that's beside the point I think)

    define("VALID_NAME","^([A-Z]{1})([a-zA-Z\s \-]+)([a-z])$");

I'm really running out of options here, so if anyone could shed a light on this ..

Thanks,
John
On 29 Mar, 20:48, "Laiverd.COM" <share_your_knowle...@someserver.nl> wrote:
> This is probably very basic, but my searches and attempts so far have brought me
> nowhere. This is the situation: I have a form with a city field which is
> submitted for validation before data are entered into a db. When errors are
> found, the user sees the form again with all posted values again in their
> respective fields. This all works pretty fine ... except when I have an
> entry which starts with a single quote ('). As soon as such an entry is
> posted, it will never turn up in the form again after validation.
<snip>

If when you post the form it posts back to the same script which displays again then

    <input name='city' type='text' value='".$_POST['city']."' class='big' />

will _always_ result in showing whatever has been posted in the city input despite the validation - unless there is more to your code than you have shown us (unless the $_POST['city'] is set to '' if it is not valid).

It also seems odd that the $errorFlag is set to false if there /is/ an error.

You seem to suggest that it is the only field that is validated in this way. How is it alone submitted for validation before the data is submitted? XHR? Is it submitted along with the rest of the form, and yet the only one that is validated?

If you want to post more, do so, it's the only way you will get the definitive answers you want. As it stands it's really only speculation you have got, which is why people are talking about such things as magic quotes and so on....
shimmyshack wrote:
> On 29 Mar, 20:48, "Laiverd.COM" <share_your_knowle...@someserver.nl>
> wrote:
>> have used get_magic_quotes_gpc(); to turn it off,

You can't turn off magic quotes - you can try setting it false but if it has been set anywhere, it stays set - this is a big part of why most people hate it.

>> This is what I have
>> THE FORM PART
>> <input name='city' type='text' value='".$_POST['city']."' class='big' />
<snip>

So if $_POST['city'] contains Brig O' Doon (and magic quotes is off) then that line will read

    <input name='city' type='text' value='Brig O' Doon' class='big' />

a safer bet would be:

    <input name='city' type='text' value='".htmlentities($_POST['city'])."' class='big' />

As to what happens with magic quotes - I don't know. Try viewing the source code of your page and checking the traffic with tamperdata or ieHTTPHeaders.

The regexp looks OK but a more elegant solution than disallowing certain characters is to accommodate them safely.

You might want to look at the OWASP toolkit too.

HTH
C.
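As an added example (this is not code from Colin's post or from anyone else in the thread), the PHP script below renders John's single-quoted input tag three ways and shows what a browser's tokenizer actually keeps as the value: raw, htmlentities() with its pre-8.1 default of ENT_COMPAT, and htmlentities() with ENT_QUOTES. The second input is a constructed attribute-injection string; it is there to show that the same defect that loses "Brig O' Doon" also lets a submitted value add attributes to the tag, which is why the escaping matters beyond the vanishing city. The function names and the browserSeesValue() approximation of browser tokenizing are this example's own.

```php
<?php
// Added example (not code from any post in this thread): render John's input
// tag three ways for two constructed inputs and show what a browser's tokenizer
// keeps as the value. Flags are passed explicitly because PHP 8.1 changed the
// htmlentities() default from ENT_COMPAT to ENT_QUOTES; with ENT_COMPAT spelled
// out the output is the same on PHP 5.x through 8.x (the type declarations
// need PHP 7.1+).

function renderCityInput(string $city, string $mode): string
{
    switch ($mode) {
        case 'raw':           // what the original post does
            $safe = $city;
            break;
        case 'ent_compat':    // htmlentities($city) on PHP < 8.1: leaves ' alone
            $safe = htmlentities($city, ENT_COMPAT, 'UTF-8');
            break;
        case 'ent_quotes':    // "the last optional argument": ' becomes &#039;
            $safe = htmlentities($city, ENT_QUOTES, 'UTF-8');
            break;
        default:
            throw new InvalidArgumentException("unknown mode: $mode");
    }
    // the attribute is single-quoted, exactly as in the original form
    return "<input name='city' type='text' value='" . $safe . "' class='big' />";
}

// A browser reads a single-quoted attribute value up to the next ', then
// decodes entities. Returns null if no value='...' attribute can be found.
function browserSeesValue(string $html): ?string
{
    if (!preg_match("/value='([^']*)'/", $html, $m)) {
        return null;
    }
    return html_entity_decode($m[1], ENT_QUOTES, 'UTF-8');
}

// Constructed inputs: Colin's example city, and an attribute-injection string
// that turns the same defect into a script-execution problem.
$inputs = [
    "Brig O' Doon",
    "' autofocus onfocus='alert(1)",
];

foreach ($inputs as $city) {
    echo "submitted: $city", PHP_EOL;
    foreach (['raw', 'ent_compat', 'ent_quotes'] as $mode) {
        $html = renderCityInput($city, $mode);
        $seen = browserSeesValue($html);
        $ok   = ($seen === $city) ? 'round-trips' : 'LOST';
        echo "  ", str_pad($mode, 11), " $ok  $html", PHP_EOL;
    }
}
```

Only the ENT_QUOTES row round-trips for both inputs: with the raw and ENT_COMPAT renderings the browser sees "Brig O" for the first input and an empty value plus two injected attributes for the second. htmlspecialchars($city, ENT_QUOTES, 'UTF-8') gives the same result for attribute context without entity-encoding every non-ASCII character, and is the usual choice.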
On 29 Mar, 22:59, Colin McKinnon <colin.thisisnotmysurn...@ntlworld.deletemeunlessURaBot.com> wrote:
> shimmyshack wrote:
>> On 29 Mar, 20:48, "Laiverd.COM" <share_your_knowle...@someserver.nl>
>> wrote:
>>> have used get_magic_quotes_gpc(); to turn it off,
>
> You can't turn off magic quotes - you can try setting it false but if it has
> been set anywhere, it stays set - this is a big part of why most people
> hate it.
<snip>
> So if $_POST['city'] contains Brig O' Doon (and magic quotes is off) then
> that line will read
> <input name='city' type='text' value='Brig O' Doon' class='big' />
> a safer bet would be:
>
> <input name='city' type='text' value='".htmlentities($_POST['city'])."'
> class='big' />
<snip>

Well done Colin, I didn't spot that, I looked but was fooled by the " around the $_POST['city'] - that of course is it, simple as that. [provided he does indeed get nothing only when the city is prepended by an apostrophe] I couldn't be bothered to open with "be more secure" because I hadn't seen the rest of his code. I wouldn't be at all surprised if there's no filtering before the db, or any of the other fields. After a while you just get tired of beating the security drum - it makes you look like a one trick pony!
Thanks for the input guys. There's more fields to check, but didn't want to bother you with all of them as the problem occurs in any field whenever a single quote is part of the string. For now I merely have a problem getting data back into the field after validation as soon as a quote is part of the data.

I'm talking merely validation here and not (yet) about filtering before entering the data into a db. I am aware of security issues here (as far as I can be, being only a beginner in PHP), but would welcome any tips in this area (got a 300 page book here on the matter but haven't found time yet to dive into it). I can imagine you guys getting tired at times of beating the security drum; know that I am aware, and will do the best I can ;) In the meantime ... just keep breathing ;)

Thanks for your input.

Cheers,
John

"shimmyshack" <matt.farey@gmail.com> wrote in message news:1175207250.550677.271870@r56g2000hsd.googlegroups.com...
<snip>
On 30 Mar, 12:37, "Laiverd.COM" <share_your_knowle...@someserver.nl> wrote:
> Thanks for the input guys. There's more fields to check, but didn't want to
> bother you with all of them as the problem occurs in any field whenever a
> single quote is part of the string. For now I merely have a problem getting
> data back into the field after validation as soon as a quote is part of the
> data.
<snip>

The easiest way to persist data (so it's there when the user goes back to the form, or navigates to another similar form where they might be asked to input a subset of the same info) is to use a session. Once the validation has worked out you set a session variable.

You might even get the function to write the input for you, and use a loop, anyway. Stop using single quotes (although valid markup) for your inputs, and stop using double quotes - which make php work harder than it has to (unless you are writing this kind of thing "hello, I live in $city") and things will work just fine.

The reason you have probably not hit the eureka moment is because your single quotes are untouched by htmlentities, unless you read the manual and include the last optional argument.

So, because I feel sorry that you have suffered so long with this, here is a simple script to show you how it fits together. The moral is though: read the manual for the functions people are telling you to use.

    <?php
    function returnSessionValue( $strSessionVarName )
    {
        return ( isset( $_SESSION[$strSessionVarName] ) && $_SESSION[$strSessionVarName] !== '' )
            ? htmlentities( $_SESSION[$strSessionVarName], ENT_QUOTES )
            : '';
    }

    //this goes before any output gets sent to browser (cos it's a header)
    session_start();

    //set city to some annoying place - sorry inhabitants of said city
    $_SESSION['city'] = "Q'uote'City";

    //set the form to empty string to start
    $htmlForm = '';

    //the markup (using single quotes and double quotes in the reverse order to you)
    $htmlForm .= '<form method="post">';
    $htmlForm .= '<input type="text" name="city" value="' . returnSessionValue( 'city' ) . '" />';
    $htmlForm .= '<input type="submit" value="submit"/>';
    $htmlForm .= '</form>';

    //output form to browser
    echo $htmlForm;

    //only display value of post if there is one, else some nothingy string
    echo '<hr>city: ', (( isset($_POST['city']) && $_POST['city'] != '' )
        ? htmlentities($_POST['city'], ENT_QUOTES)
        : 'form data not posted yet');
    ?>
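Pulling the advice in this thread together, here is an added example (not shimmyshack's script above and not John's code) of the validate-then-redisplay flow done safely end to end, on PHP 7.1 or later: magic quotes undone once at the edge if the old option is on, validation with preg_match() (ereg() is gone in PHP 7) using a pattern that accommodates the apostrophe rather than rejecting it, as Colin suggested, redisplay with htmlspecialchars(..., ENT_QUOTES) inside double-quoted attributes, and storage through a PDO prepared statement so the quote never reaches SQL as syntax. The cities table, the in-memory SQLite database, the function names and the three submitted values are all constructed for this demo.

```php
<?php
// Added example, not code from the thread. The whole path for one field:
// normalise input, validate, either store or redisplay, with the quote kept
// as data at every step. Table, column names, SQLite and the sample POSTs
// are assumptions made for the demo.

// Same shape as the original VALID_NAME but with ' allowed in the middle.
const VALID_NAME = '/^[A-Z][a-zA-Z\s\'\-]*[a-z]$/';

// Undo magic_quotes_gpc exactly once, before anything else touches the data.
// get_magic_quotes_gpc() is deprecated in 7.4 and removed in 8.0, so this is
// a no-op on any PHP where the option cannot be on.
function undoMagicQuotes(array $input): array
{
    if (!function_exists('get_magic_quotes_gpc') || !@get_magic_quotes_gpc()) {
        return $input;
    }
    $clean = [];
    foreach ($input as $key => $value) {
        $clean[$key] = is_array($value) ? undoMagicQuotes($value) : stripslashes($value);
    }
    return $clean;
}

function isValidName(string $value): bool
{
    return preg_match(VALID_NAME, trim($value)) === 1;
}

// ENT_QUOTES escapes both ' and ", so the value is safe in either attribute style.
function h(string $text): string
{
    return htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
}

function renderForm(array $values, array $errors): string
{
    $html = '<form method="post">';
    if (!empty($errors['city'])) {
        $html .= '<p class="error">' . h($errors['city']) . '</p>';
    }
    $html .= '<input name="city" type="text" value="' . h($values['city'] ?? '') . '" class="big" />';
    $html .= '<input type="submit" value="submit" />';
    $html .= '</form>';
    return $html;
}

// The placeholder keeps "Brig O' Doon" as data; no addslashes() needed or wanted.
function storeCity(PDO $db, string $city): int
{
    $stmt = $db->prepare('INSERT INTO cities (name) VALUES (:name)');
    $stmt->execute([':name' => $city]);
    return (int) $db->lastInsertId();
}

// Returns ['ok' => true, 'id' => ...] on success, or ['ok' => false, 'html' => ...]
// with the form redisplayed, value intact, on a validation failure.
function handleRequest(array $post, PDO $db): array
{
    $post = undoMagicQuotes($post);
    $city = trim($post['city'] ?? '');
    if (!isValidName($city)) {
        $errors = ['city' => 'City must start with a capital letter and contain only letters, spaces, apostrophes and hyphens'];
        return ['ok' => false, 'html' => renderForm(['city' => $city], $errors)];
    }
    return ['ok' => true, 'id' => storeCity($db, $city)];
}

// --- demo with a constructed in-memory database and constructed POST bodies ---
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE cities (id INTEGER PRIMARY KEY AUTOINCREMENT, name TEXT NOT NULL)');

foreach (["Brig O' Doon", "' autofocus onfocus='alert(1)", "brig"] as $submitted) {
    $result = handleRequest(['city' => $submitted], $db);
    if ($result['ok']) {
        $stored = $db->query('SELECT name FROM cities ORDER BY id DESC LIMIT 1')->fetchColumn();
        echo "stored id {$result['id']}: $stored", PHP_EOL;
    } else {
        echo "rejected, redisplayed: {$result['html']}", PHP_EOL;
    }
}
```

"Brig O' Doon" is stored and read back with its apostrophe intact; the other two are rejected by the pattern, and the redisplayed form carries the submitted text as an escaped attribute value rather than as markup. If you keep the session approach from the script above, put the normalised value (after undoMagicQuotes, before any escaping) into $_SESSION and escape only at output time; escaping on the way in is what produces doubled entities the next time the value is shown.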
Thanks shimmyshack; your input is really appreciated.
John

"shimmyshack" <matt.farey@gmail.com> wrote in message news:1175266318.223589.140600@l77g2000hsb.googlegroups.com...
<snip>