Topic: Stubborn http://

I'm using a field 'linkUrl' and in the next page I'm inserting it into a MySQL db, but it keeps misplacing the : so it becomes 'http//'


I've tried htmlentities, htmlspecialchars, base64_encode before inserting it into the db but to no avail...

If I print it before the insert, it reads as 'http://', so some conversion is done when inserting into the db...

Comments, ideas...

Kinda stuck here...

Re: Stubborn http://

I'm not sure I'm following you. Does the colon (hehehe) just disappear?

"Programming is like sex: one mistake and you have to support it for the rest of your life."

Re: Stubborn http://

can you write the query here?

Do you have these around the things you put in? ´ (or was it these ` ... don't remember)

Also, when everything else fails I usually test the \ before the thing that disappears wink ... so try http\:// ... I don't think it will work, but hey, at least you've tried in that case wink

Re: Stubborn http://

I have

$linkCode = base64_encode(htmlentities($_POST['linkUrl']));
// linkCatID and linkName are interpolated into the query as-is, only linkUrl is encoded
$SQL = "INSERT INTO " . TABLE_LINK_CONTENT . " (catID, linkName, linkURL, isVerified) VALUES ('" . $_POST['linkCatID'] . "', '" . $_POST['linkName'] . "', '" . $linkCode . "', '0')";
$Q = mysql_query($SQL);

in my last attempt.
I've tried with no base64-encoding, htmlspecialchars (or something), add/stripslashes etc., but it doesn't get stored in the db; all I get is 'http//'.

If I print($_POST['linkUrl'])
it shows http://, so it's something with the insert that's weird.

phpinfo of the server is here http://www.nonet.org/phpinfo.php
And I'm using a remote MySQL, some pretty recent version, @ fsdata.se

I haven't tried the code on the live webserver @ fs because I'm re-doing the design and haven't got it finished enough to be placed public.

Re: Stubborn http://

Hmm. Odd.

You should check if magic quotes is enabled, and if it isn't, you should run addslashes() on the strings from POST before inserting them. Have a look at the function escape() in PunBB. It shouldn't affect the colon though.

"Programming is like sex: one mistake and you have to support it for the rest of your life."

Re: Stubborn http://

phpMyAdmin uses some other character than the ' on the fields ... I think it's either ´ or ` ... (think the latter) .... perhaps replace the ' with those?

Re: Stubborn http://

magic_quotes_gpc = Off
magic_quotes_runtime = Off
magic_quotes_sybase = Off

That is the default for this installation (via pkgsrc in NetBSD 1.6).

I still think it's odd that when I print it, it is ok, but when I base64_encode it, it loses the : when inserting into the db.

Another Q: what happens if I put the file on a server with magic_quotes on, and I have addslashes in my insert, will it make it a double slash before inserting?
And if that is the case, can I check if magic_quotes is on and depending on that use addslashes, or will something like this work:
$url = addslashes(stripslashes($URL));
Will that remove slashes if present, and then add just one?

Re: Stubborn http://

Yes, if magic_quotes_gpc is enabled, which it is on some systems, PHP will automatically run addslashes() on the strings you fetch from $_GET, $_POST etc. So, you have to check if magic_quotes_gpc is enabled, and if it isn't, you run addslashes(). That's why I recommended that you look at the function escape() in include/common.php.

"Programming is like sex: one mistake and you have to support it for the rest of your life."

Re: Stubborn http://

Should I escape everything I insert, and un_escape everything that I get from the db?

Is there anything else I can do to make submissions more secure when user input goes into the db?

Re: Stubborn http://

You should escape everything that might contain single quote ('), double quote ("), backslash (\) or NUL (the NULL byte). In PunBB, I escape most of the stuff that goes into the database. An example of something I don't escape is the ICQ UIN. I validate that variable with a regex to make sure it only contains numbers and when I know that, there is no need to escape.

The cardinal rule is to never trust anything that is user submitted. Validate everything as much as possible.

"Programming is like sex: one mistake and you have to support it for the rest of your life."

Re: Stubborn http://

If I've got everything in order

$url = $_POST['linkUrl'];
// substr() needs the length argument (0, 7) / (0, 8) to compare the scheme prefix; substr($url, 7) returns the remainder after position 7, so the original test never matched
$linkCode = (substr($url, 0, 7) == "http://" || substr($url, 0, 8) == "https://") ? escape($url) : escape("http://" . $url);

Should take any kind of link, verify that there is an http:// or https:// and if there is not, add an http://, then escape it into the db...

More testing tomorrow after work.

Oh, btw, i kinda haxxored your escape/un_escape into my script, with a note smile
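The escape-or-validate pattern the replies above describe (addslashes() unless magic_quotes_gpc already did it, a regex check for fixed-shape fields, the scheme check with a correct substr()), as an added example that is not PunBB's own escape() code; it assumes the form fields linkCatID, linkName, linkUrl and the table constant TABLE_LINK_CONTENT used in the thread.

```php
<?php
// Added example, not PunBB's include/common.php. Assumes the fields
// linkCatID, linkName, linkUrl and the TABLE_LINK_CONTENT constant from the thread.
define('TABLE_LINK_CONTENT', 'link_content');

// If magic_quotes_gpc already backslashed $_POST, do not slash twice;
// otherwise addslashes() escapes ', ", \ and NUL. The colon is left untouched.
function escape_for_sql($str)
{
    $magic = function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc();
    return $magic ? $str : addslashes($str);
}

// Validate instead of escape where the field has a fixed shape (cf. the
// ICQ UIN): digits only, so nothing in it can break the query.
function validate_cat_id($cat_id)
{
    return preg_match('/^[0-9]+$/', $cat_id) ? (int) $cat_id : null;
}

// substr() needs the length argument to read the first 7 or 8 characters;
// substr($url, 7) returns the tail of the string instead.
function normalize_link_url($url)
{
    $url = trim($url);
    if (substr($url, 0, 7) === 'http://' || substr($url, 0, 8) === 'https://') {
        return $url;
    }
    return 'http://' . $url;
}

function build_insert($post)
{
    $cat_id = validate_cat_id($post['linkCatID']);
    if ($cat_id === null) {
        return null; // reject the submission instead of inserting it
    }
    $name = escape_for_sql($post['linkName']);
    $url  = escape_for_sql(normalize_link_url($post['linkUrl']));
    return 'INSERT INTO ' . TABLE_LINK_CONTENT
         . ' (catID, linkName, linkURL, isVerified) VALUES ('
         . $cat_id . ", '" . $name . "', '" . $url . "', 0)";
}

// Constructed sample submission (a quote in the name, no scheme on the URL).
$sample = array('linkCatID' => '3', 'linkName' => "O'Reilly", 'linkUrl' => 'www.example.com');
echo build_insert($sample), "\n";
```

addslashes() is not charset-aware, so on a current PHP stack the same validation belongs in front of a prepared statement (mysqli or PDO) rather than a hand-built query string.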

Re: Stubborn http://

GAH!

Ok, last shred of hair is now pulled from my head...
It just refuses to work if I add 'http://' or 'https://' in the link, I just get the standard 'http//', but if I leave the http:// out from the link when I submit it, the above code adds it fine and escapes it as it should into the db.