Posted by Curtis on November 8, 2008, 1:54 am
On Fri, 07 Nov 2008 16:06:58 GMT, nobody@devnull.spamcop.net wrote:
> Curtis said:
>
> > On Fri, 07 Nov 2008 02:47:52 GMT, nobody@devnull.spamcop.net wrote:
> >> XP Pro SP3 and PHP 5.2.5
> >> Probably a silly question, and admittedly rather minor, but ... I
> >> seem to be getting inconsistent sandbox results. Usually, it's
> >> common to modify a var by referencing it to itself; e.g. 'n=n+1' ,
> >> '$var=$var && "this" ', etc.
> >> ==============
> >> Is it legal to use the following PHP line ($string is the operative
> >> object here)?
> >> $string = filter_var($string, FILTER_SANITIZE_SPECIAL_CHARS) for
> >> instance?
> >> or must I use something like:
> >> $stringA = filter_var($string, FILTER_SANITIZE_SPECIAL_CHARS) ?
> >> and then work with $stringA thereafter?
> >> ==============
> > Both are valid assignments, although your posted statements lack a
> > semi-colon. I'll assume that isn't the problem. :P
>
> Thanks, that's the clarification I was looking for. No, it's not the
> semi-colons; I wish it was! Looks like I overtyped them with the
> question marks etc. here. Dunno why I did that.
>
> >> It seems to work OK and then at the odd times it doesn't.
> > What does that mean? Can you explain exactly how it doesn't work?
>
> It passes the variable unsanitized. A <script> say will come
> thru unchanged or a special character will not be stripped, things like
> that. It's not returning False, it's just not doing the filtering
> intermittently and not very often for the same data, which is now
> prefilled into the form to speed things up.
>
> Based on your clarification above, about all that's left is file
> corruption of some sort but darned if I know why it's so intermittent.
> I think when I get more time (and coffee in me) I'll rewrite that whole
> section from scratch, a validate & sanitize at a time and see what
> happens. If it's still a problem then I'll upload it to my remote
> server and see what happens there. I've been afraid to do that in case
> it hides the problem, but at least I'll have some concrete data to work
> with if it comes back.
[snip]
So you're using filter_var() for form data in your actual script? If
so, you ought to be using filter_input(). Actually, I'm not sure of
any benefit using filter_var() with FILTER_SANITIZE_SPECIAL_CHARS
over htmlspecialchars() (maybe the options); this is just a guess,
though.
This still doesn't explain your problem, and I have yet to reproduce
the behavior (PHP 5.2.6, Win32, Apache 2 module). Have you searched
the PHP bug tracker?
Here's a php.net example using filter_input:
> <?php
> $search_html = filter_input(INPUT_GET, 'search',
>     FILTER_SANITIZE_SPECIAL_CHARS);
> $search_url = filter_input(INPUT_GET, 'search', FILTER_SANITIZE_ENCODED);
> echo "You have searched for $search_html.\n";
> echo "<a href='?search=$search_url'>Search again.</a>";
--
Curtis
$email = str_replace('sig.invalid', 'gmail.com', $from);
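An added example, not code from the thread or from php.net, that runs filter_var() with FILTER_SANITIZE_SPECIAL_CHARS beside htmlspecialchars() over constructed inputs (the sample strings are made up), handles the false return filter_var() can give, and checks that the `<script>` case the original poster described cannot come through either path unchanged:

```php
<?php
// Added example, not code from the thread: runs the two sanitizers Curtis
// weighs against each other over constructed inputs, including the
// "<script>" case the original poster described, so the difference is visible.
function sanitize_both(string $input): array
{
    $fv = filter_var($input, FILTER_SANITIZE_SPECIAL_CHARS);
    // filter_var() returns false on failure; assigning straight back into
    // $string and echoing it would silently print "" instead of failing.
    if ($fv === false) {
        throw new RuntimeException('filter_var() failed');
    }
    $hs = htmlspecialchars($input, ENT_QUOTES, 'UTF-8');
    return ['filter_var' => $fv, 'htmlspecialchars' => $hs];
}

// Defensive self-check: neither result may still contain a raw angle bracket.
function is_neutralized(string $s): bool
{
    return strpbrk($s, '<>') === false;
}

// Constructed sample inputs.
$samples = [
    '<script>alert(1)</script>',   // markup that must not survive
    "O'Reilly & \"Sons\"",         // quotes and ampersand
    "line1\nline2",                // control char: only filter_var encodes it
];

foreach ($samples as $s) {
    $r = sanitize_both($s);
    printf("input:            %s\n", addcslashes($s, "\n"));
    printf("filter_var:       %s\n", $r['filter_var']);
    printf("htmlspecialchars: %s\n\n", $r['htmlspecialchars']);
    foreach ($r as $name => $out) {
        if (!is_neutralized($out)) {
            fwrite(STDERR, "$name left markup in: $out\n");
            exit(1);
        }
    }
}
```

Run it with the php CLI: FILTER_SANITIZE_SPECIAL_CHARS emits numeric entities and also encodes characters below ASCII 32, while htmlspecialchars() emits named entities and leaves the newline as-is, which is the main practical difference between the two.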