Smarty forum: Using stripslashes so as not to display them to the user
twh3375 (Smarty n00b)
Joined: 22 Sep 2006 Posts: 2
Posted: Fri Sep 22, 2006 1:00 am Post subject: Using stripslashes so as not to display them to the user
As you know, a backslash is used to delimit a quote in a variable so as not to cause confusion when passing it around. For example,
Code:
    $last_name = 'O\'Neil';
If last name was passed in from a GPC (Get/Post/Cookie) operation, and magic_quotes_gpc is turned on (it usually is), then the backslash would have been added automatically. The problem is then, when you assign it to a Smarty variable name, the backslash comes along for the ride:
Code:
    $smarty->assign('LNAME', $last_name);
The resulting {$LNAME} displayed to the user will be 'O\'Neil', which we don't want. We just want O'Neil.
There are two solutions; one is to use PHP's stripslashes() in PHP:
Code:
    $smarty->assign('LNAME', stripslashes($last_name));
Another is to use PHP's stripslashes directly in the Smarty output:
Code:
    {$LNAME|stripslashes}
Both of these techniques might require modifying a lot of code. However, the first option can be put into its own function so that you don't have to remember to stripslashes every time you do an assign.
Code:
    // Assign to the global Smarty instance with the magic-quotes backslashes removed
    function ssassign($varname, $var)
    {
        global $smarty;
        $smarty->assign($varname, stripslashes($var));
    }
To expand on this, you should probably take care of situations where $var is an array:
Code:
    function ssassign($varname, $var)
    {
        global $smarty;
        $smarty->assign($varname, stripslashes_deep($var));
    }

    // Recursively strip slashes from a string, or from every element of a (nested) array
    function stripslashes_deep($value)
    {
        $value = is_array($value) ?
            array_map('stripslashes_deep', $value) :
            stripslashes($value);
        return $value;
    }
Anyways, this seems to work well for me. What does everyone else think?
boots (Administrator)
Joined: 16 Apr 2003 Posts: 5611 Location: Toronto, Canada
Posted: Fri Sep 22, 2006 2:06 am
Better to turn off magic_quotes_gpc altogether (and any of its friends). It is a very questionable option to have enabled and, in fact, is scheduled to be removed entirely from PHP6 just because it is such a PITA.
http://php.net/magic_quotes
Another thing: for portability, you should check if magic_quotes_gpc is enabled before using stripslashes. See the comments in the magic_quotes page I linked for other solutions.
twh3375 (Smarty n00b)
Joined: 22 Sep 2006 Posts: 2
Posted: Sat Sep 23, 2006 2:44 am
Well, for those who can't turn the magic quotes off, I think the original post holds water.
I actually don't mind the magic quotes. It keeps me from having to explicitly addslashes to posted text.
In fact, when posting via my ajax library, string variables are passed from javascript directly into PHP. When those values have quote(s) in them, I experience problems. What do I do? Addslashes on entry. I think anything coming in should have slashes added, and any time you display it you should remove them.
boots (Administrator)
Joined: 16 Apr 2003 Posts: 5611 Location: Toronto, Canada
Posted: Sat Sep 23, 2006 8:12 am
The problem I have with magic quotes and the like is that they simply aren't needed. I think it is more appropriate to be able to access the raw submitted data rather than something that has been massaged before my application can deal with it. In my view, the general dictum regarding IO is: filter input, escape output.
Surely you are correct that one eventually does have to account for data format issues, and it becomes pressing when you don't have control of your environment and so you don't have the option of turning off magic quotes. That said, if you choose to handle it as described above, I think it is worth the while to at least consider portability: if magic_quotes_gpc (and friends) are not enabled (use ini_get() to discover), you don't want or need to apply stripslashes() to input data.
Another thing to mention is that not all data that is assigned to Smarty originates from user-supplied input (in some cases, none at all). IMHO, that implies that applying such a technique at the Smarty layer is likely not the most appropriate place to address the issue. Rather, sanitize all input independently within your application before it ever gets to the point that you need to assign it to Smarty.
Sorry, I don't mean to denigrate your ideas; these are really just my 2c take on this matter. Indeed, please accept my thanks to you for taking the time to provide your solutions, insights and discussion here, regardless of whether we see eye-to-eye on this particular issue. After all, as I have often noted, my needs are not likely the same as the needs that others may have ;)
Best Regards!
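The two points the thread converges on, strip the magic-quotes backslashes recursively (twh3375's stripslashes_deep) but only when magic_quotes_gpc is actually on (boots's ini_get() check), and do it at the input boundary rather than inside every Smarty assign, combined into one added PHP example. This is not code from the thread or from Smarty; the function names magic_quotes_active() and unquote_gpc_deep() and the sample $post_with_magic array are constructed for illustration. It assumes a PHP 5-era interpreter where the magic_quotes_gpc directive still exists; on later versions ini_get() returns an empty value and the data passes through untouched, which is the correct behaviour there.

```php
<?php
// Added example, not from the original thread or from the Smarty project.
// Strip magic-quotes slashes only when PHP actually added them, and do it once
// at the input boundary rather than inside every Smarty assign.

// True if the magic_quotes_gpc directive is enabled. ini_get() returns an
// empty value when the directive does not exist (PHP >= 5.4), so this is
// false there and nothing gets stripped.
function magic_quotes_active()
{
    return filter_var(ini_get('magic_quotes_gpc'), FILTER_VALIDATE_BOOLEAN);
}

// Recursively strip slashes from a string or from every element of a (nested)
// array, like the thread's stripslashes_deep(), but skipped entirely when
// magic quotes are off so raw input is never mangled. $magicQuotesOn may be
// passed explicitly (handy for tests); otherwise it is detected from php.ini.
function unquote_gpc_deep($value, $magicQuotesOn = null)
{
    if ($magicQuotesOn === null) {
        $magicQuotesOn = magic_quotes_active();
    }
    if (!$magicQuotesOn) {
        return $value;              // already exactly what the user submitted
    }
    if (is_array($value)) {
        $out = array();
        foreach ($value as $k => $v) {
            $out[$k] = unquote_gpc_deep($v, true);   // keys are left as-is
        }
        return $out;
    }
    return is_string($value) ? stripslashes($value) : $value;
}

// Constructed sample: what $_POST looks like with magic_quotes_gpc turned on.
// The PHP literal 'O\\\'Neil' is the six-character string O\'Neil.
$post_with_magic = array(
    'last_name' => 'O\\\'Neil',
    'tags'      => array('rock \\"n\\" roll', 'jazz'),
);

// Normalise once at the input boundary ("filter input")...
$input = unquote_gpc_deep($post_with_magic, true);

// ...then assign to Smarty as usual and let the template escape at output
// time ({$LNAME|escape}) instead of stripping there ("escape output").
// $smarty->assign('LNAME', $input['last_name']);

// Self-checks on the constructed sample.
if ($input['last_name'] !== "O'Neil") {
    throw new RuntimeException('scalar not unquoted');
}
if ($input['tags'][0] !== 'rock "n" roll' || $input['tags'][1] !== 'jazz') {
    throw new RuntimeException('nested array not unquoted');
}
// With magic quotes off the data must pass through untouched.
if (unquote_gpc_deep($post_with_magic, false) !== $post_with_magic) {
    throw new RuntimeException('raw input was modified');
}
echo "ok\n";
```

Because the check is keyed on the directive rather than hard-coded, the same code runs correctly on a shared host where magic quotes cannot be turned off and on a host where they are already off, which is the portability concern raised above.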
Powered by phpBB © 2001, 2005 phpBB Group