
Using stripslashes so as not to display them to the user

 
twh3375
Smarty n00b


Joined: 22 Sep 2006
Posts: 2

Posted: Fri Sep 22, 2006 1:00 am    Post subject: Using stripslashes so as not to display them to the user

As you know, a backslash is used to delimit a quote in a variable so as not to cause confusion when passing it around. For example,

Code:
$last_name = 'O\'Neil';


If last name was passed-in from a GPC (Get/Post/Cookie) operation, and magic_quotes_gpc is turned on (it usually is), then the backslash would have been added automatically. The problem is then, when you assign it to a smarty variable name, the backslash comes along for the ride:

Code:
$smarty->assign('LNAME', $last_name);


The resulting {$LNAME} displayed to the user will be 'O\'Neil', which we don't want. We just want O'Neil.

There are two solutions, one is to use PHP's stripslashes() in PHP:

Code:
$smarty->assign('LNAME', stripslashes($last_name));


Another is to use PHP's stripslashes directly in the smarty output:

Code:
{$LNAME|stripslashes}


Both of these techniques might require modifying a lot of code. However, the first option can be put into its own function so that you don't have to remember to stripslashes every time you do an assign.

Code:
function ssassign($varname, $var)
{
   global $smarty;
   $smarty->assign($varname, stripslashes($var));
}


To expand on this, you should probably take care of situations where $var is an array:

Code:
function ssassign($varname, $var)
{
   global $smarty;
   $smarty->assign($varname, stripslashes_deep($var));
}

function stripslashes_deep($value)
{
   $value = is_array($value) ?
               array_map('stripslashes_deep', $value) :
               stripslashes($value);

   return $value;
}


Anyways, this seems to work well for me. What does everyone else think?
boots
Administrator


Joined: 16 Apr 2003
Posts: 5611
Location: Toronto, Canada

Posted: Fri Sep 22, 2006 2:06 am

Better to turn off magic_quotes_gpc altogether (and any of its friends). It is a very questionable option to have enabled and in fact, is scheduled to be removed entirely from PHP6 just because it is such a PITA.

http://php.net/magic_quotes

Another thing: for portability, you should check if magic_quotes_gpc is enabled before using stripslashes. See the comments in the magic_quotes page I linked for other solutions.
twh3375
Smarty n00b


Joined: 22 Sep 2006
Posts: 2

Posted: Sat Sep 23, 2006 2:44 am

Well, for those who can't turn the magic quotes off, I think the original post holds water.

I actually don't mind the magic quotes. It keeps me from having to explicitly addslashes to posted text.

In fact, when posting via my ajax library, string variables are passed from javascript directly into PHP. When those values have quote(s) in them, I experience problems. What do I do? Addslashes on entry. I think anything coming in should have slashes added, and any time you display it you should remove them.
boots
Administrator


Joined: 16 Apr 2003
Posts: 5611
Location: Toronto, Canada

Posted: Sat Sep 23, 2006 8:12 am

The problem I have with magic quotes and the like is that they simply aren't needed. I think it is more appropriate to be able to access the raw submitted data rather than something that has been massaged before my application can deal with it. In my view, the general dictum regarding IO is: filter input, escape output.

Surely you are correct that one eventually does have to account for data format issues -- and it becomes pressing when you don't have control of your environment and so you don't have the option of turning off magic quotes. That said, if you choose to handle it as described above, I think it is worth the while to at least consider portability -- if magic_quotes_gpc (and friends) are not enabled (use ini_get() to discover), you don't want or need to apply stripslashes() to input data.

Another thing to mention is that not all data that is assigned to Smarty originates from user supplied input (in some cases, none at all). IMHO, that implies that applying such a technique at the Smarty layer is likely not the most appropriate place to address the issue. Rather, sanitize all input independently within your application before it ever gets to the point that you need to assign it to Smarty.

Sorry, I don't mean to denigrate your ideas -- these are really just my 2c take on this matter. Indeed, please accept my thanks to you for taking the time to provide your solutions, insights and discussion here, regardless of whether we see eye-to-eye on this particular issue. After all, as I have often noted, my needs are not likely the same as the needs that others may have ;)

Best Regards!
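Worked example, added here and not code from either poster, of the portable approach boots describes combined with the recursive stripslashes_deep from the first post: strip only when ini_get() reports magic_quotes_gpc as on, do it once on the superglobals at the application entry point rather than at the Smarty layer, and escape at output instead of stripping there. The Smarty calls and profile.tpl at the end are assumptions and are shown as comments.

```php
<?php
// Added example (not from the thread). Undo magic_quotes_gpc once, at the entry
// point, and only when the directive is really enabled, so the same code runs
// unchanged on hosts that have it off. Escaping is left to the output stage.

function magic_quotes_enabled(): bool
{
    // ini_get() returns false when the directive is unknown (removed in PHP 5.4)
    // and "0" or "" when it exists but is off; only a truthy value means "on".
    $raw = ini_get('magic_quotes_gpc');
    return $raw !== false && filter_var($raw, FILTER_VALIDATE_BOOLEAN);
}

// Recursive stripslashes: GPC arrays (e.g. tags[]) get the same treatment as scalars.
function stripslashes_deep($value)
{
    return is_array($value)
        ? array_map('stripslashes_deep', $value)
        : stripslashes((string) $value);
}

// Strip only when slashes were actually added; $enabled is injectable for testing.
function undo_magic_quotes(array $input, bool $enabled): array
{
    return $enabled ? stripslashes_deep($input) : $input;
}

// --- constructed input, exactly as magic_quotes_gpc would have delivered it ---
$postedWithMagic = ['last_name' => "O\\'Neil", 'tags' => ["it\\'s", 'plain']];

$clean = undo_magic_quotes($postedWithMagic, true);    // host with the option on
assert($clean['last_name'] === "O'Neil" && $clean['tags'][0] === "it's");

$untouched = undo_magic_quotes(['last_name' => "O'Neil"], false); // option off
assert($untouched['last_name'] === "O'Neil");          // nothing stripped twice

// Real bootstrap: run once here, before any other code reads the superglobals.
if (magic_quotes_enabled()) {
    $_GET    = stripslashes_deep($_GET);
    $_POST   = stripslashes_deep($_POST);
    $_COOKIE = stripslashes_deep($_COOKIE);
}

// Output stage (assumed Smarty setup): assign the raw value and escape in the
// template, e.g.   {* profile.tpl *}  Name: {$LNAME|escape}
// which renders O&#039;Neil, HTML-safe, without altering the stored data.
// $smarty->assign('LNAME', $clean['last_name']);
// $smarty->display('profile.tpl');
```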