|
|
php.net | support | documentation | report a bug | advanced search | search howto | statistics | random bug | login |
PatchesPull RequestsHistoryAllCommentsChangesGit/SVN commits
[2008-07-14 23:41 UTC] jani@php.net
|
|||||||||||||||||||||||||||
Copyright © 2001-2025 The PHP GroupAll rights reserved. |
Last updated: Thu Nov 06 11:00:01 2025 UTC |
Description: ------------ In the form enter a string with a quote anywhere. Clic several times the submit button. In the next code, it is supposed that the user will never excecute the addslashes() function inside the if statement. However, the value of the $_POST variable is changed and added slashes!!!! Reproduce code: --------------- <?php if( false ){ $sss= $_POST["nameP"]; $sss= addslashes( $sss ); } ?> <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" /> <title>nooh shit</title> </head> <body> <form id="form1" name="form1" method="post" action=""> Enter the string "any'string" and send:<input name="nameP" type="text" value="<?=$_POST["nameP"]?>" /> <input type="submit" name="enviar" id="enviar" value="Send" /> </form> </body> </html> Expected result: ---------------- The expected result is that the $_POST variable keep its value: original string: any'string several submits later: any'string Actual result: -------------- The actual result is something like this: original string: any'string several submits later: any\\\\\\\\\\'string