|
|
php.net | support | documentation | report a bug | advanced search | search howto | statistics | random bug | login |
PatchesPull RequestsHistoryAllCommentsChangesGit/SVN commits
[2008-07-14 23:41 UTC] jani@php.net
|
|||||||||||||||||||||||||||
Copyright © 2001-2024 The PHP GroupAll rights reserved. |
Last updated: Sun May 05 15:01:33 2024 UTC |
Description: ------------ In the form enter a string with a quote anywhere. Clic several times the submit button. In the next code, it is supposed that the user will never excecute the addslashes() function inside the if statement. However, the value of the $_POST variable is changed and added slashes!!!! Reproduce code: --------------- <?php if( false ){ $sss= $_POST["nameP"]; $sss= addslashes( $sss ); } ?> <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" /> <title>nooh shit</title> </head> <body> <form id="form1" name="form1" method="post" action=""> Enter the string "any'string" and send:<input name="nameP" type="text" value="<?=$_POST["nameP"]?>" /> <input type="submit" name="enviar" id="enviar" value="Send" /> </form> </body> </html> Expected result: ---------------- The expected result is that the $_POST variable keep its value: original string: any'string several submits later: any'string Actual result: -------------- The actual result is something like this: original string: any'string several submits later: any\\\\\\\\\\'string