No trim() on escapes, Newbie followup


le_mig
03-25-2011, 06:11 AM
Yes, I realize it takes time for posts to process.. and I REALLY didn't think I'd be back this fast, but I just don't have the time or patience left to come back after my previous post clears and add this.. it is slightly different, too.

This has to do with _POST automatically extracting .. like it has a special register_globals turned on just for _POST. I raised my concern of this .. and it seems reality is far worse than I could imagine..

trim() does not work on any _REQUEST information .. well, it'll catch a space, but no escaped characters. (yes, I tried _GET)

Here are some examples in comparison. Again, $email was the result of an automatic $_POST extraction. It was not explicitly created by my script.

echo "===============Part 1 Results:";
$email2 = " \temail@gmail.com\n\r ";
var_dump($email, $_POST['email'], $email2);
echo "---1\n";

$test1 = trim($email);
$test2 = trim($_POST['email']);
$test3 = trim($email2);
var_dump($test1, $test2, $test3);
echo "---2\n";

$test4 = trim($email, " \r\t\n");
$test5 = trim($email2, " \r\t\n");
$email = 1;
$test2 = 2;
var_dump($test4, $test5, $email, $test2);
echo "---3\n";

===============Part 1 Results:
string(21) " \temail@gmail.com\n\r "
string(21) " \temail@gmail.com\n\r "
string(19) " email@gmail.com

"
---1
string(21) "\temail@gmail.com\n\r"
string(21) "\temail@gmail.com\n\r"
string(15) "email@gmail.com"
---2
string(21) "\temail@gmail.com\n\r"
string(15) "email@gmail.com"
int(1)
int(2)
---3

// .. and similar using binary, just in case you were wondering //
echo "===============Part 2 Results:";
$email2 = " \x00\temail@gmail.com\n\r ";
var_dump($email, $_POST['email'], $email2);
echo "---4\n";

$test6 = trim($email);
$test7 = trim($_POST['email']);
$test8 = trim($email2);
var_dump($test6, $test7, $test8);
echo "---5\n";

$test9 = trim($email, " \x00\r\t\n");
$test10 = trim($email2, " \x00\r\t\n");
var_dump($test9);
echo "---6\n";

===============Part 2 Results:
string(25) " \x00\temail@gmail.com\n\r "
string(25) " \x00\temail@gmail.com\n\r "
string(20) " email@gmail.com

"
---4
string(25) "\x00\temail@gmail.com\n\r"
string(25) "\x00\temail@gmail.com\n\r"
string(15) "email@gmail.com"
---5
string(25) "\x00\temail@gmail.com\n\r"
string(15) "email@gmail.com"
---6


This can't possibly be my fault!!! But I wonder if it's related to the database charset issues others are having?
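
Added example, not part of the original posts and not Quercus code: in the var_dump output above, the POST value prints `\t`, `\n` and `\r` as visible backslash sequences, while `$email2` prints real whitespace. The script below shows how trim() in standard PHP treats each kind of string and how a form value can be validated after trimming; `show()` and `normalize_email()` are hypothetical helpers and all sample values are constructed.

```php
<?php
// Added example; all sample values below are constructed.

// Print a string with control bytes made visible, plus its byte length.
function show(string $label, string $s): void {
    printf("%-24s len=%2d %s\n", $label, strlen($s), json_encode($s));
}

// Hypothetical helper: strip real whitespace/NUL bytes from both ends, then
// accept the value only if it is a syntactically valid address.
function normalize_email(string $raw): ?string {
    $trimmed = trim($raw, " \t\n\r\0\x0B");
    // Reject embedded control bytes instead of silently removing them.
    if (preg_match('/[\x00-\x1F\x7F]/', $trimmed)) {
        return null;
    }
    $valid = filter_var($trimmed, FILTER_VALIDATE_EMAIL);
    return $valid === false ? null : $valid;
}

$samples = [
    // Single quotes: backslash and letter stay two separate characters,
    // which is what arrives when a user types \t into a form field.
    'typed backslash text' => ' \temail@gmail.com\n\r ',
    // Double quotes: PHP turns \t, \n, \r, \x00 into single control bytes.
    'real control bytes'   => " \x00\temail@gmail.com\n\r ",
    // A NUL in the middle of the value is not something trim() can remove.
    'embedded NUL'         => "email\x00@gmail.com",
];

foreach ($samples as $label => $raw) {
    show($label, $raw);
    show('  trim()', trim($raw));
    show('  normalize_email()', normalize_email($raw) ?? '(rejected)');
}
```

Comparing the `len=` column for the first two samples shows whether a value carries two-character backslash text or single control bytes, which is the difference trim() acts on.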

domdorn
03-25-2011, 03:16 PM
Hello le_mig,

Thanks for taking the time to post these issues; however, please use the issue tracker to report issues.

Also, please attach _short_ unit tests to the issues. You can take this as an example:
https://github.com/quercus/quercus-filter/blob/master/src/test/resources/qa/0003_functions_exist.qa

Thanks for your help.