
Below is my code. The issue is that when I enter any username with an apostrophe ('), an additional character "\" (backslash) is being displayed when the search results are returned.

Below is my code. I find that a function addslashes is used in the checkusername function, so the backslash is getting added.

if ( 0 < count( $my_field_place ))
{
    for ( $i = 0; $i < count( $my_field_place ); $i++ )
    {
        if ( true === isset( $Fields[$i] ))
        {
            // Emits one JavaScript statement per field. addslashes() escapes the
            // quotes and backslashes inside the single-quoted JS string literals.
            print "gMapping[$i] = new MappingItem( '" .
                    addslashes( $Fields[$i] ) .
                    "', '" .
                    checkusername( $my_field_place[$i] ) .
                    "' );";
        }
    }
}


function checkusername($inStr)
{
  $orig = array();
  $new  = array();

  // Pattern 0: newline characters (a stray backtick after the closing
  // delimiter made the original pattern an invalid regex).
  $orig[0] = "/\n/";          $new[0] = "\\?n";
  // Pattern 1: drop every character outside the character class.
  $orig[1] = "/[^\x-*()]/";   $new[1] = "";

  $var1 = preg_replace($orig, $new, $inStr);
  $var2 = addslashes($var1);  // I am not sure why addslashes is used, but I am asked not to remove it for security reasons?

  return $var2;
}

Note: I googled and found that it is used for security reasons. Since in my case we are only displaying the searched result, I am not sure why this function is used here. My fix is to add the stripslashes() function before returning, which removes the backslashes added by the addslashes() function. Please find the code snippet and the comment for the code change below:

function checkusername($inStr)
{
  $orig = array();
  $new  = array();

  // Pattern 0: newline characters (a stray backtick after the closing
  // delimiter made the original pattern an invalid regex).
  $orig[0] = "/\n/";          $new[0] = "\\?n";
  // Pattern 1: drop every character outside the character class.
  $orig[1] = "/[^\x-*()]/";   $new[1] = "";

  $var1 = preg_replace($orig, $new, $inStr);
  $var2 = addslashes($var1);

  return stripslashes($var2); // I am not sure whether stripslashes is the correct fix or not?
}

Please help: is it fine to add stripslashes, or is there any other way to handle it?

leuage
  • 566
  • 3
  • 17
  • I am not quite 100% sure but I'm pretty confident that if `addslashes` is used for a security reason, then whoever is coding that is doing it wrong. Addslashes was used in this context possibly ten years ago. A lot has changed since then, not least the use of Prepared Statements for SQL Db inserts/reads. – Martin Jul 11 '16 at 07:57
  • I'm not really sure what this suppose to do. You add slashes `$var2 = addslashes($t1);` just to remove them in the line after? You also do a `preg_replace()` and store it in `$var1`, which isn't even used after. Is this to prevent [XSS](https://en.wikipedia.org/wiki/Cross-site_scripting)? – M. Eriksson Jul 11 '16 at 07:59
  • @MagnusEriksson my mistake: in `$var2 = addslashes($t1)`, instead of `$t1` there should be `$var1`. I have updated it again, please check. – leuage Jul 12 '16 at 04:49
  • @Martin Any suggestion or help? Should I remove `$var2 = addslashes($var1);` and directly return `$var1` instead from checkusername? Will it cause any security issues? – leuage Jul 12 '16 at 10:14
  • @ricklo "security" is such a wide topic that the question is pretty meaningless. But your actions on the code are pretty futile, as you add slashes only to immediately remove those same slashes. If you need to cleanse some code I recommend using regex-type cleaning patterns such as `preg_replace`. – Martin Jul 12 '16 at 12:27
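Added example (not code from the question, the comments or the answer): the escaping a username needs depends on where it ends up, not on a fixed addslashes() call. For the JavaScript `new MappingItem(...)` statement, `json_encode()` already produces a quoted JS string literal (so the hand-written single quotes go away) and its `JSON_HEX_*` flags keep user data from closing the literal or the `<script>` block; for a plain HTML results cell, `htmlspecialchars()` is the right call. `addslashes()` followed by `stripslashes()` hands the input back unchanged, which is why the posted "fix" neither protects nor displays anything differently. Function names, the character whitelist and the sample input are assumptions.

```php
<?php
// Added example, not code from the question or the answer. Function names,
// the character whitelist and the sample input below are assumptions.

// What the posted checkusername() with stripslashes() effectively returns:
// addslashes() followed by stripslashes() gives the input back for any string.
function addslashes_then_stripslashes_is_noop(string $s): bool
{
    return stripslashes(addslashes($s)) === $s;
}

// Keep the cleanup step (newlines collapsed, characters outside a whitelist
// dropped) but do NOT escape here: escaping belongs to the output context.
function normalize_username(string $in): string
{
    $in = (string) preg_replace('/[\r\n]+/', ' ', $in);
    return (string) preg_replace('/[^\p{L}\p{N} .\'\-@_()*]/u', '', $in);
}

// Context 1: the JavaScript statement the search page prints. json_encode()
// yields a valid JS string literal; the JSON_HEX_* flags also make it safe
// inside a <script> block (no '</script>', quote or '&' break-out from data).
function js_mapping_item(int $i, string $field, string $username): string
{
    $flags = JSON_HEX_TAG | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_HEX_AMP;
    return sprintf('gMapping[%d] = new MappingItem(%s, %s);',
        $i, json_encode($field, $flags), json_encode($username, $flags));
}

// Context 2: the same username shown as text in an HTML results table.
function html_username(string $username): string
{
    return htmlspecialchars($username, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

$name  = "O'Brien <b>x</b>";            // constructed sample input
$clean = normalize_username($name);     // apostrophe kept, angle brackets dropped
var_dump(addslashes_then_stripslashes_is_noop($name));
echo js_mapping_item(0, 'Owner', $clean), "\n";   // apostrophe escaped for JS
echo html_username($clean), "\n";                 // apostrophe escaped for HTML
```

Neither output contains a literal backslash in the displayed text, because each escape is understood by the consumer (the JS parser or the HTML parser) rather than shown to the user.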

1 Answer

0

You can restrict users from those special characters, though. Gmail, Yahoo, FB etc. will never allow this character, since it allows multiple words to be represented in a somewhat readable manner. Below is some documentation: https://support.google.com/a/answer/33386?hl=en, see the second guideline.

leuage
  • 566
  • 3
  • 17