I am testing how secure is to use stripslashes()
I tried the following :
$str = chr(0xbf) . chr(0x27);
var_dump(stripslashes($str)); // string(2) " �' "
Then I changed it to this :
$str = $_POST['input']; // %bf%27;
var_dump(stripslashes($str)); // string(3) " �'' "
Then I used curl to send input data :
curl_setopt($ch, CURLOPT_POSTFIELDS, 'input=' . chr(0xbf) . chr(0x27));
but again result was : string(3) " �'' "
Is it possible to get result as in First example when data is received from another server? Will it be secure to use stripslashes() ?
You're asking two questions here:
stripslashes() is not really a secure way of handling input (that goes to a database, i assume). There are too many variables involved, like
Try the following file. It should serve as a basic test case for what you are investigating. I so far cannot reproduce the problem that you described.
test.php
<html>
<head></head>
<body>
<form method="POST" action="test.php">
<input type="text" name="input"></input>
<input type="submit" value="Submit"></input>
</form>
<?php
$string = chr(0xbf) . chr(0x27); // yields string '¿'' (length=2)
$input = $_POST['input'];
foreach (array($string, $input) as $s) {
var_dump(stripslashes($s));
var_dump($s);
}
?>
</html>
The results that you get strongly point to an encoding problem.