<HTML><BODY style="word-wrap: break-word; -khtml-nbsp-mode: space; -khtml-line-break: after-white-space; "><BR><DIV><DIV>On Oct 26, 2006, at 5:23 PM, The Editor wrote:</DIV><BR class="Apple-interchange-newline"><BLOCKQUOTE type="cite"><DIV style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; ">Hi List,</DIV><DIV style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; min-height: 14px; "><BR></DIV><DIV style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; ">I am about ready to pull my hair out.<SPAN class="Apple-converted-space"> </SPAN>This bug has got to be staring</DIV><DIV style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; ">me in the face.</DIV><DIV style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; min-height: 14px; "><BR></DIV><DIV style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; ">When the post is submitted, the very first thing ZAP does after</DIV><DIV style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; ">authenticating the form and setting a few variables, is clean the post</DIV><DIV style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; ">from potentially harmful stuff.<SPAN class="Apple-converted-space"> </SPAN>I use these lines:</DIV><DIV style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; min-height: 14px; "><BR></DIV><DIV style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; "><SPAN class="Apple-tab-span" style="white-space:pre"> </SPAN>foreach ($_POST as $field => $value) {</DIV><DIV style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; "><SPAN class="Apple-tab-span" style="white-space:pre"> </SPAN><SPAN class="Apple-tab-span" style="white-space:pre"> </SPAN><SPAN class="Apple-tab-span" style="white-space:pre"> </SPAN>if (get_magic_quotes_gpc()) $_POST[$field] = stripslashes($value);</DIV><DIV style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; "><SPAN class="Apple-tab-span" style="white-space:pre"> </SPAN><SPAN class="Apple-tab-span" style="white-space:pre"> </SPAN><SPAN class="Apple-tab-span" style="white-space:pre"> </SPAN>$_POST[$field] = preg_replace('/\\(:/', '(&#x3a;', $value);</DIV><DIV style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; "><SPAN class="Apple-tab-span" style="white-space:pre"> </SPAN><SPAN class="Apple-tab-span" style="white-space:pre"> </SPAN><SPAN class="Apple-tab-span" style="white-space:pre"> </SPAN>$_POST[$field] = preg_replace('/\\{(\\w+)\\}/e', "\$_POST[$1]", $value);</DIV><DIV style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; "><SPAN class="Apple-tab-span" style="white-space:pre"> </SPAN><SPAN class="Apple-tab-span" style="white-space:pre"> </SPAN><SPAN class="Apple-tab-span" style="white-space:pre"> </SPAN>if (is_array($value)) $_POST[$field] = implode(",", $value);</DIV><DIV style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; "><SPAN class="Apple-tab-span" style="white-space:pre"> </SPAN><SPAN class="Apple-tab-span" style="white-space:pre"> </SPAN><SPAN class="Apple-tab-span" style="white-space:pre"> </SPAN>}</DIV><DIV style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; min-height: 14px; "><BR></DIV></BLOCKQUOTE><DIV><BR class="khtml-block-placeholder"></DIV><DIV>Oh no!</DIV><DIV><BR class="khtml-block-placeholder"></DIV><DIV>you're changing $_POST[$field] several times and OVERWRITING it with something completely new. This isn't a chain of events happening to $value. This is "Place A in the bucket. Dump the bucket out and place B in the bucket. Dump the bucket out and place C in the bucket."</DIV><DIV><BR class="khtml-block-placeholder"></DIV><DIV>You see, when you read $value from $_POST $value becomes it's own copy. Changing $_POST[$field] = "X"; will not change $value to "X". $value stays the same through the whole chain, because you're not explicitly changing $value.</DIV><DIV><BR class="khtml-block-placeholder"></DIV><DIV>Try this:</DIV><DIV style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; "><SPAN class="Apple-tab-span" style="white-space:pre; color: rgb(0, 0, 221); "> </SPAN>foreach ($_POST as $field => $value) {</DIV><DIV style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; "><SPAN class="Apple-tab-span" style="white-space:pre; color: rgb(0, 0, 221); "> </SPAN><SPAN class="Apple-tab-span" style="white-space:pre; color: rgb(0, 0, 221); "> </SPAN><SPAN class="Apple-tab-span" style="white-space:pre; color: rgb(0, 0, 221); "> </SPAN>if (get_magic_quotes_gpc()) $value = stripslashes($value);</DIV><DIV style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; "><SPAN class="Apple-tab-span" style="white-space:pre; color: rgb(0, 0, 221); "> </SPAN><SPAN class="Apple-tab-span" style="white-space:pre; color: rgb(0, 0, 221); "> </SPAN><SPAN class="Apple-tab-span" style="white-space:pre; color: rgb(0, 0, 221); "> </SPAN>$value = preg_replace('/\\(:/', '(&#x3a;', $value);</DIV><DIV style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; "><SPAN class="Apple-tab-span" style="white-space:pre; color: rgb(0, 0, 221); "> </SPAN><SPAN class="Apple-tab-span" style="white-space:pre; color: rgb(0, 0, 221); "> </SPAN><SPAN class="Apple-tab-span" style="white-space:pre; color: rgb(0, 0, 221); "> </SPAN>$value = preg_replace('/\\{(\\w+)\\}/e', "\$_POST[$1]", $value);</DIV><DIV style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; "><SPAN class="Apple-tab-span" style="white-space:pre; color: rgb(0, 0, 221); "> </SPAN><SPAN class="Apple-tab-span" style="white-space:pre; color: rgb(0, 0, 221); "> </SPAN><SPAN class="Apple-tab-span" style="white-space:pre; color: rgb(0, 0, 221); "> </SPAN>if (is_array($value)) $value = implode(",", $value);</DIV><DIV style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; "><SPAN class="Apple-tab-span" style="white-space:pre; color: rgb(0, 0, 221); "> </SPAN><SPAN class="Apple-tab-span" style="white-space:pre; color: rgb(0, 0, 221); "> </SPAN><SPAN class="Apple-tab-span" style="white-space:pre; color: rgb(0, 0, 221); "> </SPAN>$_POST[$field] = $value;</DIV><DIV style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; ; color: rgb(0, 0, 221); "><SPAN class="Apple-tab-span" style="white-space:pre"> </SPAN>}</DIV><DIV><SPAN class="Apple-tab-span" style="white-space:pre"> </SPAN>}</DIV><DIV><BR class="khtml-block-placeholder"></DIV><DIV><BR class="khtml-block-placeholder"></DIV><DIV>I'm not exactly sure what line </DIV><DIV style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; "><SPAN class="Apple-tab-span" style="white-space:pre; color: rgb(0, 0, 221); "> </SPAN><SPAN class="Apple-tab-span" style="white-space:pre; color: rgb(0, 0, 221); "> </SPAN><SPAN class="Apple-tab-span" style="white-space:pre; color: rgb(0, 0, 221); "> </SPAN>$value = preg_replace('/\\{(\\w+)\\}/e', "\$_POST[$1]", $value);</DIV><DIV>is doing with the "\$_POST[$1]" value -- you may want to change that too? It's too early for me to really parse the code, sorry. But it's one line I think you said worked....</DIV><DIV><BR class="khtml-block-placeholder"></DIV><BLOCKQUOTE type="cite"></BLOCKQUOTE></DIV><BR><DIV>Crisses</DIV></BODY></HTML>