[geeklog-devel] code scrubbing: stripslashes

Joe Mucchiello joe at ThrowingDice.com
Sat Aug 11 14:56:55 EDT 2007 

[preamble]The list was quiet when I started writing this. But I don't 
want to put it off so....[/preamble]

Well, I'm actively programming Geeklog again and so a bunch of my 
issues have risen again. Code cleanup returns. This is just one of 
several emails I'll send on this. I want to start with my favorite 
whipping boy: stripslashes.

I propose a change to lib_common.php. Before everything else:
-------------------
// since most installs leave magic quotes off, this is a no-op.
if (get_magic_quotes_gpc() == 1) {
     $_POST = array_filter($_POST, 'stripslashes');
     $_GET = array_filter($_GET, 'stripslashes');
     $_COOKIE = array_filter($_COOKIE, 'stripslashes');
     $_REQUEST = array_filter($_REQUEST, 'stripslashes');
}

require_once( '/path/to/geeklog/config.php' );
-------------------

This makes COM_stripslashes become:
-------------------
// DEPRECATED
function COM_stripslashes($str) { return $str; }
-------------------

Reducing the number of calls to get_magic_quotes_gpc() from who know 
how many to 1 should also be a slight speed boost.

The hard part is removing all the calls directly to stripslashes(). 
The last time I brought this up, it seemed like such an impossible 
thing to go through everything and fix. This way, it doesn't seem so 
hard. There are 140 direct calls to stripslashes in CVS (as of about 
a week ago). That shouldn't be hard to remove. If I write a patch 
will someone apply it?

-------------------
On the geeklog Wiki it gives this advice about stripslashes: 
http://wiki.geeklog.net/wiki/index.php/StripSlashes

  1. When your code is to deal with a value from $_GET, $_POST or 
$_COOKIE immediately load it into an internal variable after calling 
COM_stripSlashes, this will deal correctly with the value whether or 
not Magic Quotes GPC is on or off.
  2. Immediately before using a value in SQL, addslashes to it.
  3. Immediately after loading a value from SQL, stripslashes on it.

#3 will result in missing characters eventually. The addslashes in #2 
gets the text into the database. No extra slashes are actually added 
to the text in the database. So when you fetch the data, it is 
already equal to what was sent to the database and by calling 
stripslashes you modify the original text unintentionally. Of course 
with the above changes most of the WIKI article should be removed and 
replaced with "DON'T CALL STRIPSLASHES."

----
Joe Mucchiello
Throwing Dice Games
http://www.throwingdice.com

More information about the geeklog-devel mailing list