[geeklog-devel] code scrubbing: stripslashes
Joe Mucchiello
joe at ThrowingDice.com
Sat Aug 11 14:56:55 EDT 2007
[preamble]The list was quiet when I started writing this. But I don't
want to put it off so....[/preamble]
Well, I'm actively programming Geeklog again and so a bunch of my
issues have risen again. Code cleanup returns. This is just one of
several emails I'll send on this. I want to start with my favorite
whipping boy: stripslashes.
I propose a change to lib_common.php. Before everything else:
-------------------
// since most installs leave magic quotes off, this is a no-op.
// array_map (not array_filter, which only filters by the callback's
// return value) applies stripslashes to every value; the helper
// (name chosen here) recurses into nested request arrays such as x[].
function _gpc_stripslashes($value) {
    return is_array($value)
        ? array_map('_gpc_stripslashes', $value)
        : stripslashes($value);
}
if (get_magic_quotes_gpc() == 1) {
    $_POST    = array_map('_gpc_stripslashes', $_POST);
    $_GET     = array_map('_gpc_stripslashes', $_GET);
    $_COOKIE  = array_map('_gpc_stripslashes', $_COOKIE);
    $_REQUEST = array_map('_gpc_stripslashes', $_REQUEST);
}
require_once( '/path/to/geeklog/config.php' );
-------------------
This makes COM_stripslashes become:
-------------------
// DEPRECATED
function COM_stripslashes($str) { return $str; }
-------------------
Reducing the number of calls to get_magic_quotes_gpc() from who knows
how many to 1 should also be a slight speed boost.
The hard part is removing all the calls directly to stripslashes().
The last time I brought this up, it seemed like such an impossible
thing to go through everything and fix. This way, it doesn't seem so
hard. There are 140 direct calls to stripslashes in CVS (as of about
a week ago). That shouldn't be hard to remove. If I write a patch
will someone apply it?
-------------------
On the geeklog Wiki it gives this advice about stripslashes:
http://wiki.geeklog.net/wiki/index.php/StripSlashes
1. When your code is to deal with a value from $_GET, $_POST or
$_COOKIE immediately load it into an internal variable after calling
COM_stripSlashes, this will deal correctly with the value whether or
not Magic Quotes GPC is on or off.
2. Immediately before using a value in SQL, addslashes to it.
3. Immediately after loading a value from SQL, stripslashes on it.
#3 will result in missing characters eventually. The addslashes in #2
gets the text into the database. No extra slashes are actually added
to the text in the database. So when you fetch the data, it is
already equal to what was sent to the database and by calling
stripslashes you modify the original text unintentionally. Of course
with the above changes most of the WIKI article should be removed and
replaced with "DON'T CALL STRIPSLASHES."
----
Joe Mucchiello
Throwing Dice Games
http://www.throwingdice.com
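As an added example (not code from the post above or from Geeklog), the following PHP script models the wiki's steps 2 and 3 with an in-memory array standing in for the database table, and shows which constructed inputs survive the extra stripslashes() after fetch and which lose characters. The names fake_sql_insert, fake_sql_fetch and round_trip are invented for this demonstration.

```php
<?php
// Added example, not code from the original post or from Geeklog.
// A PHP array stands in for the database so this runs without a server.

// A real SQL parser consumes the backslashes that addslashes() added when
// it reads the quoted literal, so the stored bytes equal the original text.
function fake_sql_insert(array &$table, $escaped)
{
    $table[] = stripslashes($escaped);
}

function fake_sql_fetch(array $table, $row)
{
    return $table[$row];
}

// Runs one value through escape -> store -> fetch, then applies the wiki's
// step 3. Returns the fetched value and the value after step 3.
function round_trip($original)
{
    $table = array();
    fake_sql_insert($table, addslashes($original));  // wiki step 2
    $fetched     = fake_sql_fetch($table, 0);
    $after_step3 = stripslashes($fetched);            // wiki step 3
    return array($fetched, $after_step3);
}

// Constructed sample inputs: each contains a character addslashes() escapes.
$samples = array(
    'C:\\temp\\file.txt',   // backslashes
    "O'Reilly",             // single quote
    'say "hi"',             // double quotes
    "a\\'b",                // backslash followed by a quote
);

foreach ($samples as $original) {
    list($fetched, $after_step3) = round_trip($original);
    printf("%-20s fetched==original:%-3s step3==original:%-3s step3=%s\n",
        $original,
        $fetched === $original ? 'yes' : 'no',
        $after_step3 === $original ? 'yes' : 'no',
        $after_step3);
}
```

Values containing only quotes come back unchanged from step 3, while any backslash in the original text is silently dropped, which is the gradual loss the post describes.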