[geeklog-devel] code scrubbing: stripslashes

Aaron Blankstein kantai at gmail.com
Sat Aug 11 15:30:15 EDT 2007


Well first of all there would be a problem for any array variables. You need
to do a stripslashes_deep somewhat like the example at
http://us.php.net/manual/en/security.magicquotes.disabling.php (though the
example itself won't strip slashes from array keys.) Also, anytime the
function parse_str is used, it returns a magicquoted string. I don't know if
it's ever used in GL code, but it would have to be another consideration.

Aaron
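The recursive variant Aaron describes, as an added example that is not code from this thread or from Geeklog: it walks nested request arrays, un-escapes array keys as well as values (the gap he notes in the php.net manual example), and applies the same treatment to the output of parse_str. The guard around get_magic_quotes_gpc() is an assumption for running on later PHP, where the function no longer exists (magic quotes were removed in 5.4 and the function itself in 8.0); the sample input is constructed to mimic what magic_quotes_gpc would have produced.

```php
<?php
// Added example, not from the thread: recursive stripslashes that handles
// nested arrays and also un-escapes array KEYS.
function stripslashes_deep($value)
{
    if (!is_array($value)) {
        // only strings can carry magic-quotes escaping; leave ints/bools alone
        return is_string($value) ? stripslashes($value) : $value;
    }
    $clean = array();
    foreach ($value as $key => $item) {
        // integer keys cannot be escaped; string keys can ("O\'Reilly")
        $cleanKey = is_string($key) ? stripslashes($key) : $key;
        $clean[$cleanKey] = stripslashes_deep($item);
    }
    return $clean;
}

// True only if magic_quotes_gpc was actually on (assumption: guarded so the
// file still parses and runs on PHP 8, where the function was removed).
function magic_quotes_active()
{
    return function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc();
}

// Constructed sample of a nested form submission as magic quotes would have
// escaped it: slashes in a top-level value, in a nested key and in a nested value.
$sample = array(
    "title"   => "O\\'Reilly",
    "opts"    => array("x\\\"y" => "it\\'s", 7 => "plain"),
);
var_dump(stripslashes_deep($sample));
// title => O'Reilly, opts => [ x"y => it's, 7 => plain ]

// Single, central un-escaping of the superglobals (the point of Joe's proposal)
if (magic_quotes_active()) {
    $_GET     = stripslashes_deep($_GET);
    $_POST    = stripslashes_deep($_POST);
    $_COOKIE  = stripslashes_deep($_COOKIE);
    $_REQUEST = stripslashes_deep($_REQUEST);
}

// parse_str caveat: on magic-quotes PHP its output was escaped too, so any
// later call needs the same treatment, which a one-time pass above cannot cover.
parse_str("name=O%27Reilly&tags[]=it%27s", $parsed);
if (magic_quotes_active()) {
    $parsed = stripslashes_deep($parsed);
}
var_dump($parsed);
```

The recursion is what makes the central approach safe for fields like `opts[a][b]`; a flat `array_map('stripslashes', $_POST)` would only touch the top level and would emit a warning when it hits a sub-array, and `array_filter` would not strip anything at all.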

On 8/11/07, Oliver Spiesshofer <oliver at spiesshofer.com> wrote:

>
> I do not know if there are implications doing this code to lib_common as
> proposed... anybody else has an opinion on that?
>
> Oliver
>
> Joe Mucchiello wrote:
> > I propose a change to lib_common.php. Before everything else:
> > -------------------
> > // since most installs leave magic quotes off, this is a no-op.
> > if (get_magic_quotes_gpc() == 1) {
> >     // array_map applies stripslashes to each value; array_filter would only
> >     // drop empty entries and strip nothing (top-level values only here)
> >     $_POST = array_map('stripslashes', $_POST);
> >     $_GET = array_map('stripslashes', $_GET);
> >     $_COOKIE = array_map('stripslashes', $_COOKIE);
> >     $_REQUEST = array_map('stripslashes', $_REQUEST);
> > }
> >
> > require_once( '/path/to/geeklog/config.php' );
> > -------------------
> >
> > This makes COM_stripslashes become:
> > -------------------
> > // DEPRECATED
> > function COM_stripslashes($str) { return $str; }
> > -------------------
> >
> > Reducing the number of calls to get_magic_quotes_gpc() from who knows
> > how many to 1 should also be a slight speed boost.
> >
> > The hard part is removing all the calls directly to stripslashes().
> > The last time I brought this up, it seemed like such an impossible
> > thing to go through everything and fix. This way, it doesn't seem so
> > hard. There are 140 direct calls to stripslashes in CVS (as of about a
> > week ago). That shouldn't be hard to remove. If I write a patch will
> > someone apply it?
>
> _______________________________________________
> geeklog-devel mailing list
> geeklog-devel at lists.geeklog.net
> http://eight.pairlist.net/mailman/listinfo/geeklog-devel
>
