[geeklog-devel] code scrubbing: stripslashes

Aaron Blankstein kantai at gmail.com
Sat Aug 11 15:30:15 EDT 2007


Well first of all there would be a problem for any array variables. You need
to do a stripslashes_deep somewhat like the example at
http://us.php.net/manual/en/security.magicquotes.disabling.php (though the
example itself won't strip slashes from array keys.) Also, anytime the
function parse_str is used, it returns a magicquoted string. I don't know if
it's ever used in GL code, but it would have to be another consideration.

Aaron

On 8/11/07, Oliver Spiesshofer <oliver at spiesshofer.com> wrote:
>
> I do not know if there are implications doing this code to lib_common as
> proposed... anybody else has an opinion on that?
>
> Oliver
>
> Joe Mucchiello wrote:
> > I propose a change to lib_common.php. Before everything else:
> > -------------------
> > // since most installs leave magic quotes off, this is a no-op.
> > if (get_magic_quotes_gpc() == 1) {
> >     // array_map applies stripslashes to each value; array_filter would
> >     // only drop entries instead of unescaping them.
> >     $_POST = array_map('stripslashes', $_POST);
> >     $_GET = array_map('stripslashes', $_GET);
> >     $_COOKIE = array_map('stripslashes', $_COOKIE);
> >     $_REQUEST = array_map('stripslashes', $_REQUEST);
> > }
> >
> > require_once( '/path/to/geeklog/config.php' );
> > -------------------
> >
> > This makes COM_stripslashes become:
> > -------------------
> > // DEPRECATED
> > function COM_stripslashes($str) { return $str; }
> > -------------------
> >
> > Reducing the number of calls to get_magic_quotes_gpc() from who knows
> > how many to 1 should also be a slight speed boost.
> >
> > The hard part is removing all the calls directly to stripslashes().
> > The last time I brought this up, it seemed like such an impossible
> > thing to go through everything and fix. This way, it doesn't seem so
> > hard. There are 140 direct calls to stripslashes in CVS (as of about a
> > week ago). That shouldn't be hard to remove. If I write a patch will
> > someone apply it?
>
> _______________________________________________
> geeklog-devel mailing list
> geeklog-devel at lists.geeklog.net
> http://eight.pairlist.net/mailman/listinfo/geeklog-devel
>
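The one-shot cleanup Joe proposes, extended as Aaron suggests to nested arrays, array keys and parse_str. This is an added example, not Geeklog code or the php.net snippet; it assumes a PHP 5.x runtime where get_magic_quotes_gpc() still exists, and the helper names stripslashes_deep and parse_str_unquoted are hypothetical.

```php
<?php
// Added example (not Geeklog's lib_common.php): recursive unescaping for a
// magic_quotes_gpc=On install. Unlike the php.net example, array keys are
// stripped too, since they arrive escaped just like the values.

function stripslashes_deep($value)
{
    if (!is_array($value)) {
        return is_string($value) ? stripslashes($value) : $value;
    }
    $clean = array();
    foreach ($value as $key => $item) {
        // Integer keys are untouched; string keys lose their added slashes.
        $cleanKey = is_string($key) ? stripslashes($key) : $key;
        $clean[$cleanKey] = stripslashes_deep($item);
    }
    return $clean;
}

// Run once, before config.php and anything else reads the superglobals.
// On the common magic_quotes_gpc=Off install this block is a no-op.
if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
    $_POST    = stripslashes_deep($_POST);
    $_GET     = stripslashes_deep($_GET);
    $_COOKIE  = stripslashes_deep($_COOKIE);
    $_REQUEST = stripslashes_deep($_REQUEST);
}

// parse_str() applies magic_quotes_gpc to its output as well, so any later
// use of it would reintroduce escaped data; this wrapper (hypothetical name)
// returns an unescaped array instead of writing into the caller's scope.
function parse_str_unquoted($queryString)
{
    parse_str($queryString, $result);
    if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
        $result = stripslashes_deep($result);
    }
    return $result;
}

// Constructed sample of what $_POST holds under magic_quotes_gpc=On:
// the key and the nested value both carry backslashes added by PHP.
$sample = array("O\\'Brien" => array('note' => "it\\'s \\\"quoted\\\""));
var_dump(stripslashes_deep($sample));
var_dump(parse_str_unquoted("name=O\\'Brien&tags[]=a&tags[]=b"));
```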