[geeklog-devel] code scrubbing: stripslashes

Joe Mucchiello joe at ThrowingDice.com
Sat Sep 15 14:32:08 EDT 2007


At 04:44 AM 8/13/2007, Michael Jervis wrote:
>I think the /concept/ is right, doing an auto-and-correct stripslashes
>on all HTTP globals on start of the page. Obviously as noted the
>implementation is incorrect.
>
>Should be reasonably easy to clean up everything.

Okay, here's what I've come up with and I did test it on my hosted 
website under GL1.4.1 with magic quotes on under 
Linux/Apache/MySQL/PHP4. I tested it with the polls plugin mostly as 
I knew that used arrays in POSTed forms.

I placed this rcode ight after the 'have_pear" code in 
lib-common.php. Alternatively, it could be placed right after the timer start.

if (get_magic_quotes_gpc() == 1) {
     if (!function_exists('array_walk_recursive')) {
         require_once 'PHP/Compat.php';
         PHP_Compat::loadFunction('array_walk_recursive');
     }
     $_STRIP_SLASHES = create_function('&$v,$k', '$v = stripslashes($v);');
     array_walk_recursive($_POST, $_STRIP_SLASHES);
     array_walk_recursive($_GET, $_STRIP_SLASHES);
     array_walk_recursive($_REQUEST, $_STRIP_SLASHES);
     array_walk_recursive($_COOKIE, $_STRIP_SLASHES);
     unset($_STRIP_SLASHES);
}

And of course you must do this:

function COM_stripslashes($text)
{
     return $text;
}

And if you like, update COM_applyFilter() and COM_checkHTML() too so 
that at least lib-common is fixed.

>Only problem is if someone badly upgrades their lib-common.php when
>upgrading, they may have a gaping hole in their security...

If this is a real concern, rather than unsetting the $_STRIP_SLASHES 
variable at the end of the if, check for it in lib-security or lib-session:

if (get_magic_quotes_gpc() == 1 AND !isset($_STRIP_SLASHES)) {
     die('You lib-common.php is not up to date.');
}

----
Joe Mucchiello
Throwing Dice Games
http://www.throwingdice.com 




More information about the geeklog-devel mailing list