[geeklog-devel] code scrubbing: stripslashes

[Joe Mucchiello]

At 04:44 AM 8/13/2007, Michael Jervis wrote:

>I think the /concept/ is right, doing an auto-and-correct stripslashes

>on all HTTP globals on start of the page. Obviously as noted the

>implementation is incorrect.

>

>Should be reasonably easy to clean up everything.


Okay, here's what I've come up with and I did test it on my hosted 
website under GL1.4.1 with magic quotes on under 
Linux/Apache/MySQL/PHP4. I tested it with the polls plugin mostly as 
I knew that used arrays in POSTed forms.

I placed this rcode ight after the 'have_pear" code in 
lib-common.php. Alternatively, it could be placed right after the timer start.

if (get_magic_quotes_gpc() == 1) {
     if (!function_exists('array_walk_recursive')) {
         require_once 'PHP/Compat.php';
         PHP_Compat::loadFunction('array_walk_recursive');
     }
     $_STRIP_SLASHES = create_function('&$v,$k', '$v = stripslashes($v);');
     array_walk_recursive($_POST, $_STRIP_SLASHES);
     array_walk_recursive($_GET, $_STRIP_SLASHES);
     array_walk_recursive($_REQUEST, $_STRIP_SLASHES);
     array_walk_recursive($_COOKIE, $_STRIP_SLASHES);
     unset($_STRIP_SLASHES);
}

And of course you must do this:

function COM_stripslashes($text)
{
     return $text;
}

And if you like, update COM_applyFilter() and COM_checkHTML() too so 
that at least lib-common is fixed.


>Only problem is if someone badly upgrades their lib-common.php when

>upgrading, they may have a gaping hole in their security...


If this is a real concern, rather than unsetting the $_STRIP_SLASHES 
variable at the end of the if, check for it in lib-security or lib-session:

if (get_magic_quotes_gpc() == 1 AND !isset($_STRIP_SLASHES)) {
     die('You lib-common.php is not up to date.');
}

----
Joe Mucchiello
Throwing Dice Games
http://www.throwingdice.com