[geeklog-devel] code scrubbing: stripslashes
Joe Mucchiello
joe at ThrowingDice.com
Sat Sep 15 14:32:08 EDT 2007
At 04:44 AM 8/13/2007, Michael Jervis wrote:
>I think the /concept/ is right, doing an auto-and-correct stripslashes
>on all HTTP globals on start of the page. Obviously as noted the
>implementation is incorrect.
>
>Should be reasonably easy to clean up everything.
Okay, here's what I've come up with and I did test it on my hosted
website under GL1.4.1 with magic quotes on under
Linux/Apache/MySQL/PHP4. I tested it with the polls plugin mostly as
I knew that used arrays in POSTed forms.
I placed this rcode ight after the 'have_pear" code in
lib-common.php. Alternatively, it could be placed right after the timer start.
if (get_magic_quotes_gpc() == 1) {
if (!function_exists('array_walk_recursive')) {
require_once 'PHP/Compat.php';
PHP_Compat::loadFunction('array_walk_recursive');
}
$_STRIP_SLASHES = create_function('&$v,$k', '$v = stripslashes($v);');
array_walk_recursive($_POST, $_STRIP_SLASHES);
array_walk_recursive($_GET, $_STRIP_SLASHES);
array_walk_recursive($_REQUEST, $_STRIP_SLASHES);
array_walk_recursive($_COOKIE, $_STRIP_SLASHES);
unset($_STRIP_SLASHES);
}
And of course you must do this:
function COM_stripslashes($text)
{
return $text;
}
And if you like, update COM_applyFilter() and COM_checkHTML() too so
that at least lib-common is fixed.
>Only problem is if someone badly upgrades their lib-common.php when
>upgrading, they may have a gaping hole in their security...
If this is a real concern, rather than unsetting the $_STRIP_SLASHES
variable at the end of the if, check for it in lib-security or lib-session:
if (get_magic_quotes_gpc() == 1 AND !isset($_STRIP_SLASHES)) {
die('You lib-common.php is not up to date.');
}
----
Joe Mucchiello
Throwing Dice Games
http://www.throwingdice.com
More information about the geeklog-devel
mailing list