[geeklog-devel] code scrubbing: stripslashes

Vincent Furia vfuria at gmail.com
Sun Sep 16 05:17:48 EDT 2007


Joe,

Just out of curiosity, have you done any timing comparisons to see if
this has an impact on performance (either for good or ill)?

-Vinny

On 9/15/07, Joe Mucchiello <joe at throwingdice.com> wrote:
> At 04:44 AM 8/13/2007, Michael Jervis wrote:
> >I think the /concept/ is right, doing an auto-and-correct stripslashes
> >on all HTTP globals on start of the page. Obviously as noted the
> >implementation is incorrect.
> >
> >Should be reasonably easy to clean up everything.
>
> Okay, here's what I've come up with and I did test it on my hosted
> website under GL1.4.1 with magic quotes on under
> Linux/Apache/MySQL/PHP4. I tested it with the polls plugin mostly as
> I knew that used arrays in POSTed forms.
>
> I placed this code right after the 'have_pear' code in
> lib-common.php. Alternatively, it could be placed right after the timer start.
>
> if (get_magic_quotes_gpc() == 1) {
>      if (!function_exists('array_walk_recursive')) {
>          require_once 'PHP/Compat.php';
>          PHP_Compat::loadFunction('array_walk_recursive');
>      }
>      $_STRIP_SLASHES = create_function('&$v,$k', '$v = stripslashes($v);');
>      array_walk_recursive($_POST, $_STRIP_SLASHES);
>      array_walk_recursive($_GET, $_STRIP_SLASHES);
>      array_walk_recursive($_REQUEST, $_STRIP_SLASHES);
>      array_walk_recursive($_COOKIE, $_STRIP_SLASHES);
>      unset($_STRIP_SLASHES);
> }
>
> And of course you must do this:
>
> function COM_stripslashes($text)
> {
>      return $text;
> }
>
> And if you like, update COM_applyFilter() and COM_checkHTML() too so
> that at least lib-common is fixed.
>
> >Only problem is if someone badly upgrades their lib-common.php when
> >upgrading, they may have a gaping hole in their security...
>
> If this is a real concern, rather than unsetting the $_STRIP_SLASHES
> variable at the end of the if, check for it in lib-security or lib-session:
>
> if (get_magic_quotes_gpc() == 1 AND !isset($_STRIP_SLASHES)) {
>      die('Your lib-common.php is not up to date.');
> }
>
> ----
> Joe Mucchiello
> Throwing Dice Games
> http://www.throwingdice.com
>
> _______________________________________________
> geeklog-devel mailing list
> geeklog-devel at lists.geeklog.net
> http://eight.pairlist.net/mailman/listinfo/geeklog-devel
>
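The snippet quoted above undoes magic_quotes_gpc with array_walk_recursive(), which visits values only, and it relies on COM_stripslashes() being neutered so the request is not stripped a second time. The following is an added example written for this page, not Geeklog code and not Joe's patch; the function names undoMagicQuotes() and stripSlashesDeep() and the sample POST array are constructed for illustration. It walks keys as well as values (magic_quotes_gpc escaped array keys too, which is why PHP's own manual example for disabling it rewrites the keys), guards against being applied twice with a static flag, and shows on constructed data what a second strip does to a legitimate backslash.

```php
<?php
// Added example, not part of Geeklog or the original thread.
// Hypothetical names: stripSlashesDeep(), undoMagicQuotes().
// Runs on PHP 4 through PHP 8; on PHP 8 get_magic_quotes_gpc() no longer
// exists, so undoMagicQuotes() simply does nothing.

/**
 * Strip one level of addslashes() escaping from every string key and
 * value in $data, recursing into nested arrays. Keys are handled because
 * magic_quotes_gpc escaped them too; array_walk_recursive() cannot reach
 * them.
 */
function stripSlashesDeep($data)
{
    $clean = array();
    foreach ($data as $key => $value) {
        if (is_string($key)) {
            $key = stripslashes($key);
        }
        if (is_array($value)) {
            $clean[$key] = stripSlashesDeep($value);
        } elseif (is_string($value)) {
            $clean[$key] = stripslashes($value);
        } else {
            $clean[$key] = $value;
        }
    }
    return $clean;
}

/**
 * Undo magic quotes on the request superglobals exactly once per request.
 * The static flag is the idempotence guard: if a plugin (or an old
 * COM_stripslashes()) calls this again, it is a no-op instead of a second,
 * data-destroying strip. Returns true only when stripping was performed.
 */
function undoMagicQuotes()
{
    static $done = false;
    if ($done) {
        return false;
    }
    $done = true;
    if (!function_exists('get_magic_quotes_gpc') || !get_magic_quotes_gpc()) {
        return false;
    }
    $_GET     = stripSlashesDeep($_GET);
    $_POST    = stripSlashesDeep($_POST);
    $_COOKIE  = stripSlashesDeep($_COOKIE);
    $_REQUEST = stripSlashesDeep($_REQUEST);
    return true;
}

// --- demonstration on constructed data -----------------------------------
// What magic_quotes_gpc would have produced from a POST of
//   answer[O'Brien]=C:\temp   and   comment=It's "quoted"
// (PHP single-quoted literals: '\\' is one backslash, '\'' is one quote).
$escapedPost = array(
    'answer'  => array("O\\'Brien" => 'C:\\\\temp'),
    'comment' => 'It\\\'s \\"quoted\\"',
);

$once  = stripSlashesDeep($escapedPost);   // what the startup strip does
$twice = stripSlashesDeep($once);          // what a leftover stripslashes() does

$checks = array(
    'key unescaped once'          => isset($once['answer']["O'Brien"]),
    'backslash in path preserved' => $once['answer']["O'Brien"] === 'C:\\temp',
    'quotes in comment restored'  => $once['comment'] === 'It\'s "quoted"',
    'second strip loses backslash'=> $twice['answer']["O'Brien"] === 'C:temp',
);
foreach ($checks as $label => $ok) {
    echo ($ok ? 'PASS' : 'FAIL') . ': ' . $label . "\n";
}

// In lib-common.php this single call would replace the inline block:
undoMagicQuotes();
```

The last check is the reason the thread insists COM_stripslashes() must become a pass-through once the global strip is in place: with both active, every backslash a user legitimately submitted disappears, and a value such as `\'` arrives as a bare `'`. The static flag makes the double call harmless, which is a cheaper safety net than the die() check on a marker variable, but the two are compatible and a stale lib-common.php still deserves the loud failure.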
