[geeklog-devel] code scrubbing: stripslashes

Vincent Furia vfuria at gmail.com
Sun Sep 16 05:17:48 EDT 2007


Joe,

Just out of curiosity, have you done any timing comparisons to see if
this has an impact on performance (either for good or ill)?

-Vinny

On 9/15/07, Joe Mucchiello <joe at throwingdice.com> wrote:

> At 04:44 AM 8/13/2007, Michael Jervis wrote:
> >I think the /concept/ is right, doing an auto-and-correct stripslashes
> >on all HTTP globals on start of the page. Obviously as noted the
> >implementation is incorrect.
> >
> >Should be reasonably easy to clean up everything.
>
> Okay, here's what I've come up with and I did test it on my hosted
> website under GL1.4.1 with magic quotes on under
> Linux/Apache/MySQL/PHP4. I tested it with the polls plugin mostly as
> I knew that used arrays in POSTed forms.
>
> I placed this code right after the 'have_pear' code in
> lib-common.php. Alternatively, it could be placed right after the timer start.
>

> if (get_magic_quotes_gpc() == 1) {
>     // PHP 4 has no array_walk_recursive(); load it from PEAR's PHP_Compat
>     if (!function_exists('array_walk_recursive')) {
>         require_once 'PHP/Compat.php';
>         PHP_Compat::loadFunction('array_walk_recursive');
>     }
>     // undo the magic_quotes_gpc escaping on every value, nested arrays included
>     $_STRIP_SLASHES = create_function('&$v,$k', '$v = stripslashes($v);');
>     array_walk_recursive($_POST, $_STRIP_SLASHES);
>     array_walk_recursive($_GET, $_STRIP_SLASHES);
>     array_walk_recursive($_REQUEST, $_STRIP_SLASHES);
>     array_walk_recursive($_COOKIE, $_STRIP_SLASHES);
>     unset($_STRIP_SLASHES);
> }

>
> And of course you must do this:
>
> function COM_stripslashes($text)
> {
>     return $text;
> }
>
> And if you like, update COM_applyFilter() and COM_checkHTML() too so
> that at least lib-common is fixed.
>
> >Only problem is if someone badly upgrades their lib-common.php when
> >upgrading, they may have a gaping hole in their security...
>
> If this is a real concern, rather than unsetting the $_STRIP_SLASHES
> variable at the end of the if, check for it in lib-security or lib-session:
>
> if (get_magic_quotes_gpc() == 1 AND !isset($_STRIP_SLASHES)) {
>     die('Your lib-common.php is not up to date.');
> }
>

> ----
> Joe Mucchiello
> Throwing Dice Games
> http://www.throwingdice.com
>
> _______________________________________________
> geeklog-devel mailing list
> geeklog-devel at lists.geeklog.net
> http://eight.pairlist.net/mailman/listinfo/geeklog-devel
>

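As an added illustration of the start-of-page clean-up Joe describes (this is not Joe's code nor Geeklog's; the function names and the `_STRIP_SLASHES_DONE` marker are assumed), a version-independent variant that also unescapes array keys, which magic_quotes_gpc escaped and which array_walk_recursive() never visits, together with the kind of marker a later check in lib-security could test:

```php
<?php
// Added example (not Geeklog's own code): a self-contained stand-in for the
// start-of-page clean-up discussed in the thread. Unlike array_walk_recursive(),
// it also unescapes array keys, which magic_quotes_gpc escaped as well.
// On PHP 8 get_magic_quotes_gpc() no longer exists, so the guard treats that
// as "magic quotes off" and leaves the input untouched.

function magic_quotes_active()
{
    // get_magic_quotes_gpc() was removed in PHP 8; absence means "off".
    return function_exists('get_magic_quotes_gpc') && @get_magic_quotes_gpc();
}

function strip_magic_quotes_deep($data)
{
    if (!is_array($data)) {
        return is_string($data) ? stripslashes($data) : $data;
    }
    $clean = array();
    foreach ($data as $key => $value) {
        $cleanKey = is_string($key) ? stripslashes($key) : $key;
        $clean[$cleanKey] = strip_magic_quotes_deep($value);
    }
    return $clean;
}

// Call once at the start of the page. $GLOBALS['_STRIP_SLASHES_DONE'] (an
// assumed name) plays the role of Joe's $_STRIP_SLASHES marker so that
// lib-security can verify the clean-up really ran before trusting $_REQUEST.
function strip_magic_quotes_from_input()
{
    if (magic_quotes_active()) {
        $_POST    = strip_magic_quotes_deep($_POST);
        $_GET     = strip_magic_quotes_deep($_GET);
        $_COOKIE  = strip_magic_quotes_deep($_COOKIE);
        $_REQUEST = strip_magic_quotes_deep($_REQUEST);
    }
    $GLOBALS['_STRIP_SLASHES_DONE'] = true;
}

// Constructed sample of what a magic-quoted POST looked like: both the key and
// the nested value carry the extra backslashes that must come off exactly once.
$sample = array('answer[O\\\'Brien]' => array('text' => 'it\\\'s \\"fine\\"'));
$clean  = strip_magic_quotes_deep($sample);
assert($clean === array("answer[O'Brien]" => array('text' => 'it\'s "fine"')));
```

Because the data is unescaped exactly once here, the COM_stripslashes() no-op from Joe's message is still required; leaving the old implementation in place would strip legitimate backslashes a second time.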
