Fou-Lu
07-14-2008, 12:58 AM
* I hope nobody minds this being a tutorial on top of giving code. I do prefer to explain how something works so people who use such code know what it does, and more importantly how it works and why they should use it.
Contents
GPC
magic_quotes_gpc
magic_quotes_runtime
How can this break my code?
How to fix this?
What about _REQUEST?
What we have learned
This is too long, what can I do to shorten it?
GPC
GPC refers to superglobal Get/Post/Cookie. Prior to PHP5, GPC order could be controlled to change the order of these configurations. The order is important as it determines how values are overridden. $_GET['name'] is overridden by $_POST['name'] which in turn is overridden by $_COOKIE['name'].
magic_quotes_gpc
Magic quotes is a builtin directive for PHP to help protect data integrity. The purpose of magic quotes is to escape specific characters: ', ", NULL and \, and helps to protect the integrity of the data. Magic quotes cannot be configured at runtime and is incompatable with database cleaning methods. Its default directive is on.
magic_quotes_runtime
Magic quotes runtime is a builtin directive similar to magic quotes. The runtime functions on incoming data from external data - databases and files for example. Magic quotes runtime can be configured at runtime. Its default directive is off.
How can this break my code?
Magic quotes can damage you're data if used in combination with database cleaning methods (ie: mysql_real_escape_string). This happens since PHP attempts to control you're data by escaping special characters while you also attempt to do the same. Consider a form entry allowing a user to enter their last name. Most names will not create a conflict unless it contains a special character - O'Reilly is a great example of this. Magic quotes will attempt to escape the ' within the name. Before insertion to you're database you also add you're own escaping through mysql_real_escape_string. Here would be the result:
Input: O'Reilly
Magic_quotes: O\'Reilly
mysql_real_escape_string: O\\\'Reilly
How can I fix this?
So what can you do to fix this? Well, you can determine if magic_quotes have been enabled and stripslash each of you're entry fields. I would not recommend the use of stripslashes without verifying the value of magic_quotes_gpc - there are situations where you want to include these characters, such as the above example code. Stripslashes would remove all the escape characters in the above data providing three appearances of the exact same name: O'Reilly.
My recommendation would be to create a strip that's handled and an initialization level - one that takes care of all the data before its ever used. This initialization file can be included into all working scripts to handle these for you. There are several methods of doing this, but the basis is always the same:
Check to see if magic_quotes is enabled
If it is, run you're superglobals through a recursive method taking care of stripslashes. This can be either by reference or by value depending on the working version of PHP.
Lets break this down into steps:
Check to see if magic quotes are enabled. Since PHP 6 will remove magic_quotes, check first if the function exists:
if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc())
Next, lets write the stripslashes function. We'll do it step by step, but I will point out this can be done in a simple single line of code. Step by step is more readable than the condensed version. I prefer adding this function inside the actual check for gpc - no point in wasting memory if its not necessary:
function GPCStrip($arr)
{
The function can be done in several ways. We will do ours the step-by-step way to show what it is doing. The first thing we need to do is determine if the value of $arr is an array, and if it is we will iterate through each item of the array and recursively reassign the values for it:
if (is_array($arr))
{
foreach ($arr AS $arrKey => $arrVal)
{
$arr[$arrKey] = GPCStrip($arrVal);
}
}
Now we need to handle the stripslashes. Since only a string needs to be stripslashed I will use an elseif switch. Please note that you can just stripslash since any primitive data can be stripslashed.
else if (is_string($arr))
{
$arr = stripslashes($arr);
}
And finally we need to return the new value for $arr:
return $arr;
Next we need to actually filter our globals through the newly created function. We will do $_GET, $_POST and $_COOKIE:
$_GET = GPCStrip($_GET);
$_POST = GPCStrip($_POST);
$_COOKIE = GPCStrip($_COOKIE);
Simple right? Good. Now lets do _FILES. These are a little different to handle, specifically the temporary name. Some systems are capable of using \ inside their filenames so we want to account for that in case we happen to get two \ in succession:
if (is_array($_FILES))
{
foreach ($_FILES AS $key => $val)
{
$_FILES[$key]['tmp_name'] = str_replace('\\', '\\\\', $val['tmp_name']);
}
}
$_FILES = GPCStrip($_FILES);
What we have done above is replace any instance of \\ with \\\\. This allows the above function to correctly strip out the additional escaped characters giving us the original in use.
Finally, we want to be lazy and not have to worry about the incoming data being stripslashed. This is handled by the magic_quotes_runtime directive and is generally off. We want to be thorough though so we will also handle that. Like magic_quotes_gpc, magic_quotes_runtime will be removed in PHP 6, so we must check for its existence prior to disabling:
if (function_exists('set_magic_quotes_runtime'))
{
set_magic_quotes_runtime(0);
}
Lets put this all together now:
if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc())
{
function GPCStrip($arr)
{
if (is_array($arr))
{
foreach ($arr AS $arrKey => $arrVal)
{
$arr[$arrKey] = GPCStrip($arrVal);
}
}
else if (is_string($arr))
{
$arr = stripslashes($arr);
}
return $arr;
}
$_GET = GPCStrip($_GET);
$_POST = GPCStrip($_POST);
$_COOKIE = GPCStrip($_COOKIE);
if (is_array($_FILES))
{
foreach ($_FILES AS $key => $val)
{
$_FILES[$key]['tmp_name'] = str_replace('\\', '\\\\', $val['tmp_name']);
}
}
$_FILES = GPCStrip($_FILES);
}
if (function_exists('set_magic_quotes_runtime'))
{
set_magic_quotes_runtime(0);
}
What about _REQUEST?
_REQUEST superglobal is a double edged sword - it is simple to use when either POST or GET is usable, but creates potential dangers with the inclusions and overriding of COOKIE. This is why request needs to be controlled. If you anticipate the use of REQUEST and only plan on using it for form data, chances are you only need to worry about _GET and _POST. With that said, reconstruct your _REQUEST superglobal with only get and post data:
$_REQUEST = array_merge($_GET, $_POST);
Done and done. I do not normally recommend the use of _REQUEST, but once you have some control on it it becomes quite invaluable.
What we have learned
You have just learned how to control two major directives in PHP - magic_quotes_gpc and magic_quotes_runtime. We have also gone over what you need to do in order to clean you're own data without fear of PHP attempting to do the same. PHP is a fantastic language filled with flexibility, but it is not intuitive enough to do this for you.
This is too long, what can I do to shorten it?
You can do many things to shorten this code, depending on the versions available for you're use. The above code will work from PHP 4.2+, and still function in PHP 6 (even though it will not be necessary it will not break you're code).
Things that can be done to shorten the code include:
Use pass by reference techniques
Use array_map to apply this to a function.
With careful uses of the above you can take this entire block of code down into eight lines of code. I will let you explore how to perform this should you want to try.
I hope you all enjoyed and learned something from my little article about stripping you're variables on a global level. Have fun, and keep on coding!
Contents
GPC
magic_quotes_gpc
magic_quotes_runtime
How can this break my code?
How to fix this?
What about _REQUEST?
What we have learned
This is too long, what can I do to shorten it?
GPC
GPC refers to superglobal Get/Post/Cookie. Prior to PHP5, GPC order could be controlled to change the order of these configurations. The order is important as it determines how values are overridden. $_GET['name'] is overridden by $_POST['name'] which in turn is overridden by $_COOKIE['name'].
magic_quotes_gpc
Magic quotes is a builtin directive for PHP to help protect data integrity. The purpose of magic quotes is to escape specific characters: ', ", NULL and \, and helps to protect the integrity of the data. Magic quotes cannot be configured at runtime and is incompatable with database cleaning methods. Its default directive is on.
magic_quotes_runtime
Magic quotes runtime is a builtin directive similar to magic quotes. The runtime functions on incoming data from external data - databases and files for example. Magic quotes runtime can be configured at runtime. Its default directive is off.
How can this break my code?
Magic quotes can damage you're data if used in combination with database cleaning methods (ie: mysql_real_escape_string). This happens since PHP attempts to control you're data by escaping special characters while you also attempt to do the same. Consider a form entry allowing a user to enter their last name. Most names will not create a conflict unless it contains a special character - O'Reilly is a great example of this. Magic quotes will attempt to escape the ' within the name. Before insertion to you're database you also add you're own escaping through mysql_real_escape_string. Here would be the result:
Input: O'Reilly
Magic_quotes: O\'Reilly
mysql_real_escape_string: O\\\'Reilly
How can I fix this?
So what can you do to fix this? Well, you can determine if magic_quotes have been enabled and stripslash each of you're entry fields. I would not recommend the use of stripslashes without verifying the value of magic_quotes_gpc - there are situations where you want to include these characters, such as the above example code. Stripslashes would remove all the escape characters in the above data providing three appearances of the exact same name: O'Reilly.
My recommendation would be to create a strip that's handled and an initialization level - one that takes care of all the data before its ever used. This initialization file can be included into all working scripts to handle these for you. There are several methods of doing this, but the basis is always the same:
Check to see if magic_quotes is enabled
If it is, run you're superglobals through a recursive method taking care of stripslashes. This can be either by reference or by value depending on the working version of PHP.
Lets break this down into steps:
Check to see if magic quotes are enabled. Since PHP 6 will remove magic_quotes, check first if the function exists:
if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc())
Next, lets write the stripslashes function. We'll do it step by step, but I will point out this can be done in a simple single line of code. Step by step is more readable than the condensed version. I prefer adding this function inside the actual check for gpc - no point in wasting memory if its not necessary:
function GPCStrip($arr)
{
The function can be done in several ways. We will do ours the step-by-step way to show what it is doing. The first thing we need to do is determine if the value of $arr is an array, and if it is we will iterate through each item of the array and recursively reassign the values for it:
if (is_array($arr))
{
foreach ($arr AS $arrKey => $arrVal)
{
$arr[$arrKey] = GPCStrip($arrVal);
}
}
Now we need to handle the stripslashes. Since only a string needs to be stripslashed I will use an elseif switch. Please note that you can just stripslash since any primitive data can be stripslashed.
else if (is_string($arr))
{
$arr = stripslashes($arr);
}
And finally we need to return the new value for $arr:
return $arr;
Next we need to actually filter our globals through the newly created function. We will do $_GET, $_POST and $_COOKIE:
$_GET = GPCStrip($_GET);
$_POST = GPCStrip($_POST);
$_COOKIE = GPCStrip($_COOKIE);
Simple right? Good. Now lets do _FILES. These are a little different to handle, specifically the temporary name. Some systems are capable of using \ inside their filenames so we want to account for that in case we happen to get two \ in succession:
if (is_array($_FILES))
{
foreach ($_FILES AS $key => $val)
{
$_FILES[$key]['tmp_name'] = str_replace('\\', '\\\\', $val['tmp_name']);
}
}
$_FILES = GPCStrip($_FILES);
What we have done above is replace any instance of \\ with \\\\. This allows the above function to correctly strip out the additional escaped characters giving us the original in use.
Finally, we want to be lazy and not have to worry about the incoming data being stripslashed. This is handled by the magic_quotes_runtime directive and is generally off. We want to be thorough though so we will also handle that. Like magic_quotes_gpc, magic_quotes_runtime will be removed in PHP 6, so we must check for its existence prior to disabling:
if (function_exists('set_magic_quotes_runtime'))
{
set_magic_quotes_runtime(0);
}
Lets put this all together now:
if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc())
{
function GPCStrip($arr)
{
if (is_array($arr))
{
foreach ($arr AS $arrKey => $arrVal)
{
$arr[$arrKey] = GPCStrip($arrVal);
}
}
else if (is_string($arr))
{
$arr = stripslashes($arr);
}
return $arr;
}
$_GET = GPCStrip($_GET);
$_POST = GPCStrip($_POST);
$_COOKIE = GPCStrip($_COOKIE);
if (is_array($_FILES))
{
foreach ($_FILES AS $key => $val)
{
$_FILES[$key]['tmp_name'] = str_replace('\\', '\\\\', $val['tmp_name']);
}
}
$_FILES = GPCStrip($_FILES);
}
if (function_exists('set_magic_quotes_runtime'))
{
set_magic_quotes_runtime(0);
}
What about _REQUEST?
_REQUEST superglobal is a double edged sword - it is simple to use when either POST or GET is usable, but creates potential dangers with the inclusions and overriding of COOKIE. This is why request needs to be controlled. If you anticipate the use of REQUEST and only plan on using it for form data, chances are you only need to worry about _GET and _POST. With that said, reconstruct your _REQUEST superglobal with only get and post data:
$_REQUEST = array_merge($_GET, $_POST);
Done and done. I do not normally recommend the use of _REQUEST, but once you have some control on it it becomes quite invaluable.
What we have learned
You have just learned how to control two major directives in PHP - magic_quotes_gpc and magic_quotes_runtime. We have also gone over what you need to do in order to clean you're own data without fear of PHP attempting to do the same. PHP is a fantastic language filled with flexibility, but it is not intuitive enough to do this for you.
This is too long, what can I do to shorten it?
You can do many things to shorten this code, depending on the versions available for you're use. The above code will work from PHP 4.2+, and still function in PHP 6 (even though it will not be necessary it will not break you're code).
Things that can be done to shorten the code include:
Use pass by reference techniques
Use array_map to apply this to a function.
With careful uses of the above you can take this entire block of code down into eight lines of code. I will let you explore how to perform this should you want to try.
I hope you all enjoyed and learned something from my little article about stripping you're variables on a global level. Have fun, and keep on coding!