#1 jeskel (Regular Coder, joined Aug 2003, 565 posts)

    safely addslashes even if magic_quotes_gpc is on == array problems.

    Hi

    I use the addslashes() function (among others) to sanitize incoming data. To make sure that the code would be portable on a server with magic_quotes_gpc turned on, I use this bit of code on top of each page dealing with $_GET, $_POST or $_COOKIE:
    PHP Code:
    if ( get_magic_quotes_gpc() ) {
        // array_map() hands every top-level value to stripslashes(), so a
        // nested array such as var[] is passed as an array, not a string
        $_GET    = array_map('stripslashes', $_GET);
        $_POST   = array_map('stripslashes', $_POST);
        $_COOKIE = array_map('stripslashes', $_COOKIE);
    }

    problem: it seems that arrays don't like this solution... I get nasty messages when using the implode() function.

    What would be a better solution? Just using a .htaccess file? But then, what if the site has to be moved to a server not allowing them?

    Thanks in advance for your support.


  • #2 firepages (Super Moderator, Perth Australia, joined May 2002, 4,040 posts)
    you probably want a bit of recursion, though only if you are sure you want ALL the _REQUEST data sanitized..

    PHP Code:
    <?php
    $_REQUEST['this'] = "hello' innit";
    $_REQUEST['that'] = array( "hello' innit", array( "greblit's" ) );

    // walk the array by reference: recurse into sub-arrays, escape the leaves
    function cleanup( &$mixed ){
        foreach( $mixed as $k=>$v ){
            if( is_array($v) ){
                cleanup($mixed[$k]);
            }else{
                // mysql_escape_string() was removed in PHP 7.0 together with
                // the mysql extension; mysqli_real_escape_string() or bound
                // parameters are the replacements
                $mixed[$k] = mysql_escape_string( $v ) ;
            }
        }
    }

    cleanup($_REQUEST);
    print_r($_REQUEST);
    ?>
    resistance is...

    MVC is the current buzz in web application architectures. It comes from event-driven desktop application design and doesn't fit into web application design very well. But luckily nobody really knows what MVC means, so we can call our presentation layer separation mechanism MVC and move on. (Rasmus Lerdorf)

  • #3 jeskel (Regular Coder)
    thanks a lot

    I won't have time to give it a try before this weekend so... if you don't have news by Monday, it means that everything is ok

    thanks again.

  • #4 jeskel (Regular Coder)
    I am not sure if I correctly understood the use of this function, but I'm a bit slow sometimes

    Let's take this example:
    PHP Code:
    <input type="hidden" name="var[]" value="<?=$row['varID']?>" />
    within a loop displaying all the vars.

    Now let's say that I want to delete a few lines:
    PHP Code:
    // the hidden inputs above are named var[], so they arrive as $_POST['var']
    $varID  = addslashes(implode(", ", $_POST["var"]));
    $userID = $_SESSION['userID'];

    $sql = "DELETE FROM table
            WHERE varID IN (" . $varID . ")
            and userID = $userID";

    I am adding slashes to sanitize incoming data. But what if magic_quotes_gpc was on on another server? The above code would not be portable.

    Therefore, I use the superglobals stripslashes() trick to solve this problem, which causes problems with arrays.
    PHP Code:
    if ( get_magic_quotes_gpc() ) {
        $_POST = array_map('stripslashes', $_POST);
    }

    As far as I understand your function, it just checks if it has to add slashes or not. But I will need to sanitize array elements anyway.

    hum... I hope that I am clear but I guess I am not
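    The DELETE in this post is the place where the choice of escaping function matters most, so here is an added example (not code from the thread) that runs the post's string-building approach and a parameterised replacement against an in-memory SQLite table. The table name vars, the columns varID and userID, the seeded rows and the submitted values are all constructed for the demonstration (the post's table name "table" is a reserved word, hence the rename); build_delete_addslashes() and delete_vars() are helpers introduced here. The point it makes: addslashes() only rewrites quotes, backslashes and NUL, and an IN (...) list is not inside quotes, so a submitted "id" containing a parenthesis and an OR passes through untouched and turns the statement into one that matches every row, while the bound version refuses the value outright.

```php
<?php
// Added example, not from the thread. Requires the pdo_sqlite extension.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE vars (varID INTEGER, userID INTEGER)');

function seed(PDO $pdo): void {
    $pdo->exec('DELETE FROM vars');
    // constructed rows: user 1 owns ids 1-3, user 2 owns ids 4-5
    $pdo->exec('INSERT INTO vars VALUES (1,1),(2,1),(3,1),(4,2),(5,2)');
}

// The post's approach: implode the submitted ids and addslashes() the result.
// addslashes() only touches ' " \ and NUL; the IN (...) list is not inside
// quotes, so a value with parentheses and spaces passes through unchanged.
function build_delete_addslashes(array $ids, int $userId): string {
    $list = addslashes(implode(', ', $ids));
    return "DELETE FROM vars WHERE varID IN ($list) AND userID = $userId";
}

// Hardened version: every id must be a string of digits (fail closed on
// anything else), and the whole list goes through bound placeholders, so the
// values never become part of the SQL text.
function delete_vars(PDO $pdo, array $ids, int $userId): int {
    $clean = [];
    foreach ($ids as $id) {
        if (!is_string($id) || preg_match('/\A[0-9]+\z/', $id) !== 1) {
            throw new InvalidArgumentException(
                'rejected non-numeric id: ' . var_export($id, true)
            );
        }
        $clean[] = (int) $id;
    }
    if ($clean === []) {
        return 0;
    }
    $marks = implode(', ', array_fill(0, count($clean), '?'));
    $stmt  = $pdo->prepare("DELETE FROM vars WHERE varID IN ($marks) AND userID = ?");
    $stmt->execute(array_merge($clean, [$userId]));
    return $stmt->rowCount();
}

// Constructed $_POST['var'] from a tampered form: the second "id" closes the
// IN list and appends an always-true condition.
$tampered = ['1', '2) OR 1=1 OR (0'];

seed($pdo);
$sql = build_delete_addslashes($tampered, 1);
echo $sql, "\n";
echo 'addslashes version deleted ', $pdo->exec($sql), " of 5 rows\n";

seed($pdo);
try {
    delete_vars($pdo, $tampered, 1);
} catch (InvalidArgumentException $e) {
    echo 'bound version: ', $e->getMessage(), "\n";
}
echo 'bound version deleted ', delete_vars($pdo, ['1', '2'], 1), " of 5 rows\n";
```

    The userID comparison is bound as well: the session value is trusted, but binding it costs nothing and keeps the query text free of interpolation entirely.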

  • #5 firepages (Super Moderator)
    Hi, my function checks nothing apart from the existence of arrays; it simply addslashes() (or in that code mysql_escape_string()'s) all $_REQUEST data recursively. In other words, if there is an array in the $_REQUEST data (var[] in your example) it digs into that array as well; if there is an array within that, same again, etc.

    So the only difference between it and array_map() is that it is recursive. As you note, you should however wrap that code in a check for the current magic_quotes setting...

    In fact there may even be a recursive array callback function; I just don't know if there is, or which one it is.

    PHP Code:
    <?php
    function cleanup( &$mixed ){
        foreach( $mixed as $k=>$v ){
            if( is_array($v) ){
                /*an array ? run cleanup() on it*/
                cleanup($mixed[$k]);
            }else{
                $mixed[$k] = mysql_escape_string( $v ) ;
            }
        }
    }

    /* only escape here if PHP has not already done it via magic quotes */
    if ( !get_magic_quotes_gpc() ) {
        cleanup( $_POST ) ;
    }
    ?>
    Last edited by firepages; 06-07-2004 at 11:55 AM.

  • #6 jeskel (Regular Coder)
    ok I think I got it this time. Thanks a lot for your great help. As my main concern was portability and I have already taken care of adding slashes to all incoming vars, my task will be to strip slashes if magic_quotes_gpc is on. So would it be a good idea to use your function this way, stripping slashes instead of adding them?
    PHP Code:
    function cleanup( &$mixed ){
        foreach( $mixed as $k=>$v ){
            if( is_array($v) ){
                /*an array ? run cleanup() on it*/
                cleanup($mixed[$k]);
            }else{
                $mixed[$k] = stripslashes( $v ) ;
            }
        }
    }

    /* undo magic quotes so that the later addslashes() escapes exactly once */
    if ( get_magic_quotes_gpc() ) {
        cleanup( $_POST ) ;
    }

    does it sound good? Is there something evil that I will spot in the future, when it will be too late?
    once again, thanks for your support.

    edit: note that from now on I will clean my vars using your first example. I thought that having magic_quotes_gpc turned on was weaker than using addslashes (and even weaker than mysql_escape_string since it takes care of more stuff). Do magic_quotes_gpc and addslashes perform the exact same task with the same efficiency?
    Last edited by jeskel; 06-07-2004 at 07:48 PM.
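    Posts #2, #5 and #6 all circle the same need, a recursive walk over the request array, so here is one added example (not code from the thread) that puts the flat array_map() failure from the first post beside two recursive replacements: a hand-written walk in the spirit of cleanup(), and array_walk_recursive(), which is the built-in recursive callback firepages could not name. The $sample array is constructed to look like what magic_quotes_gpc=On would have produced for a form with a var[] field; flat_strip(), strip_magic_quotes(), strip_magic_quotes_walk() and magic_quotes_applied() are helpers introduced here, and the last one exists because get_magic_quotes_gpc() no longer exists in PHP 8.

```php
<?php
// Added example, not code from the thread. Undoes magic_quotes_gpc on a whole
// request array, including nested arrays such as var[] fields, which is
// exactly where the flat array_map() version from the first post breaks.

// Constructed sample of what PHP 5.x with magic_quotes_gpc=On would place in
// $_POST for  name=O'Reilly&var[]=1&var[]=2&meta[note]=it's
// (every quote already backslashed before the script sees it).
$sample = [
    'name' => "O\\'Reilly",
    'var'  => ['1', '2'],
    'meta' => ['note' => "it\\'s"],
];

// The first post's approach. stripslashes() receives the nested array 'var':
// a warning (and a null element) in PHP 7, a TypeError in PHP 8.
function flat_strip(array $data): ?array {
    try {
        return array_map('stripslashes', $data);
    } catch (TypeError $e) {
        echo 'array_map version failed: ', $e->getMessage(), "\n";
        return null;
    }
}

// Recursive version in the spirit of cleanup(): arrays are walked, strings
// are unescaped, anything else (ints, bools, null) is left untouched.
function strip_magic_quotes(array $data): array {
    foreach ($data as $key => $value) {
        if (is_array($value)) {
            $data[$key] = strip_magic_quotes($value);
        } elseif (is_string($value)) {
            $data[$key] = stripslashes($value);
        }
    }
    return $data;
}

// The built-in recursive callback firepages was thinking of:
// array_walk_recursive() visits every leaf and lets a by-reference callback
// rewrite it in place.
function strip_magic_quotes_walk(array $data): array {
    array_walk_recursive($data, function (&$leaf): void {
        if (is_string($leaf)) {
            $leaf = stripslashes($leaf);
        }
    });
    return $data;
}

// Only undo what PHP actually did. get_magic_quotes_gpc() was removed in
// PHP 8.0 (magic quotes themselves in 5.4), so guard the call; the @ hides
// the deprecation notice PHP 7.4 raises for it.
function magic_quotes_applied(): bool {
    return function_exists('get_magic_quotes_gpc') && @get_magic_quotes_gpc();
}

// At the top of a request handler: normalise once, then escape per sink.
$post = magic_quotes_applied() ? strip_magic_quotes($_POST) : $_POST;

// Demonstration on the constructed sample instead of a live request.
flat_strip($sample);
print_r(strip_magic_quotes($sample));
var_dump(strip_magic_quotes($sample) === strip_magic_quotes_walk($sample));
```

    Both recursive helpers return a new array rather than taking a reference, so they can be dropped in front of any superglobal without the by-reference foreach pitfalls of the posted cleanup(); run the file once under PHP 7 and once under PHP 8 to see the two different failure modes of the flat version.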

  • #7 firepages (Super Moderator)
    Hi, yes, if magic_quotes are on then internally PHP performs an addslashes() on the data, so they do exactly the same job.

    The possible evilness is when your GPC data is for parsing and not for, say, database insertion, e.g. string operations on escaped data may or may not work as expected (though mostly this is not an issue). When you add an escaped string into the DB the escape char '\' is not actually inserted into the DB (but does stop any errors); until that point, however, you may need to account for the extra '\'s that may be in your string data. Mostly they too will be ignored, but not always, e.g. in eval()s etc.
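    To make the "extra backslashes" in the reply above concrete, here is an added example (not code from the thread) that follows one value through the layers: PHP's own magic-quotes pass, the script's addslashes(), and what a MySQL string literal keeps after one layer of escaping is consumed. magic_quotes_layer() and db_stores() are stand-ins introduced here (stripslashes() models the literal parser because it reverses exactly what addslashes() produced); the input string is constructed. The closing lines show the remedy, keeping the raw value and escaping at each sink with that sink's rules, using an in-memory SQLite connection to show that not every database even uses backslash escaping.

```php
<?php
// Added example, not code from the thread. Follows one value through the
// escaping layers to show where the extra backslashes come from, which ones
// reach the database, and why the raw value should be kept and escaped
// per sink instead.

// What PHP itself did to GPC data with magic_quotes_gpc=On (PHP < 5.4):
// an addslashes() pass before the script runs.
function magic_quotes_layer(string $raw): string {
    return addslashes($raw);
}

// Stand-in for a MySQL string-literal parser: one layer of backslash escapes
// is consumed (\' becomes ', \\ becomes \). stripslashes() reverses exactly
// the characters addslashes() produced, so it models that step here.
function db_stores(string $literal): string {
    return stripslashes($literal);
}

// Constructed input containing both characters addslashes() rewrites.
$raw = "O'Reilly \\ Sons";

// Magic quotes off: the script escapes once before building the query.
$once = addslashes($raw);
// Magic quotes on and the script escapes again without stripslashes() first.
$twice = addslashes(magic_quotes_layer($raw));

$trace = [
    'raw'              => $raw,
    'escaped once'     => $once,
    'escaped twice'    => $twice,
    'db keeps (once)'  => db_stores($once),
    'db keeps (twice)' => db_stores($twice),
];
foreach ($trace as $label => $value) {
    printf("%-18s %s\n", $label, $value);
}

// The "parsing, not inserting" case: the escaped copy is a different string,
// so comparisons and lengths computed on it are not about the user's data.
var_dump($once === $raw);
var_dump(strlen($twice) - strlen($raw));

// Remedy: keep $raw untouched and escape at each sink with that sink's rules.
// HTML output has its own escaping...
echo htmlspecialchars($raw, ENT_QUOTES, 'UTF-8'), "\n";
// ...and so does each database driver: SQLite doubles the quote and leaves
// the backslash alone, which addslashes() would get wrong for this backend.
$pdo = new PDO('sqlite::memory:');
echo $pdo->quote($raw), "\n";
```

    The "db keeps (twice)" line is the stored literal with a backslash the user never typed, which is the evilness the reply warns about; it only goes away if the magic-quotes layer is undone at the entry point, after which every sink sees the same raw string and applies its own escaping exactly once.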

