PHP Developers Network

A community of PHP developers offering assistance, advice, discussion, and friendship.
 
PostPosted: Mon Apr 21, 2008 8:01 am 
DevNet Resident

Joined: Sun Sep 03, 2006 5:19 am
Posts: 1579
Location: Sofia, Bulgaria
Sam, your code is wrong:

It's missing $_COOKIE.
It's recursive.
It's using array_walk_recursive() despite that it's recursive.
It's missing checks for other magic_quote behaviour settings.
It's using foreach.

Some of these things affect the other proposed solutions as well. I'm amazed no one has come up with the One Correct Solution To End All Solutions yet.


 
PostPosted: Wed Apr 23, 2008 8:46 am 
DevNet Master

Joined: Mon Oct 25, 2004 9:29 pm
Posts: 3698
Location: New Jersey, US
If I remember correctly, it's easy enough to fix magic_quotes_gpc for a flat array. From there, it gets a little wanky; according to this comment it varies between PHP4 and PHP5, as well as whether it's top-level or not.


 
PostPosted: Fri May 02, 2008 2:29 pm 
Forum Contributor

Joined: Sun May 07, 2006 5:19 am
Posts: 101
Here's my general purpose quotes cleaner. Accounts for both gpc and sybase (although I've made the sybase part of the code just by looking at the docs, haven't tested it, mainly because I can't get magic_quotes_sybase to work on my xampp installation in the first place :( )

Anyway so here it is:

<?php
function clean_quotes_gpc(&$stuff)
{
    if( is_array($stuff) )
    {
        array_walk($stuff,'clean_quotes_gpc');
    }
    else
    {
        $stuff = stripslashes($stuff);
    }
}
 
function clean_quotes_sybase(&$stuff)
{
    if( is_array($stuff) )
    {
        array_walk($stuff,'clean_quotes_sybase');
    }
    else
    {      
        $stuff = str_replace("''","'",$stuff);
    }
}
 
function clean_request_vars()
{
    $arrays = array( '_GET', '_POST', '_REQUEST', '_COOKIE' );
    if( ini_get('magic_quotes_sybase') == '1' )
    {
        foreach($arrays as $array)
        {
            global $$array;
            clean_quotes_sybase($$array);
        }
    }
    else if (get_magic_quotes_gpc())
    {
        foreach($arrays as $array)
        {
            global $$array;
            clean_quotes_gpc($$array);
        }
    }
}
 
clean_request_vars();
?>


I don't think there is any need to account for magic_quotes_runtime because that can be set off at runtime.


 
PostPosted: Mon May 19, 2008 9:00 am 
DevNet Master

Joined: Mon Sep 19, 2005 6:24 am
Posts: 3587
Location: London
You don't need to use the global keyword. $_GET/POST/etc. arrays are already super globals.


 
PostPosted: Fri May 23, 2008 4:35 am 
Forum Contributor

Joined: Sun May 07, 2006 5:19 am
Posts: 101
Jenk wrote:
You don't need to use the global keyword. $_GET/POST/etc. arrays are already super globals.


Not when you use them as variable variables.

function foo()
{
    $get = '_GET';
    var_dump($$get); // NULL
}


 
PostPosted: Fri May 30, 2008 12:32 pm 
DevNet Master

Joined: Mon Sep 19, 2005 6:24 am
Posts: 3587
Location: London
Then why not just do:
$arrays = array( $_GET, $_POST, $_REQUEST, $_COOKIE );


 
PostPosted: Fri May 30, 2008 3:31 pm 
Site Administrator

Joined: Sun May 19, 2002 10:24 pm
Posts: 6883
I am surprised this thread is still alive. This is all I use. Never had a problem with it.

 
function stripslashes_deep($value)
{
    return is_array($value) ? array_map('stripslashes_deep', $value) : stripslashes($value);
}
 
// disable magic quotes..
if (get_magic_quotes_gpc()) {
    $_POST    = array_map('stripslashes_deep', $_POST);
    $_GET     = array_map('stripslashes_deep', $_GET);
    $_COOKIE  = array_map('stripslashes_deep', $_COOKIE);
}
 

 
PostPosted: Sat May 31, 2008 7:22 am 
Forum Contributor

Joined: Sun May 07, 2006 5:19 am
Posts: 101
Jenk wrote:
Then why not just do:
$arrays = array( $_GET, $_POST, $_REQUEST, $_COOKIE );


Won't that create a copy of $_GET, etc. so if I stripslashes() on it, it won't reflect the original global arrays (I think).

astions: Small and simple, I like. The only reason mine was longer is because it accounted for magic_quotes_sybase also.


 
PostPosted: Sat May 31, 2008 7:57 am 
DevNet Master

Joined: Thu Oct 06, 2005 3:57 pm
Posts: 3360
astions wrote:
I am surprised this thread is still alive. This is all I use. Never had a problem with it.

 
function stripslashes_deep($value)
{
    return is_array($value) ? array_map('stripslashes_deep', $value) : stripslashes($value);
}
 
// disable magic quotes..
if (get_magic_quotes_gpc()) {
    $_POST    = array_map('stripslashes_deep', $_POST);
    $_GET     = array_map('stripslashes_deep', $_GET);
    $_COOKIE  = array_map('stripslashes_deep', $_COOKIE);
}
 

I'm not sure, but isn't it possible to crash PHP if someone would supply a very deep multidimensional array?

$str = str_repeat("[]", 100000);
file_get_contents("http://yoursite.com/script.php?foo={$str}");
 

That's at least what Ilia says in his book and why he advises this function, which flattens the input array:
 
if (get_magic_quotes_gpc()) {
        $input = array(&$_GET, &$_POST, &$_COOKIE, &$_ENV, &$_SERVER);
        while (list($k,$v) = each($input)) {
                foreach ($v as $key => $val) {
                        if (!is_array($val)) {
                                $input[$k][$key] = stripslashes($val);
                                continue;
                        }
                        $input[] =& $input[$k][$key];
                }
        }
        unset($input);
}
 


 
PostPosted: Sat May 31, 2008 9:35 am 
Site Administrator

Joined: Sun May 19, 2002 10:24 pm
Posts: 6883
The below line:

 
$_POST = array_map('stripslashes_deep_test', $_POST);
 


Will crash Apache with an array 510 levels deep. 509 is ok.

Here is the test code. Your results may vary.

 
$depth = 510;
$_POST = array();
$string = '';
 
for ($i = 0; $i < $depth; $i++)
{
    $string .= "['0']";
    eval("\$_POST{$string} = array(0);");
}
 
function stripslashes_deep_test($value)
{
    // Recurse into nested arrays; strip slashes from scalar leaves.
    return is_array($value) ? array_map('stripslashes_deep_test', $value) : stripslashes($value);
}
 
// disable magic quotes..
if (true)
{
    $_POST = array_map('stripslashes_deep_test', $_POST);
}
 
echo '<pre style="font-size: 12px;">', print_r($_POST, true), '</pre>';
 
 

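An added example, not code from any poster in this thread: the flattening idea quoted above, generalized to any per-leaf callback and given an explicit depth cap, so that input nested like the 510-level test is rejected rather than walked. `map_leaves()`, `nest()` and the cap of 64 are assumptions, and PHP 7 or later is assumed.

```php
<?php
// Added example, not code from the thread. map_leaves() and nest() are
// hypothetical names; the sample input is constructed. Assumes PHP 7+.

/**
 * Apply $fn to every string leaf of a nested array without recursion.
 * The work list lives on the heap, so depth cannot exhaust the call stack,
 * and input nested deeper than $maxDepth is rejected. 64 is an assumed cap,
 * the same value as the default of PHP's max_input_nesting_level setting.
 */
function map_leaves(array $input, callable $fn, int $maxDepth = 64): array
{
    $queue = [[&$input, 1]];            // [reference to array, its depth]
    for ($i = 0; $i < count($queue); $i++) {
        $node  = &$queue[$i][0];
        $depth = $queue[$i][1];
        foreach ($node as $key => $val) {
            if (is_array($val)) {
                if ($depth >= $maxDepth) {
                    throw new LengthException("input nested deeper than $maxDepth levels");
                }
                $queue[] = [&$node[$key], $depth + 1];  // visit later, in place
            } elseif (is_string($val)) {
                $node[$key] = $fn($val);
            }
        }
        unset($node);                   // drop the reference before rebinding
    }
    unset($queue);                      // release the references into $input
    return $input;
}

// Build an array $levels deep with a plain loop (constructed input).
function nest(int $levels): array
{
    $a = ['leaf' => "O\\'Reilly"];
    for ($i = 1; $i < $levels; $i++) {
        $a = [$a];
    }
    return $a;
}

$sample = ['name' => "O\\'Reilly", 'tags' => ['a\\"b', ['path' => 'c\\\\d']], 'n' => 5];
print_r(map_leaves($sample, 'stripslashes'));
try {
    map_leaves(nest(1000), 'stripslashes');
} catch (LengthException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";
}
```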
 
PostPosted: Mon Feb 18, 2013 6:12 am 
Tranquility In Moderation

Joined: Sun Feb 06, 2005 8:18 pm
Posts: 5001
Location: Indiana
Oh, wow. Is there a rule here against rehashing old threads?

I came back to this thread because I was working on a new project that had a similar function but didn't do it recursively and I wanted to update it with mine. Then I found the function I'm using on a different project.

Anyways, I've been using this for a long time (since after this thread I started, obviously).

function func_stripGPC($arr)
{
        if (is_array($arr))
        {
                foreach ($arr AS $k => $v)
                {
                        $arr[$k] = func_stripGPC($v);
                }
        } else
        {
                $arr = stripslashes($arr);
        }
               
        return $arr;
}

$magicQuotesGPC = function_exists('get_magic_quotes_gpc') ? get_magic_quotes_gpc() : false;
$magicQuotesSybase = (bool) strtolower(ini_get('magic_quotes_sybase'));

if ($magicQuotesGPC || $magicQuotesSybase)
{
        foreach (array('_GET', '_POST', '_COOKIE') AS $sg)
        {
                ${$sg} = func_stripGPC(${$sg});
        }
}


My question is, doesn't this handle arrays within arrays.. such as multidimensional arrays in post? I assume that it does because it's recursive so I don't understand a few posts above. Also, is there still the Apache bug (I assume it's a bug, if not a limitation) where 510+ levels will crash it?

 
PostPosted: Mon Feb 18, 2013 8:54 am 
Site Administrator

Joined: Sun May 19, 2002 10:24 pm
Posts: 6883
Yeah this post contains information that's out of date.
