removing slashes from magic quotes gpc


Mordred
DevNet Resident
Posts: 1579
Joined: Sun Sep 03, 2006 5:19 am
Location: Sofia, Bulgaria

Re: removing slashes from magic quotes gpc

Post by Mordred »

Sam, your code is wrong:

It's missing $_COOKIE.
It's recursive.
It's using array_walk_recursive() despite that it's recursive.
It's missing checks for other magic_quote behaviour settings.
It's using foreach.

Some of these things affect the other proposed solutions as well. I'm amazed no one has come up with the One Correct Solution To End All Solutions yet.
Ambush Commander
DevNet Master
Posts: 3698
Joined: Mon Oct 25, 2004 9:29 pm
Location: New Jersey, US

Re: removing slashes from magic quotes gpc

Post by Ambush Commander »

If I remember correctly, it's easy enough to fix magic_quotes_gpc for a flat array. From there, it gets a little wanky; according to this comment it varies between PHP4 and PHP5, as well as whether it's top-level or not.
Verminox
Forum Contributor
Posts: 101
Joined: Sun May 07, 2006 5:19 am

Re: removing slashes from magic quotes gpc

Post by Verminox »

Here's my general purpose quotes cleaner. Accounts for both gpc and sybase (although I've made the sybase part of the code just by looking at the docs, haven't tested it, mainly because I can't get magic_quotes_sybase to work on my xampp installation in the first place :( )

Anyway so here it is:

Code: Select all

<?php
function clean_quotes_gpc(&$stuff)
{
    if( is_array($stuff) )
    {
        array_walk($stuff,'clean_quotes_gpc');
    }
    else
    {
        $stuff = stripslashes($stuff);
    }
}
 
function clean_quotes_sybase(&$stuff)
{
    if( is_array($stuff) )
    {
        array_walk($stuff,'clean_quotes_sybase');
    }
    else
    {       
        $stuff = str_replace("''","'",$stuff);
    }
}
 
function clean_request_vars()
{
    $arrays = array( '_GET', '_POST', '_REQUEST', '_COOKIE' );
    if( ini_get('magic_quotes_sybase') == '1' )
    {
        foreach($arrays as $array)
        {
            global $$array;
            clean_quotes_sybase($$array);
        }
    }
    else if (get_magic_quotes_gpc())
    {
        foreach($arrays as $array)
        {
            global $$array;
            clean_quotes_gpc($$array);
        }
    }
}
 
clean_request_vars();
?>
I don't think there is any need to account for magic_quotes_runtime because that can be set off at runtime.
Jenk
DevNet Master
Posts: 3587
Joined: Mon Sep 19, 2005 6:24 am
Location: London

Re: removing slashes from magic quotes gpc

Post by Jenk »

You don't need to use the global keyword. $_GET/POST/etc. arrays are already super globals.
Verminox
Forum Contributor
Posts: 101
Joined: Sun May 07, 2006 5:19 am

Re: removing slashes from magic quotes gpc

Post by Verminox »

Jenk wrote: You don't need to use the global keyword. $_GET/POST/etc. arrays are already super globals.
Not when you use them as variable variables.

Code: Select all

function foo()
{
    $get = '_GET';
    var_dump($$get); // NULL
}
Jenk
DevNet Master
Posts: 3587
Joined: Mon Sep 19, 2005 6:24 am
Location: London

Re: removing slashes from magic quotes gpc

Post by Jenk »

Then why not just do:

Code: Select all

$arrays = array( $_GET, $_POST, $_REQUEST, $_COOKIE );
Benjamin
Site Administrator
Posts: 6935
Joined: Sun May 19, 2002 10:24 pm

Re: removing slashes from magic quotes gpc

Post by Benjamin »

I am surprised this thread is still alive. This is all I use. Never had a problem with it.

Code: Select all

 
function stripslashes_deep($value)
{
    return is_array($value) ? array_map('stripslashes_deep', $value) : stripslashes($value);
}
 
// disable magic quotes..
if (get_magic_quotes_gpc()) {
    $_POST    = array_map('stripslashes_deep', $_POST);
    $_GET     = array_map('stripslashes_deep', $_GET);
    $_COOKIE  = array_map('stripslashes_deep', $_COOKIE);
}
 
Verminox
Forum Contributor
Posts: 101
Joined: Sun May 07, 2006 5:19 am

Re: removing slashes from magic quotes gpc

Post by Verminox »

Jenk wrote: Then why not just do:

Code: Select all

$arrays = array( $_GET, $_POST, $_REQUEST, $_COOKIE );
Won't that create a copy of $_GET, etc. so if I stripslashes() on it, it won't reflect the original global arrays (I think).

astions: Small and simple, I like. The only reason mine was longer is because it accounted for magic_quotes_sybase also.
matthijs
DevNet Master
Posts: 3360
Joined: Thu Oct 06, 2005 3:57 pm

Re: removing slashes from magic quotes gpc

Post by matthijs »

astions wrote: I am surprised this thread is still alive. This is all I use. Never had a problem with it.

Code: Select all

 
function stripslashes_deep($value)
{
    return is_array($value) ? array_map('stripslashes_deep', $value) : stripslashes($value);
}
 
// disable magic quotes..
if (get_magic_quotes_gpc()) {
    $_POST    = array_map('stripslashes_deep', $_POST);
    $_GET     = array_map('stripslashes_deep', $_GET);
    $_COOKIE  = array_map('stripslashes_deep', $_COOKIE);
}
 
I'm not sure, but isn't it possible to crash PHP if someone would supply a very deep multidimensional array?

Code: Select all

 
$str = str_repeat("[]", 100000);
file_get_contents("http://yoursite.com/script.php?foo={$str}");
 
That's at least what Ilia says in his book and why he advises this function, which flattens the input array:

Code: Select all

 
if (get_magic_quotes_gpc()) { 
        $input = array(&$_GET, &$_POST, &$_COOKIE, &$_ENV, &$_SERVER); 
        while (list($k,$v) = each($input)) { 
                foreach ($v as $key => $val) { 
                        if (!is_array($val)) { 
                                $input[$k][$key] = stripslashes($val); 
                                continue; 
                        } 
                        $input[] =& $input[$k][$key]; 
                } 
        } 
        unset($input); 
} 
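
Added example, not part of any post in this thread: the explicit work-list idea behind the flattening snippet above, written as a function that returns a cleaned copy and rejects input nested deeper than a cap. It assumes PHP 7 or later, where magic_quotes_gpc no longer exists, so the constructed sample is escaped with addslashes(); strip_slashes_iterative() and MAX_DEPTH are hypothetical names and the cap of 32 is an assumed value.

```php
<?php
// Added example, not code from the thread. strip_slashes_iterative() and
// MAX_DEPTH are hypothetical names; the cap of 32 is an assumption.
const MAX_DEPTH = 32;

function strip_slashes_iterative(array $input, int $maxDepth = MAX_DEPTH): array
{
    // Work list of [reference to an array, its depth]. It grows on the heap,
    // so nesting depth never turns into call-stack depth.
    $queue = [[&$input, 1]];
    for ($i = 0; $i < count($queue); $i++) {
        $node  = &$queue[$i][0];
        $depth = $queue[$i][1];
        foreach ($node as $key => $val) {
            if (is_array($val)) {
                if ($depth >= $maxDepth) {
                    // Refuse the request instead of walking hostile input.
                    throw new LengthException("input nested deeper than $maxDepth levels");
                }
                $queue[] = [&$node[$key], $depth + 1];
            } elseif (is_string($val)) {
                $node[$key] = stripslashes($val);
            }
        }
    }
    return $input;
}

// Constructed sample, escaped with addslashes() to mimic magic_quotes_gpc.
$sample = [
    'name' => addslashes("O'Reilly"),
    'tags' => [addslashes('say "hi"'), [addslashes('C:\\temp')]],
];
print_r(strip_slashes_iterative($sample));

// Constructed over-deep input, built in a loop (1000 levels).
$deep = 'x';
for ($i = 0; $i < 1000; $i++) {
    $deep = [$deep];
}
try {
    strip_slashes_iterative(['foo' => $deep]);
} catch (LengthException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";
}
```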
 
Benjamin
Site Administrator
Posts: 6935
Joined: Sun May 19, 2002 10:24 pm

Re: removing slashes from magic quotes gpc

Post by Benjamin »

The below line:

Code: Select all

 
$_POST = array_map('stripslashes_deep_test', $_POST);
 
Will crash Apache with an array 510 levels deep. 509 is ok.

Here is the test code. Your results may vary.

Code: Select all

 
$depth = 510;
$_POST = array();
$string = '';
 
for ($i = 0; $i < $depth; $i++)
{
    $string .= "['0']";
    eval("\$_POST{$string} = array(0);");
}
 
function stripslashes_deep_test($value)
{
    return is_array($value) ? array_map('stripslashes_deep_test', $value) : stripslashes($value);
}
 
// disable magic quotes..
if (true)
{
    $_POST = array_map('stripslashes_deep_test', $_POST);
}
 
echo '<pre style="font-size: 12px;">', print_r($_POST, true), '</pre>';
 
 
s.dot
Tranquility In Moderation
Posts: 5001
Joined: Sun Feb 06, 2005 7:18 pm
Location: Indiana

Re: removing slashes from magic quotes gpc

Post by s.dot »

Oh, wow. Is there a rule here against rehashing old threads?

I came back to this thread because I was working on a new project that had a similar function but didn't do it recursively and I wanted to update it with mine. Then I found the function I'm using on a different project.

Anyways, I've been using this for a long time (since after this thread I started, obviously).

Code: Select all

function func_stripGPC($arr)
{
	if (is_array($arr))
	{
		foreach ($arr AS $k => $v)
		{
			$arr[$k] = func_stripGPC($v);
		}
	} else
	{
		$arr = stripslashes($arr);
	}
		
	return $arr;
}

$magicQuotesGPC = function_exists('get_magic_quotes_gpc') ? get_magic_quotes_gpc() : false;
$magicQuotesSybase = (bool) strtolower(ini_get('magic_quotes_sybase'));

if ($magicQuotesGPC || $magicQuotesSybase)
{
	foreach (array('_GET', '_POST', '_COOKIE') AS $sg)
	{
		${$sg} = func_stripGPC(${$sg});
	}
}
My question is, doesn't this handle arrays within arrays.. such as multidimensional arrays in post? I assume that it does because it's recursive so I don't understand a few posts above. Also, is there still the apache bug (I assume it's a bug, if not a limitation) where 510+ levels will crash it?
Benjamin
Site Administrator
Posts: 6935
Joined: Sun May 19, 2002 10:24 pm

Re: removing slashes from magic quotes gpc

Post by Benjamin »

Yeah this post contains information that's out of date.