removing slashes from magic quotes gpc
Moderator: General Moderators
Re: removing slashes from magic quotes gpc
Sam, your code is wrong:
It's missing $_COOKIE.
It's recursive.
It's using array_walk_recursive() despite that it's recursive.
It's missing checks for other magic_quote behaviour settings.
It's using foreach.
Some of these things affect the other proposed solutions as well. I'm amazed noone has come with the One Correct Solution To End All Solutions yet.
It's missing $_COOKIE.
It's recursive.
It's using array_walk_recursive() despite that it's recursive.
It's missing checks for other magic_quote behaviour settings.
It's using foreach.
Some of these things affect the other proposed solutions as well. I'm amazed noone has come with the One Correct Solution To End All Solutions yet.
- Ambush Commander
- DevNet Master
- Posts: 3698
- Joined: Mon Oct 25, 2004 9:29 pm
- Location: New Jersey, US
Re: removing slashes from magic quotes gpc
If I remember correctly, it's easy enough to fix magic_quotes_gpc for a flat array. From there, it gets a little wanky; according to this comment it varies between PHP4 and PHP5, as well as whether it's top-level or not.
Re: removing slashes from magic quotes gpc
Here's my general purpose quotes cleaner. Accounts for both gpc and sybase (although I've made the sybase part of the code just by looking at the docs, havn't tested it, mainly because I can't get magic_quotes_sybase to work on my xampp installation in the first place
)
Anyway so here it is:
I don't think there is any need to account for magic_quotes_runtime because that can be set off at runtime.
Anyway so here it is:
Code: Select all
<?php
function clean_quotes_gpc(&$stuff)
{
if( is_array($stuff) )
{
array_walk($stuff,'clean_quotes_gpc');
}
else
{
$stuff = stripslashes($stuff);
}
}
function clean_quotes_sybase(&$stuff)
{
if( is_array($stuff) )
{
array_walk($stuff,'clean_quotes_sybase');
}
else
{
$stuff = str_replace("''","'",$stuff);
}
}
function clean_request_vars()
{
$arrays = array( '_GET', '_POST', '_REQUEST', '_COOKIE' );
if( ini_get('magic_quotes_sybase') == '1' )
{
foreach($arrays as $array)
{
global $$array;
clean_quotes_sybase($$array);
}
}
else if (get_magic_quotes_gpc())
{
foreach($arrays as $array)
{
global $$array;
clean_quotes_gpc($$array);
}
}
}
clean_request_vars();
?>Re: removing slashes from magic quotes gpc
You don't need to use the global keyword. $_GET/POST/etc. arrays are already super globals.
Re: removing slashes from magic quotes gpc
Not when you use them as variable variables.Jenk wrote:You don't need to use the global keyword. $_GET/POST/etc. arrays are already super globals.
Code: Select all
function foo()
{
$get = '_GET';
var_dump($$get); // NULL
}Re: removing slashes from magic quotes gpc
Then why not just do:
Code: Select all
$arrays = array( $_GET, $_POST, $_REQUEST, $_COOKIE );Re: removing slashes from magic quotes gpc
I am surprised this thread is still alive. This is all I use. Never had a problem with it.
Code: Select all
function stripslashes_deep($value)
{
return is_array($value) ? array_map('stripslashes_deep', $value) : stripslashes($value);
}
// disable magic quotes..
if (get_magic_quotes_gpc()) {
$_POST = array_map('stripslashes_deep', $_POST);
$_GET = array_map('stripslashes_deep', $_GET);
$_COOKIE = array_map('stripslashes_deep', $_COOKIE);
}
Re: removing slashes from magic quotes gpc
Won't that create a copy of $_GET, etc. so if i stripslashes() on it, it won't reflect the original global arrays (I think).Jenk wrote:Then why not just do:Code: Select all
$arrays = array( $_GET, $_POST, $_REQUEST, $_COOKIE );
astions: Small and simple, I like. The only reason mine was longer because it accounted for magic_quotes_sybase also.
Re: removing slashes from magic quotes gpc
I'm not sure, but isn't it possible to crash PHP if someone would supply a very deep multidimensional array?astions wrote:I am surprised this thread is still alive. This is all I use. Never had a problem with it.
Code: Select all
function stripslashes_deep($value) { return is_array($value) ? array_map('stripslashes_deep', $value) : stripslashes($value); } // disable magic quotes.. if (get_magic_quotes_gpc()) { $_POST = array_map('stripslashes_deep', $_POST); $_GET = array_map('stripslashes_deep', $_GET); $_COOKIE = array_map('stripslashes_deep', $_COOKIE); }
Code: Select all
$str = str_repeat("[]", 100000);
file_get_contents(http://yoursite.com/script.php?foo={$str});
Code: Select all
if (get_magic_quotes_gpc()) {
$input = array(&$_GET, &$_POST, &$_COOKIE, &$_ENV, &$_SERVER);
while (list($k,$v) = each($input)) {
foreach ($v as $key => $val) {
if (!is_array($val)) {
$input[$k][$key] = stripslashes($val);
continue;
}
$input[] =& $input[$k][$key];
}
}
unset($input);
}
Re: removing slashes from magic quotes gpc
The below line:
Will crash Apache with an array 510 levels deep. 509 is ok.
Here is the test code. Your results may vary.
Code: Select all
$_POST = array_map('stripslashes_deep_test', $_POST);
Here is the test code. Your results may vary.
Code: Select all
$depth = 510;
$_POST = array();
$string = '';
for ($i = 0; $i < $depth; $i++)
{
$string .= "['0']";
eval("\$_POST{$string} = array(0);");
}
function stripslashes_deep_test($value)
{
return is_array($value) ? array_map('stripslashes_deep', $value) : stripslashes($value);
}
// disable magic quotes..
if (true)
{
$_POST = array_map('stripslashes_deep_test', $_POST);
}
echo '<pre style="font-size: 12px;">', print_r($_POST, true), '</pre>';
Re: removing slashes from magic quotes gpc
Oh, wow. Is there a rule here against rehashing old threads?
I came back to this thread because I was working on a new project that had a similar function but didn't do it recursively and I wanted to update it with mine. Then I found the function I'm using on a different project.
Anyways, I've been using this for a long time (since after this thread I started, obviously).
My question is, doesn't this handle arrays within arrays.. such as multidimensional arrays in post? I assume that it does because it's recursive so I don't understand a few posts above. Also, is there still the apache bug (i assume it's a bug, if not a limitation) where 510+ levels will crash it?
I came back to this thread because I was working on a new project that had a similar function but didn't do it recursively and I wanted to update it with mine. Then I found the function I'm using on a different project.
Anyways, I've been using this for a long time (since after this thread I started, obviously).
Code: Select all
function func_stripGPC($arr)
{
if (is_array($arr))
{
foreach ($arr AS $k => $v)
{
$arr[$k] = func_stripGPC($v);
}
} else
{
$arr = stripslashes($arr);
}
return $arr;
}
$magicQuotesGPC = function_exists('get_magic_quotes_gpc') ? get_magic_quotes_gpc() : false;
$magicQuotesSybase = (bool) strtolower(ini_get('magic_quotes_sybase'));
if ($magicQuotesGPC || $magicQuotesSybase)
{
foreach (array('_GET', '_POST', '_COOKIE') AS $sg)
{
${$sg} = func_stripGPC(${$sg});
}
}Set Search Time - A google chrome extension. When you search only results from the past year (or set time period) are displayed. Helps tremendously when using new technologies to avoid outdated results.
Re: removing slashes from magic quotes gpc
Yeah this post contains information that's out of date.