Page 2 of 2

Re: removing slashes from magic quotes gpc

Posted: Mon Apr 21, 2008 8:01 am
by Mordred
Sam, your code is wrong:

It's missing $_COOKIE.
It's recursive.
It's using array_walk_recursive() despite that it's recursive.
It's missing checks for other magic_quote behaviour settings.
It's using foreach.

Some of these things affect the other proposed solutions as well. I'm amazed noone has come with the One Correct Solution To End All Solutions yet.

Re: removing slashes from magic quotes gpc

Posted: Wed Apr 23, 2008 8:46 am
by Ambush Commander
If I remember correctly, it's easy enough to fix magic_quotes_gpc for a flat array. From there, it gets a little wanky; according to this comment it varies between PHP4 and PHP5, as well as whether it's top-level or not.

Re: removing slashes from magic quotes gpc

Posted: Fri May 02, 2008 2:29 pm
by Verminox
Here's my general purpose quotes cleaner. Accounts for both gpc and sybase (although I've made the sybase part of the code just by looking at the docs, havn't tested it, mainly because I can't get magic_quotes_sybase to work on my xampp installation in the first place :( )

Anyway so here it is:

Code: Select all

<?php
function clean_quotes_gpc(&$stuff)
{
    if( is_array($stuff) )
    {
        array_walk($stuff,'clean_quotes_gpc');
    }
    else
    {
        $stuff = stripslashes($stuff);
    }
}
 
function clean_quotes_sybase(&$stuff)
{
    if( is_array($stuff) )
    {
        array_walk($stuff,'clean_quotes_sybase');
    }
    else
    {       
        $stuff = str_replace("''","'",$stuff);
    }
}
 
function clean_request_vars()
{
    $arrays = array( '_GET', '_POST', '_REQUEST', '_COOKIE' );
    if( ini_get('magic_quotes_sybase') == '1' )
    {
        foreach($arrays as $array)
        {
            global $$array;
            clean_quotes_sybase($$array);
        }
    }
    else if (get_magic_quotes_gpc())
    {
        foreach($arrays as $array)
        {
            global $$array;
            clean_quotes_gpc($$array);
        }
    }
}
 
clean_request_vars();
?>
I don't think there is any need to account for magic_quotes_runtime because that can be set off at runtime.

Re: removing slashes from magic quotes gpc

Posted: Mon May 19, 2008 9:00 am
by Jenk
You don't need to use the global keyword. $_GET/POST/etc. arrays are already super globals.

Re: removing slashes from magic quotes gpc

Posted: Fri May 23, 2008 4:35 am
by Verminox
Jenk wrote:You don't need to use the global keyword. $_GET/POST/etc. arrays are already super globals.
Not when you use them as variable variables.

Code: Select all

function foo()
{
    $get = '_GET';
    var_dump($$get); // NULL
}

Re: removing slashes from magic quotes gpc

Posted: Fri May 30, 2008 12:32 pm
by Jenk
Then why not just do:

Code: Select all

$arrays = array( $_GET, $_POST, $_REQUEST, $_COOKIE );

Re: removing slashes from magic quotes gpc

Posted: Fri May 30, 2008 3:31 pm
by Benjamin
I am surprised this thread is still alive. This is all I use. Never had a problem with it.

Code: Select all

 
function stripslashes_deep($value)
{
    return is_array($value) ? array_map('stripslashes_deep', $value) : stripslashes($value);
}
 
// disable magic quotes..
if (get_magic_quotes_gpc()) {
    $_POST    = array_map('stripslashes_deep', $_POST);
    $_GET     = array_map('stripslashes_deep', $_GET);
    $_COOKIE  = array_map('stripslashes_deep', $_COOKIE);
}
 

Re: removing slashes from magic quotes gpc

Posted: Sat May 31, 2008 7:22 am
by Verminox
Jenk wrote:Then why not just do:

Code: Select all

$arrays = array( $_GET, $_POST, $_REQUEST, $_COOKIE );
Won't that create a copy of $_GET, etc. so if i stripslashes() on it, it won't reflect the original global arrays (I think).

astions: Small and simple, I like. The only reason mine was longer because it accounted for magic_quotes_sybase also.

Re: removing slashes from magic quotes gpc

Posted: Sat May 31, 2008 7:57 am
by matthijs
astions wrote:I am surprised this thread is still alive. This is all I use. Never had a problem with it.

Code: Select all

 
function stripslashes_deep($value)
{
    return is_array($value) ? array_map('stripslashes_deep', $value) : stripslashes($value);
}
 
// disable magic quotes..
if (get_magic_quotes_gpc()) {
    $_POST    = array_map('stripslashes_deep', $_POST);
    $_GET     = array_map('stripslashes_deep', $_GET);
    $_COOKIE  = array_map('stripslashes_deep', $_COOKIE);
}
 
I'm not sure, but isn't it possible to crash PHP if someone would supply a very deep multidimensional array?

Code: Select all

 
$str = str_repeat("[]", 100000);
file_get_contents(http://yoursite.com/script.php?foo={$str});
 
That's at least what Ilia says in his book and why he advices this function, which flattens the input array:

Code: Select all

 
if (get_magic_quotes_gpc()) { 
        $input = array(&$_GET, &$_POST, &$_COOKIE, &$_ENV, &$_SERVER); 
        while (list($k,$v) = each($input)) { 
                foreach ($v as $key => $val) { 
                        if (!is_array($val)) { 
                                $input[$k][$key] = stripslashes($val); 
                                continue; 
                        } 
                        $input[] =& $input[$k][$key]; 
                } 
        } 
        unset($input); 
} 
 

Re: removing slashes from magic quotes gpc

Posted: Sat May 31, 2008 9:35 am
by Benjamin
The below line:

Code: Select all

 
$_POST = array_map('stripslashes_deep_test', $_POST);
 
Will crash Apache with an array 510 levels deep. 509 is ok.

Here is the test code. Your results may vary.

Code: Select all

 
$depth = 510;
$_POST = array();
$string = '';
 
for ($i = 0; $i < $depth; $i++)
{
    $string .= "['0']";
    eval("\$_POST{$string} = array(0);");
}
 
function stripslashes_deep_test($value)
{
    return is_array($value) ? array_map('stripslashes_deep', $value) : stripslashes($value);
}
 
// disable magic quotes..
if (true)
{
    $_POST = array_map('stripslashes_deep_test', $_POST);
}
 
echo '<pre style="font-size: 12px;">', print_r($_POST, true), '</pre>';
 
 

Re: removing slashes from magic quotes gpc

Posted: Mon Feb 18, 2013 5:12 am
by s.dot
Oh, wow. Is there a rule here against rehashing old threads?

I came back to this thread because I was working on a new project that had a similar function but didn't do it recursively and I wanted to update it with mine. Then I found the function I'm using on a different project.

Anyways, I've been using this for a long time (since after this thread I started, obviously).

Code: Select all

function func_stripGPC($arr)
{
	if (is_array($arr))
	{
		foreach ($arr AS $k => $v)
		{
			$arr[$k] = func_stripGPC($v);
		}
	} else
	{
		$arr = stripslashes($arr);
	}
		
	return $arr;
}

$magicQuotesGPC = function_exists('get_magic_quotes_gpc') ? get_magic_quotes_gpc() : false;
$magicQuotesSybase = (bool) strtolower(ini_get('magic_quotes_sybase'));

if ($magicQuotesGPC || $magicQuotesSybase)
{
	foreach (array('_GET', '_POST', '_COOKIE') AS $sg)
	{
		${$sg} = func_stripGPC(${$sg});
	}
}
My question is, doesn't this handle arrays within arrays.. such as multidimensional arrays in post? I assume that it does because it's recursive so I don't understand a few posts above. Also, is there still the apache bug (i assume it's a bug, if not a limitation) where 510+ levels will crash it?

Re: removing slashes from magic quotes gpc

Posted: Mon Feb 18, 2013 7:54 am
by Benjamin
Yeah this post contains information that's out of date.