Page 1 of 2

removing slashes from magic quotes gpc

Posted: Mon Oct 15, 2007 2:35 am
by s.dot
It's still necessary to make code portable and account for those setups which have magic quotes gpc enabled. I've been using this function for.. who knows how long. But perhaps it could be improved? I also offer it to share with other folks.

True definition of a snippet. =] I include it in a page that gets included on every page (like a db_connect.php or something). Probably should find a setup that allows for it to be in a permanent location.

Code: Select all

if (get_magic_quotes_gpc())
{
    $gpc = array('_GET', '_POST', '_COOKIE');
    
    foreach ($gpc AS $sg)
    {
        if (!empty(${$sg}))
        {
            foreach (${$sg} AS $k => $v)
            {
                ${$sg}[$k] = stripslashes($v);
            }
        }
    }
}

Posted: Mon Oct 15, 2007 4:52 am
by Christopher
I think feyd posted a non-recursive array tree walker somewhere here that works for this.

Posted: Mon Oct 15, 2007 8:06 am
by Zoxive
I would rather just use a .htaccess file.

Code: Select all

php_value register_globals 0
php_value magic_quotes_gpc 0
Saves the overhead of trying to have php fix the problem during execution.

Posted: Mon Oct 15, 2007 8:26 am
by superdezign
Zoxive wrote:I would rather just use a .htaccess file.

Saves the overhead of trying to have php fix the problem during execution.
It's hardly any overhead at all, and applications that require the use of GPC data (such as frameworks and CMS apps), it's good to handle it within the application so that it can be used on any server (even non-Apache servers) without worry.

Posted: Mon Oct 15, 2007 10:36 am
by pickle
You can optimize it a bit:

Code: Select all

if (get_magic_quotes_gpc())
    foreach(array('_GET','_POST','_COOKIE') AS $sg)
    {
        if (!empty(${$sg}))
           ${$sg} = array_map("stripslashes",${$sg});
    }
}

Posted: Tue Oct 16, 2007 2:55 am
by jmut
And what if there is array in this $_POST ?

Code: Select all

 
if (get_magic_quotes_gpc()) {
 
    $in = array(&$_GET, &$_POST, &$_COOKIE);
 
    while (list($k,$v) = each($in)) {
 
        foreach ($v as $key => $val) {
 
            if (!is_array($val)) {
 
                $in[$k][$key] = stripslashes($val);
 
                continue;
 
            }
 
            $in[] =& $in[$k][$key];
 
        }
 
    }
 
    unset($in);
 
}
 

Posted: Tue Oct 16, 2007 9:51 am
by pickle
& what if there is a 2-d array? Good point though - I'm sure the solution will involve either recursion or passing-by-reference somehow - but it's too early in the morning for me to think it through :roll: :wink:

Posted: Tue Oct 16, 2007 12:16 pm
by Jenk
This is why feyd posted the non-recursive array walker for this.

Posted: Tue Oct 16, 2007 12:33 pm
by Christopher
A little early more meet to do a mental diff. what is the difference between jmut's and feyd's? Can we decide on a definitive solution?

Posted: Sat Oct 27, 2007 11:17 pm
by seppo0010
One other think to keep in mind is that if we have a multilevel array, the keys are also escaped. For example,

URL: test.php?a'b[c'd][e'f]=1'2
With magic quotes

Code: Select all

 
array(1) {
  ["a\'b"]=>
  array(1) {
    ["c\'d"]=>
    array(1) {
      ["e\'f"]=>
      string(4) "1\'2"
    }
  }
}
 
Without magic quotes

Code: Select all

 
array(1) {
  ["a'b"]=>
  array(1) {
    ["c'd"]=>
    array(1) {
      ["e'f"]=>
      string(3) "1'2"
    }
  }
}
 
I propose as solution

Code: Select all

 
 
function stripslashes_deep($array) {
    return is_array($array) ? (count($array) > 0 ? array_combine(array_map('stripslashes_deep', array_keys($array)), array_map('stripslashes_deep', array_values($array))) : array()) : stripslashes($array);
}
 
$_GET = stripslashes_deep($_GET);
$_POST = stripslashes_deep($_POST);
$_COOKIE = stripslashes_deep($_COOKIE);
 

Posted: Sun Oct 28, 2007 9:22 pm
by georgeoc
Jenk wrote:This is why feyd posted the non-recursive array walker for this.
Could you remind me where that is please? I've been looking for it for a while!

Posted: Sun Oct 28, 2007 9:34 pm
by feyd
georgeoc wrote:Could you remind me where that is please? I've been looking for it for a while!
I believe Jenk was referring to my replies in ~scottayy's directory tree thread found in Snippets or Critique.

Posted: Mon Oct 29, 2007 1:55 pm
by georgeoc
Thanks feyd - that's the one.

Posted: Mon Oct 29, 2007 3:08 pm
by jmut
seppo0010:
while I agree keys is good ot be escaped...in my opinion it is totally up to dev for this to cause problem..meaning who will ever want to use
such weird keys...and if passed with form spoof...they are just not used anyway....
Thats why I think this is not necessary...but I could be missing good reason ot espcape keys too.

Re: removing slashes from magic quotes gpc

Posted: Fri Apr 18, 2008 3:00 pm
by samb0057
~pickle | Please use [ code=html ], [ code=php ], etc tags where appropriate when posting code. Your post has been edited to reflect how we'd like it posted. Please read: :arrow: Posting Code in the Forums to learn how to do it too.


Recursive function

Code: Select all

if (version_compare(phpversion(), 6) === -1) {
    if (get_magic_quotes_gpc()) {
        function stripinputslashes(&$input) {
            if (is_array($input)) {
                foreach ($input as $key => $value) {
                    $input[$key] = stripinputslashes($value);
                }
            }
            else {
                $input = stripslashes($input);
            }
            return true;
        }
        array_walk_recursive($_GET, 'stripinputslashes');
        array_walk_recursive($_POST, 'stripinputslashes');
        array_walk_recursive($_REQUEST, 'stripinputslashes');
    }
}

~pickle | Please use [ code=html ], [ code=php ], etc tags where appropriate when posting code. Your post has been edited to reflect how we'd like it posted. Please read: :arrow: Posting Code in the Forums to learn how to do it too.