magic_quotes.. should be defeated once and for all

Ambush Commander
DevNet Master
Posts: 3698
Joined: Mon Oct 25, 2004 9:29 pm
Location: New Jersey, US

Post by Ambush Commander »

We all know that Magic Quotes is evil. However, we're not exactly sure how to combat it.

The simplest solution, after all, is to recursively call stripslashes() on all superglobal arrays (it's not just GPC, it's EGPCSR). However, this runs into hard-to-diagnose bugs regarding escaping of array keys in the request.

It appears no one is really sure how combinations of operating systems, PHP versions, and PHP configuration affect escaping of data. So, I'd like to make a call for people to compile a comprehensive table of all possible relevant variables and the escaping of data.

I've already run into trouble trying to implement systems based off of the comments in the PHP manual, mainly because the comments are property of the PHP Documentation group, and are licensed under the Open Publication License, which is not a code license. This puts us in murky license/copyright lawyers, and does not seem to be worth the trouble. The final result of this work, then, will be Public Domain.

Switching PHP configurations as I go down the 4.x series is probably going to be the biggest bugger, but if we can get a comprehensive solution out there, well, we can let this issue lie. Unless someone has already comprehensively solved it. ;)
Last edited by Ambush Commander on Mon Jan 02, 2006 8:24 pm, edited 1 time in total.
shiflett
Forum Contributor
Posts: 124
Joined: Sun Feb 06, 2005 11:22 am

Post by shiflett »

The fix_magic_quotes() function seems pretty comprehensive:

http://www.nyphp.org/phundamentals/stor ... ieving.php

It also takes all of the magic quotes settings into account, not just magic_quotes_gpc.

Post by Ambush Commander »

What's the copyright status of the code and the article? (I see a little All Rights Reserved).

Edit - Also, the code doesn't seem to take "key" escaping into account.
Maugrim_The_Reaper
DevNet Master
Posts: 2704
Joined: Tue Nov 02, 2004 5:43 am
Location: Ireland

Post by Maugrim_The_Reaper »

"key" escaping? I can only assume that's a variation on the typical "value" escaping with a similar solution. There is some other weird form of automated escaping that slips my mind at the moment. Occurs when reading in files, but is not related to the magic_quotes_runtime or gpc settings...
AKA Panama Jack
Forum Regular
Posts: 878
Joined: Mon Nov 14, 2005 4:21 pm

Post by AKA Panama Jack »

Try this... :)

Code:

// Only needed when magic_quotes_gpc is on
if (get_magic_quotes_gpc())
{
	// Recursively strips slashes from array values, in place (keys are left as they are)
	function strip_gpc_slashes(&$array)
	{
		if (!is_array ($array))
			return;
		foreach($array as $key => $val)
			is_array( $array[$key] ) ? strip_gpc_slashes($array[$key]) : ($array[$key] = stripslashes ($array[$key]));
	}
	// Hold the superglobals by reference so the originals are modified
	$gpc = array(&$_GET, &$_POST, &$_COOKIE);
	strip_gpc_slashes($gpc);
}

I use this in our game and have tried just about every PHP configuration with different php.ini settings and it works like a charm.
neophyte
DevNet Resident
Posts: 1537
Joined: Tue Jan 20, 2004 4:58 pm
Location: Minnesota

Post by neophyte »

Magic quote user wanting to reform thanks AKA Panama Jack for great post... :oops: :lol: :oops:

Post by Ambush Commander »

Try accessing a page with this get data and echo it out:

page.php?array[his%27_room]=foo%27bar

I assume that your application never ran into trouble because it didn't use complex arrays in this manner.

Post by AKA Panama Jack »

Ambush Commander wrote:
> Try accessing a page with this get data and echo it out:
>
> page.php?array[his%27_room]=foo%27bar
>
> I assume that your application never ran into trouble because it didn't use complex arrays in this manner.

No, because trying to pass an array through a GET variable is well... shall we say highly impractical because of the way get variables work. At my place of work we would smack the crap out of anyone trying to pass variables like that. If you want to pass arrays you should pass them using POST variables. BTW, you do know you can mix both POST and GET variables.

And I have passed some very complex arrays through POST variables and they have all worked just fine with the routine I posted. :)

As I said before...

Anyone using something like this array[his%27_room] in a URL for a get variable needs to be royally smacked.

Post by Ambush Commander »

Okay, so you don't have any mysterious bugs relating to messy magic_quotes cleaning, but I have. And the post array was very simple: a simple keypair array. The problem didn't show up all the time: it was arrays that had keys with ' in them that caused problems (and ' is a very common English construct). The problem was POST arrays were not being cleaned properly.

Once again, I don't deny that it's working squeaky clean for you: magic_quotes depends on a variety of system configuration issues. The reason why a comprehensive solution is desirable is so that mysterious bugs don't crop up when you migrate.

And I hear that PHP5 automatically escapes keys regardless of magic_quotes...

Post by AKA Panama Jack »

Ambush Commander wrote:
> The problem didn't show up all the time: it was arrays that had keys with ' in them that caused problems (and ' is a very common English construct).

Sure it's a common English construct but it should NEVER be used inside an array key. That is just very, very messy programming and definitely not a valid method because of all the problems it definitely causes.

Code:

$key = "stuff's";
$my_array[$key] = "Junk";

That is very bad form for an array and characters like ' should be stripped out before using it as a key. [shudders] Programming like that makes icy fingers crawl up my back.

Post by Ambush Commander »

> NEVER

NEVER say NEVER :D

I'll tell you my case for using array keys with quotation marks. The ' is a valid, although dubious, character inside filenames. I was working on a file upload system that involved FTP transfers by trusted users into a directory, and then linking them into an application (in this case MediaWiki). Inside the wiki, accurate names are encouraged, and if this means the use of a single quote, so be it. There were actually a lot of files that required apostrophes in their names.

When the user had to use the web interface to link the files in, such as specifying summaries, the simplest way was simply to map the association using an array where the key was the filename, and the value was the configuration files. Other keys would require associating files with IDs or hashes, but these would require lookup tables, and for this sort of task, it seemed like overkill and unnecessary (if not dangerous) complexity.

There was one last possibility, and that would be, when the page was viewed, to automatically strip single quotes or encode them in an alternative format to fix the problem. Stripping quotes would be a problem because that means that any file with a ' in its name would have to be renamed, and as I mentioned earlier, quite a few songs had 's, so the extra work didn't make much sense.

Encoding them in alternative formats would have been awkward: POST arrays would have to be remapped into the proper keys. Why not simply fix the magic_quotes problem at its root? This would require remapping too, but with the added effect of preventing the bug from ever happening in all other circumstances, however unlikely.

Stress unlikely. Single quotes in your array keys are not very normal fare, and are probably why the less than ideal magic_quotes cleaners have been able to get away with it for so long. But for the sake of security in depth, in case a programmer forgets about this caveat, I find it best to make sure that the superglobal arrays are correctly represented.

I'll get off my soapbox now. Anyone want to help?
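
The key-escaping problem discussed above, as an added example that is not code from any poster in this thread. It assumes a request array in which both keys and values arrive backslash-escaped (a constructed sample modelled on the array[his%27_room]=foo%27bar request) and compares a value-only cleaner with one that rebuilds the array under unescaped keys; the function names are hypothetical.

```php
<?php
// Constructed sample: the shape $_GET is assumed to have for
// page.php?array[his%27_room]=foo%27bar when keys AND values arrive escaped.
$escaped = array('array' => array("his\\'_room" => "foo\\'bar"));

// Value-only cleaner: same approach as the routine posted earlier in the thread.
function strip_values(array $in)
{
    foreach ($in as $key => $val) {
        $in[$key] = is_array($val) ? strip_values($val) : stripslashes($val);
    }
    return $in;
}

// Key-aware cleaner: builds a new array so every string key is unescaped too.
function strip_keys_and_values(array $in)
{
    $out = array();
    foreach ($in as $key => $val) {
        // Integer keys cannot carry slashes; only string keys are unescaped.
        $cleanKey = is_string($key) ? stripslashes($key) : $key;
        if (is_array($val)) {
            $out[$cleanKey] = strip_keys_and_values($val);
        } else {
            $out[$cleanKey] = is_string($val) ? stripslashes($val) : $val;
        }
    }
    return $out;
}

$valueOnly = strip_values($escaped);
$keyAware  = strip_keys_and_values($escaped);
$wanted    = "his'_room"; // the key the application actually looks up

echo "value-only cleaner finds key: ";
var_dump(isset($valueOnly['array'][$wanted]));
echo "key-aware cleaner finds key:  ";
var_dump(isset($keyAware['array'][$wanted]));
echo "keys left by value-only cleaner: ";
var_dump(array_keys($valueOnly['array']));
```

If two escaped keys unescape to the same string, the later one overwrites the earlier one in the rebuilt array.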

Post by Maugrim_The_Reaper »

If it works, it will get used...by someone...;) Is there some problem removing the escaping on keys I don't know about? (Besides remapping values to the de-escaped keys in the array etc.)

PHP5 escapes keys regardless of the setting...OMG...not again...

Post by Ambush Commander »

> Is there some problem removing the escaping on keys

Well, knowing when to escape... although I suppose accidentally removing backslashes isn't that big of a problem.

> PHP5 escapes keys regardless of the setting...OMG...not again...

I'm not really sure what you mean...

> If it works, it will get used...by someone...

I'm working on it...