removing slashes from magic quotes gpc

s.dot
Tranquility In Moderation
Posts: 5001
Joined: Sun Feb 06, 2005 7:18 pm
Location: Indiana

Post by s.dot »

It's still necessary to make code portable and account for those setups which have magic quotes gpc enabled. I've been using this function for.. who knows how long. But perhaps it could be improved? I also offer it to share with other folks.

True definition of a snippet. =] I include it in a page that gets included on every page (like a db_connect.php or something). Probably should find a setup that allows for it to be in a permanent location.

Code: Select all

if (get_magic_quotes_gpc())
{
    $gpc = array('_GET', '_POST', '_COOKIE');
    
    foreach ($gpc AS $sg)
    {
        if (!empty(${$sg}))
        {
            foreach (${$sg} AS $k => $v)
            {
                ${$sg}[$k] = stripslashes($v);
            }
        }
    }
}
Last edited by Weirdan on Sat Apr 19, 2008 10:32 am, edited 1 time in total.
Reason: php tags
Christopher
Site Administrator
Posts: 13596
Joined: Wed Aug 25, 2004 7:54 pm
Location: New York, NY, US

Post by Christopher »

I think feyd posted a non-recursive array tree walker somewhere here that works for this.
Zoxive
Forum Regular
Posts: 974
Joined: Fri Apr 01, 2005 4:37 pm
Location: Bay City, Michigan

Post by Zoxive »

I would rather just use a .htaccess file.

Code: Select all

php_value register_globals 0
php_value magic_quotes_gpc 0
Saves the overhead of trying to have php fix the problem during execution.
superdezign
DevNet Master
Posts: 4135
Joined: Sat Jan 20, 2007 11:06 pm

Post by superdezign »

Zoxive wrote:I would rather just use a .htaccess file.

Saves the overhead of trying to have php fix the problem during execution.
It's hardly any overhead at all, and for applications that require the use of GPC data (such as frameworks and CMS apps), it's good to handle it within the application so that it can be used on any server (even non-Apache servers) without worry.
pickle
Briney Mod
Posts: 6445
Joined: Mon Jan 19, 2004 6:11 pm
Location: 53.01N x 112.48W
Contact:

Post by pickle »

You can optimize it a bit:

Code: Select all

if (get_magic_quotes_gpc())
{
    foreach (array('_GET', '_POST', '_COOKIE') AS $sg)
    {
        if (!empty(${$sg}))
            ${$sg} = array_map("stripslashes", ${$sg});
    }
}
Last edited by Weirdan on Sat Apr 19, 2008 10:34 am, edited 1 time in total.
Reason: php tags
Real programmers don't comment their code. If it was hard to write, it should be hard to understand.
jmut
Forum Regular
Posts: 945
Joined: Tue Jul 05, 2005 3:54 am
Location: Sofia, Bulgaria
Contact:

Post by jmut »

And what if there is an array in this $_POST?

Code: Select all

 
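if (get_magic_quotes_gpc()) {
    // Work list of references to the arrays that still need processing
    $in = array(&$_GET, &$_POST, &$_COOKIE);
    while (list($k, $v) = each($in)) {
        foreach ($v as $key => $val) {
            if (!is_array($val)) {
                $in[$k][$key] = stripslashes($val);
                continue;
            }
            // Nested array: queue a reference to it instead of recursing
            $in[] =& $in[$k][$key];
        }
    }
    unset($in);
}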
 
Last edited by Weirdan on Sat Apr 19, 2008 10:35 am, edited 1 time in total.
Reason: php tags
pickle
Briney Mod
Posts: 6445
Joined: Mon Jan 19, 2004 6:11 pm
Location: 53.01N x 112.48W
Contact:

Post by pickle »

& what if there is a 2-d array? Good point though - I'm sure the solution will involve either recursion or passing-by-reference somehow - but it's too early in the morning for me to think it through :roll: :wink:
Jenk
DevNet Master
Posts: 3587
Joined: Mon Sep 19, 2005 6:24 am
Location: London

Post by Jenk »

This is why feyd posted the non-recursive array walker for this.
Christopher
Site Administrator
Posts: 13596
Joined: Wed Aug 25, 2004 7:54 pm
Location: New York, NY, US

Post by Christopher »

A little early for me to do a mental diff. What is the difference between jmut's and feyd's? Can we decide on a definitive solution?
seppo0010
Forum Commoner
Posts: 47
Joined: Wed Oct 24, 2007 4:13 pm
Location: Buenos Aires, Argentina

Post by seppo0010 »

One other thing to keep in mind is that if we have a multilevel array, the keys are also escaped. For example,

URL: test.php?a'b[c'd][e'f]=1'2
With magic quotes

Code: Select all

 
array(1) {
  ["a\'b"]=>
  array(1) {
    ["c\'d"]=>
    array(1) {
      ["e\'f"]=>
      string(4) "1\'2"
    }
  }
}
 
Without magic quotes

Code: Select all

 
array(1) {
  ["a'b"]=>
  array(1) {
    ["c'd"]=>
    array(1) {
      ["e'f"]=>
      string(3) "1'2"
    }
  }
}
 
I propose as a solution

Code: Select all

 
 
// Strips slashes from array keys as well as values, at any depth
function stripslashes_deep($array) {
    return is_array($array) ? (count($array) > 0 ? array_combine(array_map('stripslashes_deep', array_keys($array)), array_map('stripslashes_deep', array_values($array))) : array()) : stripslashes($array);
}

// Only undo the escaping when magic quotes actually added it
if (get_magic_quotes_gpc()) {
    $_GET = stripslashes_deep($_GET);
    $_POST = stripslashes_deep($_POST);
    $_COOKIE = stripslashes_deep($_COOKIE);
}
 
Last edited by Weirdan on Sat Apr 19, 2008 10:37 am, edited 1 time in total.
Reason: php tags
georgeoc
Forum Contributor
Posts: 166
Joined: Wed Aug 09, 2006 4:21 pm
Location: London, UK

Post by georgeoc »

Jenk wrote:This is why feyd posted the non-recursive array walker for this.
Could you remind me where that is please? I've been looking for it for a while!
feyd
Neighborhood Spidermoddy
Posts: 31559
Joined: Mon Mar 29, 2004 3:24 pm
Location: Bothell, Washington, USA

Post by feyd »

georgeoc wrote:Could you remind me where that is please? I've been looking for it for a while!
I believe Jenk was referring to my replies in ~scottayy's directory tree thread found in Snippets or Critique.
georgeoc
Forum Contributor
Posts: 166
Joined: Wed Aug 09, 2006 4:21 pm
Location: London, UK

Post by georgeoc »

Thanks feyd - that's the one.
jmut
Forum Regular
Posts: 945
Joined: Tue Jul 05, 2005 3:54 am
Location: Sofia, Bulgaria
Contact:

Post by jmut »

seppo0010:
while I agree keys are good to be escaped...in my opinion it is totally up to dev for this to cause problem..meaning who will ever want to use
such weird keys...and if passed with form spoof...they are just not used anyway....
That's why I think this is not necessary...but I could be missing good reason to escape keys too.
samb0057
Forum Commoner
Posts: 27
Joined: Wed Mar 26, 2008 9:51 am

Re: removing slashes from magic quotes gpc

Post by samb0057 »

~pickle | Please use [ code=html ], [ code=php ], etc tags where appropriate when posting code. Your post has been edited to reflect how we'd like it posted. Please read: :arrow: Posting Code in the Forums to learn how to do it too.


Recursive function

Code: Select all

if (version_compare(phpversion(), '6') === -1) {
    if (get_magic_quotes_gpc()) {
        function stripinputslashes(&$input) {
            if (is_array($input)) {
                foreach ($input as $key => $value) {
                    // Recurse on the element itself so the by-reference change sticks
                    stripinputslashes($input[$key]);
                }
            }
            else {
                $input = stripslashes($input);
            }
            return true;
        }
        // array_walk_recursive() hands each leaf value to the callback by reference
        array_walk_recursive($_GET, 'stripinputslashes');
        array_walk_recursive($_POST, 'stripinputslashes');
        array_walk_recursive($_COOKIE, 'stripinputslashes');
        array_walk_recursive($_REQUEST, 'stripinputslashes');
    }
}
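
Added example, not code from any poster in this thread: an iterative (non-recursive) walker that strips the slashes from both keys and values at any nesting depth, which combines the two concerns raised in the replies above. The function name `undo_magic_quotes` and the sample array are constructed for illustration; the `function_exists()` guard is there because `get_magic_quotes_gpc()` was removed in PHP 8.0.

```php
<?php
// Hypothetical helper (not from the thread): returns a copy of $input with
// magic-quotes escaping removed from every key and every scalar value.
function undo_magic_quotes(array $input)
{
    $output = array();
    // Each work item pairs a source array with a reference to its clean copy.
    $queue = array(array($input, &$output));

    for ($i = 0; $i < count($queue); $i++) {
        $source = $queue[$i][0];
        $target = &$queue[$i][1];

        foreach ($source as $key => $value) {
            // Integer keys are never escaped; string keys are.
            $cleanKey = is_string($key) ? stripslashes($key) : $key;

            if (is_array($value)) {
                // Queue the nested array instead of recursing into it.
                $target[$cleanKey] = array();
                $queue[] = array($value, &$target[$cleanKey]);
            } else {
                $target[$cleanKey] = stripslashes($value);
            }
        }
        unset($target); // drop the reference before binding the next one
    }

    return $output;
}

// Undo the escaping only where the runtime actually applied it.
if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
    $_GET     = undo_magic_quotes($_GET);
    $_POST    = undo_magic_quotes($_POST);
    $_COOKIE  = undo_magic_quotes($_COOKIE);
    $_REQUEST = undo_magic_quotes($_REQUEST);
}

// Constructed sample: test.php?a'b[c'd][e'f]=1'2 as dumped with magic quotes on.
$escaped  = array("a\\'b" => array("c\\'d" => array("e\\'f" => "1\\'2")));
$expected = array("a'b" => array("c'd" => array("e'f" => "1'2")));
var_dump(undo_magic_quotes($escaped) === $expected);
```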
