Handling of magic_quotes_gpc is wrong
| Affects | Status | Importance | Assigned to | Milestone | |
|---|---|---|---|---|---|
| CoughPHP |
Confirmed
|
High
|
Anthony Bush | ||
| 1.3 |
Won't Fix
|
Undecided
|
Unassigned | ||
| 1.4 |
Fix Committed
|
High
|
Anthony Bush | ||
Bug Description
CoughPHP handles magic_quotes_gpc by calling stripslashes if appropriate in As_Database:
There are a couple of different issues (all of which only occur when magic_quotes_gpc is on):
1. What you set and save doesn't get returned in the get:
$user-
$user->save();
$notes = $user->getNotes();
The result of the get will not have been stripslashed. However, if another code path is taken, where the object is loaded from the database, then we get the field, the result of the get will have been stripslashed.
Workaround is to re-pull the object from the DB after saving it (which you may already be doing if you're using the Post/Redirect/Get pattern).
2. CoughPHP does not know if the value comes from Get/Post/Cookie and will incorrectly stripslashes on values that do not come from those sources.
Workaround (assuming you can't turn off magic_quotes_gpc) is to addslashes if magic_quotes_gpc is on:
if (get_magic_
$value = addslashes($value);
}
Related branches
| Changed in coughphp: | |
| assignee: | nobody → awbush |
| importance: | Undecided → High |
| milestone: | none → 1.4 |
| status: | New → Confirmed |
| description: | updated |
| Anthony Bush (awbush) wrote | #1 |
Keep in mind as_database is being removed, and as_database2 will be used going forward which has no escape function (the quote function takes care of escaping directly).