Handling of magic_quotes_gpc is wrong

Bug #347901 reported by Anthony Bush
Affects Status Importance Assigned to Milestone
Anthony Bush
Won't Fix
Fix Committed
Anthony Bush

Bug Description

CoughPHP handles magic_quotes_gpc by calling stripslashes if appropriate in As_Database::escape.

There are a couple of different issues (all of which only occur when magic_quotes_gpc is on):

1. What you set and save doesn't get returned in the get:

 $notes = $user->getNotes();

The result of the get will not have been stripslashed. However, if another code path is taken, where the object is loaded from the database, then we get the field, the result of the get will have been stripslashed.

Workaround is to re-pull the object from the DB after saving it (which you may already be doing if you're using the Post/Redirect/Get pattern).

2. CoughPHP does not know if the value comes from Get/Post/Cookie and will incorrectly stripslashes on values that do not come from those sources.

Workaround (assuming you can't turn off magic_quotes_gpc) is to addslashes if magic_quotes_gpc is on:

 if (get_magic_quotes_gpc()) {
  $value = addslashes($value);

Related branches

Anthony Bush (awbush)
Changed in coughphp:
assignee: nobody → awbush
importance: Undecided → High
milestone: none → 1.4
status: New → Confirmed
Anthony Bush (awbush)
description: updated
Revision history for this message
Anthony Bush (awbush) wrote :

Keep in mind as_database is being removed, and as_database2 will be used going forward which has no escape function (the quote function takes care of escaping directly).

To post a comment you must log in.
This report contains Public information  
Everyone can see this information.

Other bug subscribers

Related questions

Remote bug watches

Bug watches keep track of this bug in other bug trackers.