Handling of magic_quotes_gpc is wrong

Bug #347901 reported by Anthony Bush on 2009-03-24
Affects: CoughPHP; Importance: High; Assigned to: Anthony Bush
Affects: 1.3; Importance: Undecided; Assigned to: Unassigned
Affects: 1.4; Importance: High; Assigned to: Anthony Bush

Bug Description

CoughPHP handles magic_quotes_gpc by calling stripslashes if appropriate in As_Database::escape.

There are a couple of different issues (all of which only occur when magic_quotes_gpc is on):

1. What you set and save doesn't get returned in the get:

 $user->setNotes($_POST["notes"]);
 $user->save();
 $notes = $user->getNotes();

The result of the get will not have been stripslashed. However, if another code path is taken, where the object is loaded from the database and then we get the field, the result of the get will have been stripslashed.

Workaround is to re-pull the object from the DB after saving it (which you may already be doing if you're using the Post/Redirect/Get pattern).

2. CoughPHP does not know if the value comes from Get/Post/Cookie and will incorrectly call stripslashes on values that do not come from those sources.

Workaround (assuming you can't turn off magic_quotes_gpc) is to addslashes if magic_quotes_gpc is on:

 if (get_magic_quotes_gpc()) {
  $value = addslashes($value);
 }
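
The two issues above, reproduced in a small stand-alone script and compared with undoing magic quotes once at the request boundary. This is an added example, not part of the original report and not CoughPHP code. Assumptions: all function names are hypothetical, `$mq` stands in for `get_magic_quotes_gpc()`, `addslashes()` stands in for the driver's real escaping, and the sample values are constructed.

```php
<?php
// Added illustration, not CoughPHP code; all function names are hypothetical.
// $mq stands in for get_magic_quotes_gpc(); addslashes() for the driver's escaping.

// Behaviour described in the report: the escape layer strips slashes from
// every value when magic quotes are on, whatever the value's origin.
function escapeInDbLayer(string $value, bool $mq): string
{
    return addslashes($mq ? stripslashes($value) : $value);
}

// Alternative: undo magic quotes once, on the GPC arrays only.
function normalizeGpc(array $input, bool $mq): array
{
    if (!$mq) return $input;
    return array_map(
        fn($v) => is_array($v) ? normalizeGpc($v, true) : stripslashes($v),
        $input
    );
}

// Stand-in for what the database keeps after parsing the escaped literal.
function stored(string $escaped): string
{
    return stripslashes($escaped);
}

function check(string $label, string $got, string $want): void
{
    if ($got !== $want) {
        throw new RuntimeException("$label: got [$got], wanted [$want]");
    }
    echo "$label: $got\n";
}

$mq   = true;                    // magic_quotes_gpc on
$post = ['notes' => "it\\'s"];   // constructed: "it's" as magic quotes delivers it
$path = 'C:\temp\new';           // constructed: value that never came from GPC

// Issue 1: the object keeps the quoted value, the database gets the stripped one.
check('in memory (layer strips)', $post['notes'], "it\\'s");
check('in database (layer strips)', stored(escapeInDbLayer($post['notes'], $mq)), "it's");
// Issue 2: a non-GPC value loses its backslashes.
check('non-GPC value (layer strips)', stored(escapeInDbLayer($path, $mq)), 'C:tempnew');
// Normalizing at the boundary: memory and database agree, non-GPC data is intact.
$clean = normalizeGpc($post, $mq);
check('in memory (boundary)', $clean['notes'], "it's");
check('in database (boundary)', stored(addslashes($clean['notes'])), "it's");
check('non-GPC value (boundary)', stored(addslashes($path)), 'C:\temp\new');
```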

Anthony Bush (awbush) on 2009-03-24
Changed in coughphp:
assignee: nobody → awbush
importance: Undecided → High
milestone: none → 1.4
status: New → Confirmed
Anthony Bush (awbush) on 2009-03-24
description: updated
Anthony Bush (awbush) wrote :

Keep in mind as_database is being removed, and as_database2 will be used going forward which has no escape function (the quote function takes care of escaping directly).
