Activity log for bug #347901

Date Who What changed Old value New value Message
2009-03-24 13:07:21 Anthony Bush coughphp: status New Confirmed
2009-03-24 13:07:21 Anthony Bush coughphp: assignee awbush
2009-03-24 13:07:21 Anthony Bush coughphp: importance Undecided High
2009-03-24 13:07:21 Anthony Bush coughphp: statusexplanation
2009-03-24 13:07:21 Anthony Bush coughphp: milestone 1.4
2009-03-24 13:17:53 Anthony Bush description

Old value:

I'm working on a couple of platforms (local testing on a mac, stage at my own provider, live/livetest at a friend's provider). Some of these platforms have magic_quotes_gpc set, others don't. I've tried to switch magic_quotes_gpc off, but have not had any luck; I'm beginning to suspect that it is not allowed.

As I've read the code, and what I've seen of the database, CoughPHP handles magic_quotes_gpc by calling stripslashes if appropriate in As_Database::escape.

Now, what I'm trying to do is set a field from a form, save the object, then later get the field from the form. ($user->setNotes($_POST["notes"]); $user->save(); $notes = $user->setNotes(); in simplified form) The result of the get will, in this case, not have been stripslashed. However, if another code path is taken, where the object is loaded from the database, then we get the field, the result of the get will have been stripslashed. On the other hand, if I stripslash the argument to setNotes myself, it will be stripslashed twice before it reaches the database. Not good, either.

Come to think of it, how does CoughPHP 'know' that the value of the field comes from Get/Post/Cookie? What if I set my field to a hardcoded value? ($user->setNotes("\\\"");, to set it to backslash-quotes) Then I will have to change my hardcoded value depending on if magic_quotes_gpc is set? Or if I set my field to a field from another object? Then I will have to slashify the value if magic_quotes_gpc is set?

What is the suggested approach to dealing with magic_quotes_gpc when using CoughPHP? I'd almost go so far as to suggest that CoughPHP should not try to handle magic_quotes_gpc, and leave it up to the programmer using CoughPHP.

New value:

CoughPHP handles magic_quotes_gpc by calling stripslashes if appropriate in As_Database::escape. There are a couple of different issues (all of which only occur when magic_quotes_gpc is on):

1. What you set and save doesn't get returned in the get: $user->setNotes($_POST["notes"]); $user->save(); $notes = $user->getNotes(); The result of the get will not have been stripslashed. However, if another code path is taken, where the object is loaded from the database, then we get the field, the result of the get will have been stripslashed. Workaround is to re-pull the object from the DB after saving it (which you may already be doing if you're using the Post/Redirect/Get pattern).

2. CoughPHP does not know if the value comes from Get/Post/Cookie and will incorrectly stripslashes on values that do not come from those sources. Workaround (assuming you can't turn off magic_quotes_gpc) is to addslashes if magic_quotes_gpc is on:

if (get_magic_quotes_gpc()) { $value = addslashes($value); }
2009-03-24 15:10:26 Anthony Bush None: status New Fix Committed
2009-03-24 15:10:26 Anthony Bush None: assignee awbush
2009-03-24 15:10:26 Anthony Bush None: importance Undecided High
2009-03-24 15:10:26 Anthony Bush None: statusexplanation Keep in mind as_database is being removed, and as_database2 will be used going forward which has no escape function (the quote function takes care of escaping directly).
2009-03-24 15:10:26 Anthony Bush None: milestone 1.4
2009-03-24 15:11:16 Anthony Bush None: status New Won't Fix
2009-03-24 15:11:16 Anthony Bush None: statusexplanation
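The two issues in the bug description, reproduced as an added PHP example; this is not CoughPHP's own code. modelEscape() is a hypothetical stand-in for the As_Database::escape() behaviour the report describes (stripslashes when magic quotes are on, then driver escaping, with addslashes() standing in for the driver), and a boolean flag stands in for get_magic_quotes_gpc(), which was deprecated in PHP 7.4 and removed in PHP 8, so the example runs on current PHP. With the flag on, the first two checks fail (get-after-save disagrees with get-after-reload, and a hardcoded backslash-quote loses its backslash) and only the addslashes() workaround from the report keeps the hardcoded value intact; with the flag off all three pass.

```php
<?php
// Added example modelling the behaviour described in bug #347901; not CoughPHP code.
// $magicQuotesOn stands in for get_magic_quotes_gpc(), which no longer exists in PHP 8.

/**
 * Hypothetical stand-in for As_Database::escape() as the report describes it:
 * undo the slashes magic_quotes_gpc added, then escape for the SQL literal.
 * addslashes() stands in for the driver's escaping here.
 */
function modelEscape(string $value, bool $magicQuotesOn): string
{
    if ($magicQuotesOn) {
        $value = stripslashes($value);
    }
    return addslashes($value);
}

/** What the database ends up storing once the SQL literal is decoded again. */
function modelStoredValue(string $value, bool $magicQuotesOn): string
{
    return stripslashes(modelEscape($value, $magicQuotesOn));
}

/** Simulated $_POST value: with magic quotes on, PHP has already added slashes. */
function modelPostValue(string $rawInput, bool $magicQuotesOn): string
{
    return $magicQuotesOn ? addslashes($rawInput) : $rawInput;
}

/** The workaround from the report, for values that did not come from Get/Post/Cookie. */
function prepareNonGpcValue(string $value, bool $magicQuotesOn): string
{
    return $magicQuotesOn ? addslashes($value) : $value;
}

function runDemo(bool $magicQuotesOn): array
{
    // Issue 1: $user->setNotes($_POST['notes']) keeps the slashed POST value in memory,
    // while save() strips it, so a get after save and a get after reload can disagree.
    $posted = modelPostValue('He said "hi"', $magicQuotesOn);   // constructed form input
    $inMemoryAfterSave = $posted;
    $afterReload = modelStoredValue($posted, $magicQuotesOn);

    // Issue 2: a hardcoded backslash-quote never went through GPC but is stripped anyway.
    $hardcoded = "\\\"";                                      // two characters: \ and "
    $storedNaive = modelStoredValue($hardcoded, $magicQuotesOn);
    $storedWithWorkaround = modelStoredValue(
        prepareNonGpcValue($hardcoded, $magicQuotesOn),
        $magicQuotesOn
    );

    return [
        'get_after_save_matches_reload' => $inMemoryAfterSave === $afterReload,
        'hardcoded_survives_naive'      => $storedNaive === $hardcoded,
        'hardcoded_survives_workaround' => $storedWithWorkaround === $hardcoded,
    ];
}

// Run the three checks with the flag off and on to compare the two configurations.
foreach ([false, true] as $flag) {
    printf("magic_quotes_gpc %s\n", $flag ? 'on' : 'off');
    foreach (runDemo($flag) as $check => $ok) {
        printf("  %-32s %s\n", $check, $ok ? 'ok' : 'FAIL');
    }
}
```

The first failing check is the reason the report recommends re-pulling the object after save() (Post/Redirect/Get gives you that for free); the second is why a value that did not arrive via Get/Post/Cookie has to be re-slashed before it reaches an escape routine that unconditionally strips when magic quotes are on.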