[dev] Proposal: replace most dispelMagicQuotes() usage with a single filter in core.php?

Jan Schneider jan at horde.org
Sat Jan 27 02:02:26 PST 2007


Quoting Chuck Hagenbuch <chuck at horde.org>:

> Similar to the register_globals protection that we have in core.php,  
> what if we did all magic quotes un-escaping there instead of on  
> every call to getFormData?

That doesn't look right to me. It makes much more sense to me to have  
that inside a framework class/method than in a single place. core.php  
is loaded for all of our apps, but not if you use the framework  
classes separately.
If it was an expensive method, that would be a good reason, but it isn't.

> Something like this (from one of Ilia's presentations):
>
> if (get_magic_quotes_gpc()) {
>   $in = array(&$_GET, &$_POST, &$_COOKIE);
>   while (list($k,$v) = each($in)) {
>     foreach ($v as $key => $val) {
>       if (!is_array($val)) {
>          $in[$k][$key] = stripslashes($val); continue;
>       }
>       $in[] =& $in[$k][$key];
>     }
>   }
>   unset($in);
> }
>
>
> Also, I notice that $_SESSION is missing from the register globals  
> protection - any specific reason why?

Probably because we don't need to "protect" from them because they  
can't be set by the user. Given that we already had two problems  
with variable name clashing due to register_globals and $_SESSION,  
this might still be a good idea, but since core.php is loaded before  
the session is started, that wouldn't help anyway.

Jan.

-- 
Do you need professional PHP or Horde consulting?
http://horde.org/consulting/
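
The trade-off discussed in this message, as an added example that is not part of the original post and not Horde code: un-escaping has to happen exactly once, whether in a central filter or in the per-call accessor. The names `strip_recursive()` and `get_form_data()` are hypothetical stand-ins, and the magic-quoted input is simulated with `addslashes()` on constructed values.

```php
<?php
// Added example: hypothetical helper names, not Horde's API.

// Recursively undo magic-quotes style escaping on a value or nested array.
function strip_recursive($value)
{
    return is_array($value)
        ? array_map('strip_recursive', $value)
        : stripslashes($value);
}

// Stand-in for a per-call accessor that may un-escape on read.
function get_form_data(array $source, $key, $dispel)
{
    if (!isset($source[$key])) {
        return null;
    }
    return $dispel ? strip_recursive($source[$key]) : $source[$key];
}

// Constructed input: what the user typed, and what the script would receive
// with magic_quotes_gpc enabled (simulated here with addslashes()).
$typed  = array('path' => 'C:\\temp', 'name' => "O'Brien");
$quoted = array_map('addslashes', $typed);

// Result of a central filter that ran once at startup.
$central = strip_recursive($quoted);

// Case 1: exactly one layer un-escapes. Both variants return the typed value.
var_dump(get_form_data($central, 'path', false) === $typed['path']);
var_dump(get_form_data($quoted, 'path', true) === $typed['path']);

// Case 2: central filter AND per-call un-escape. The second pass removes
// the backslash the user actually typed, silently changing the data.
var_dump(get_form_data($central, 'path', true));

// Case 3: the accessor is used without the central file being loaded and
// without per-call un-escaping. The escaping leaks into application data.
var_dump(get_form_data($quoted, 'name', false));
```

Case 3 is the situation raised above for framework classes used without core.php; case 2 is what remains if a central filter is added while per-call un-escaping stays in place.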


