[dev] Proposal: replace most dispelMagicQuotes() usage with a single filter in core.php?
Jan Schneider
jan at horde.org
Sat Jan 27 02:02:26 PST 2007
Zitat von Chuck Hagenbuch <chuck at horde.org>:
> Similar to the register_globals protection that we have in core.php,
> what if we did all magic quotes un-escaping there instead of on
> every call to getFormData?
That doesn't look right to me. It makes much more sense to me to have
that inside a framework class/method than in a single place. core.php
is loaded for all of our apps, but not if you use the framework
classes separately.
If it was an expensive method, that would be a good reason, but it isn't.
> Something like this (from one of Ilia's presentations):
>
> if (get_magic_quotes_gpc()) {
> $in = array(&$_GET, &$_POST, &$_COOKIE);
> while (list($k,$v) = each($in)) {
> foreach ($v as $key => $val) {
> if (!is_array($val)) {
> $in[$k][$key] = stripslashes($val); continue;
> }
> $in[] =& $in[$k][$key];
> }
> }
> unset($in);
> }
>
>
> Also, I notice that $_SESSION is missing from the register globals
> protection - any specific reason why?
Probably because we don't need to "protect" from them because they
can't be set from the user. Given that we already had two problems
with variable name clashing due to register_globals and $_SESSION,
this might still be a good idea, but since core.php is loaded before
the session is started, that wouldn't help anyway.
Jan.
--
Do you need professional PHP or Horde consulting?
http://horde.org/consulting/
More information about the dev
mailing list