[imp] backslashes in passwords (again)

Adrian Hosey alh at warhound.org
Wed Aug 20 15:04:59 PDT 2003


On Wed, 20 Aug 2003, Adrian Hosey wrote:
: 
: I still have some people with backslashes in their password who can't
: log in. I found this line in imp/lib/IMP.php:
: 
: 152: Auth::setAuth($imp['uniquser'], array('password' => $_POST['pass']));
: 
: So that's going to be bypassing Horde::getFormData() and if
: magic_quotes_gpc is on, $_POST['pass'] will be something like "foo\\bar"
: when the password is really "foo\bar".

Replying to myself. Sorry, it's been a long day.

Anyway, someone is going to yell at me because the FAQ says this:

-=-=-

5.3.10 Email sent from IMP is full of backslashes.

If characters such as ', ", and \ are producing extra backslashes ("\") in
IMP, you probably have one of the following settings in your php.ini (or
php3.ini in PHP version 3):

   magic_quotes_gpc     = on
   magic_quotes_runtime = on
   magic_quotes_sybase  = on

All magic_quotes options must be disabled for IMP. Remember to restart
your web server after changing php.ini settings.

-=-=-

So let me rephrase my question. Is there a reason to use $_POST['pass'] in
the code? Why not use Horde::getFormData() and then this won't be a FAQ
anymore? What if some people are running IMP alongside other PHP
applications that need magic_quotes_gpc to be on?

That's why I'm hesitant to just turn off magic_quotes_gpc. I don't know if
that has implications for other PHP code on the server.

Thanks again,

 - A

-- 
We're currently having what we in the industry like to call "an 
unrequested fission surplus."
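
The mismatch discussed in this message, as an added PHP example that is not part of the original post and is not Horde or IMP code. addslashes() stands in for what magic_quotes_gpc did to incoming form data (with magic_quotes_sybase off); emulate_magic_quotes_gpc(), form_value() and the sample password are hypothetical names and constructed values. On the PHP versions of the time, the flag passed to form_value() would come from get_magic_quotes_gpc().

```php
<?php
// Added illustration: why a password containing a backslash fails when the
// raw POST value is used while magic_quotes_gpc is on, and how one
// normalization point fixes it for both settings.

// Assumption: magic_quotes_gpc (sybase mode off) behaved like addslashes()
// on every GET/POST/cookie value before the script saw it.
function emulate_magic_quotes_gpc(string $raw): string
{
    return addslashes($raw);
}

// Hypothetical helper: return the value as the user typed it, undoing the
// runtime's escaping only when that escaping actually happened.
function form_value(array $post, string $key, bool $magicQuotesOn): ?string
{
    if (!isset($post[$key])) {
        return null;
    }
    return $magicQuotesOn ? stripslashes($post[$key]) : $post[$key];
}

// Constructed sample: the real password has exactly one backslash.
$typed = 'foo\bar';

// Server with magic_quotes_gpc on: the script receives an escaped copy.
$postOn = ['pass' => emulate_magic_quotes_gpc($typed)];

// Using the raw value hands the mail backend a different string than the
// user typed, so authentication fails.
var_dump($postOn['pass']);
var_dump(hash_equals($typed, $postOn['pass']));

// Reading through the helper restores the typed password.
var_dump(hash_equals($typed, form_value($postOn, 'pass', true)));

// Server with magic_quotes_gpc off: the value arrives untouched and the
// helper must leave it alone.
$postOff = ['pass' => $typed];
var_dump(hash_equals($typed, form_value($postOff, 'pass', false)));

// Stripping unconditionally is not a fix: on a server with the setting off
// it removes the user's own backslash and breaks the same logins.
var_dump(hash_equals($typed, stripslashes($postOff['pass'])));
```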
