[imp] backslashes in passwords (again)
Jan Schneider
jan at horde.org
Wed Aug 20 15:25:55 PDT 2003
Quoting Adrian Hosey <alh at warhound.org>:
> On Wed, 20 Aug 2003, Adrian Hosey wrote:
> :
> : I still have some people with backslashes in their password who can't
> : log in. I found this line in imp/lib/IMP.php:
> :
> : 152: Auth::setAuth($imp['uniquser'], array('password' => $_POST['pass']));
> :
> : So that's going to be bypassing Horde::getFormData() and if
> : magic_quotes_gpc is on, $_POST['pass'] will be something like "foo\\bar"
> : when the password is really "foo\bar".
>
> Replying to myself. Sorry, it's been a long day.
>
> Anyway, someone is going to yell at me because the FAQ says this:
>
> -=-=-
>
> 5.3.10 Email sent from IMP is full of backslashes.
>
> If characters such as ', ", and \ are producing extra backslashes ("\") in
> IMP, you probably have one of the following settings in your php.ini (or
> php3.ini in PHP version 3):
>
> magic_quotes_gpc = on
> magic_quotes_runtime = on
> magic_quotes_sybase = on
>
> All magic_quotes options must be disabled for IMP. Remember to restart
> your web server after changing php.ini settings.
>
> -=-=-
>
> So let me rephrase my question. Is there a reason to use $_POST['pass']
> in the code?
To not allow people to access redirect.php with something like
redirect.php?user=foo&pass=bar.
Horde::dispelMagicQuotes() should be used though.
> Why not use Horde::getFormData() and then this won't be a FAQ
> anymore. What if some people are running IMP alongside other PHP
> applications that need magic_quotes_gpc to be on?
Then that's a really badly written application.
> That's why I'm hesitant to just turn off magic_quotes_gpc. I don't know if
> that has implications for other PHP code on the server.
Jan.
--
http://www.horde.org - The Horde Project
http://www.ammma.de - discover your knowledge
http://www.tip4all.de - Your private betting pool
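
The login failure discussed in this thread, as an added example that is not part of the original messages and is not Horde's code: a password containing a backslash is escaped on the way in, and has to be unescaped exactly once, from POST data only, before it is used as a credential. Assumptions: magic_quotes_gpc is simulated with addslashes() because the setting does not exist in current PHP, and every function name and the sample request are hypothetical.

```php
<?php
// Added example. simulate_magic_quotes(), dispel_magic_quotes() and
// posted_password() are hypothetical names, not Horde functions.

/** What magic_quotes_gpc = on did to every incoming GET/POST/cookie value. */
function simulate_magic_quotes(array $input): array
{
    return array_map(
        fn($v) => is_array($v) ? simulate_magic_quotes($v) : addslashes($v),
        $input
    );
}

/** Undo the escaping once, and only if the server actually applied it. */
function dispel_magic_quotes($value, bool $magicQuotesOn)
{
    if (!$magicQuotesOn) {
        return $value; // stripping here would eat the user's real backslashes
    }
    return is_array($value)
        ? array_map(fn($v) => dispel_magic_quotes($v, true), $value)
        : stripslashes($value);
}

/** Read the password from POST data only, so a ?pass=... URL is ignored. */
function posted_password(array $post, bool $magicQuotesOn): ?string
{
    if (!isset($post['pass']) || !is_string($post['pass'])) {
        return null;
    }
    return dispel_magic_quotes($post['pass'], $magicQuotesOn);
}

$real = 'foo\\bar'; // PHP literal for the password foo\bar
$post = simulate_magic_quotes(['pass' => $real]); // constructed request body

$checks = [
    'raw POST value equals real password'      => $post['pass'] === $real,
    'dispelled value, magic quotes on'         => posted_password($post, true) === $real,
    'untouched value, magic quotes off'        => posted_password(['pass' => $real], false) === $real,
    'missing POST field yields no credential'  => posted_password([], true) === null,
];
foreach ($checks as $label => $ok) {
    printf("%-42s %s\n", $label, $ok ? 'yes' : 'no');
}
```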