[imp] backslashes in passwords (again)

Jan Schneider jan at horde.org
Wed Aug 20 15:25:55 PDT 2003


Quoting Adrian Hosey <alh at warhound.org>:

> On Wed, 20 Aug 2003, Adrian Hosey wrote:
> :
> : I still have some people with backslashes in their password who can't
> : log in. I found this line in imp/lib/IMP.php:
> :
> : 152: Auth::setAuth($imp['uniquser'], array('password' => $_POST['pass']));
> :
> : So that's going to be bypassing Horde::getFormData() and if
> : magic_quotes_gpc is on, $_POST['pass'] will be something like "foo\\bar"
> : when the password is really "foo\bar".
>
> Replying to myself. Sorry, it's been a long day.
>
> Anyway, someone is going to yell at me because the FAQ says this:
>
> -=-=-
>
> 5.3.10 Email sent from IMP is full of backslashes.
>
> If characters such as ', ", and \ are producing extra backslashes ("\") in
> IMP, you probably have one of the following settings in your php.ini (or
> php3.ini in PHP version 3):
>
>    magic_quotes_gpc     = on
>    magic_quotes_runtime = on
>    magic_quotes_sybase  = on
>
> All magic_quotes options must be disabled for IMP. Remember to restart
> your web server after changing php.ini settings.
>
> -=-=-
>
> So let me rephrase my question. Is there a reason to use $_POST['pass']
> in the code?

To not allow people to access redirect.php with something like
redirect.php?user=foo&pass=bar.

Horde::dispelMagicQuotes() should be used though.

> Why not use Horde::getFormData() and then this won't be a FAQ
> anymore. What if some people are running IMP alongside other PHP
> applications that need magic_quotes_gpc to be on?

Then that's a really badly written application.

> That's why I'm hesitant to just turn off magic_quotes_gpc. I don't know if
> that has implications for other PHP code on the server.

Jan.

--
http://www.horde.org - The Horde Project
http://www.ammma.de - discover your knowledge
http://www.tip4all.de - Deine private Tippgemeinschaft
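
The behaviour discussed in this thread, as an added example that is not part of the original messages and is not Horde code: it shows how a password typed as foo\bar arrives escaped when magic_quotes_gpc is on, and one way to read it from the POST body only and unescape it. The function names are hypothetical, and because the magic_quotes settings no longer exist in current PHP, their effect is simulated with a flag.

```php
<?php
// Added illustration. Function names are hypothetical, not Horde APIs.

// Simulates what magic_quotes_gpc = on did to a request value before the
// script ran. Simplified: with magic_quotes_sybase, only the doubling of
// single quotes is modelled.
function emulate_magic_quotes_gpc(string $raw, bool $sybase = false): string
{
    return $sybase ? str_replace("'", "''", $raw) : addslashes($raw);
}

// Reads a credential from the POST body only and undoes the escaping.
// $post stands in for $_POST, $magicQuotes for get_magic_quotes_gpc().
function read_post_credential(array $post, string $key, bool $magicQuotes, bool $sybase = false): ?string
{
    if (!isset($post[$key]) || !is_string($post[$key])) {
        return null; // absent, or an array such as pass[]=x
    }
    if (!$magicQuotes) {
        return $post[$key];
    }
    return $sybase
        ? str_replace("''", "'", $post[$key])
        : stripslashes($post[$key]);
}

function check(bool $ok, string $what): void
{
    if (!$ok) {
        throw new RuntimeException("check failed: $what");
    }
    echo "ok: $what\n";
}

// Constructed sample: the user typed foo\bar into the login form.
$typed = 'foo\\bar';
$post  = ['pass' => emulate_magic_quotes_gpc($typed)];

// What line 152 passes on: the escaped value, one character longer.
check($post['pass'] !== $typed && strlen($post['pass']) === 8, 'raw $_POST value is escaped');
// After unescaping, the value matches what the user typed.
check(read_post_credential($post, 'pass', true) === $typed, 'unescaped value matches');
// Sybase-style escaping leaves the backslash alone and doubles quotes.
$sy = ['pass' => emulate_magic_quotes_gpc("o'neil\\x", true)];
check(read_post_credential($sy, 'pass', true, true) === "o'neil\\x", 'sybase mode round-trips');
// A password supplied only in the query string is never read.
check(read_post_credential([], 'pass', true) === null, 'GET-only credential is ignored');
```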

