PHP

Journal yintercept's Journal: Stripping Slashes 3

Zend's waffling on features like register globals and magic quotes has made programming more like walking through a minefield than simple scripting. To have the same script run on different servers, the script must detect current settings then act accordingly.

It is not that I have problems with the idea of detecting settings and acting accordingly. It is just that such actions are very inefficient in a scripting language. (It would not be a problem in a compiled language).

Anyway, I am trying to figure out how to write a program for populating a database that would work with MagicQuotes on or off. If this were a compiled language, I would simply write a replacement program for addslashes(). The program would not add slashes if slashes have already been added. Such a scheme would prevent the double slashing effect, but would fail when a person wants to add slashed data to the database. For example, if you were writing documentation for PHP, or were storing PHP code in a database.
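
The failure case described above, as an added example that is not part of the original journal entry or its comments: it compares a "skip if it already looks slashed" replacement for addslashes() with stripping based on the server setting. The function names are hypothetical, addslashes() stands in for whatever escaping mechanism is used, and the magic quotes setting is passed as a parameter so both server configurations can be simulated in one run.

```php
<?php
// Added example: all function names here are hypothetical.

// The journal's idea: skip escaping when the value already "looks" slashed.
function addSlashesOnce(string $v): string {
    $looksEscaped = preg_match('/\\\\[\'"\\\\]/', $v) === 1;
    return $looksEscaped ? $v : addslashes($v);
}

// Setting-based approach: undo magic quotes only when the server applied
// them, then escape exactly once.
function normalizeThenEscape(string $v, bool $magicQuotesOn): string {
    if ($magicQuotesOn) {
        $v = stripslashes($v);
    }
    return addslashes($v); // stand-in for the escaping mechanism you use
}

// Simulate what arrives in $_POST under each server setting.
function asReceived(string $typed, bool $magicQuotesOn): string {
    return $magicQuotesOn ? addslashes($typed) : $typed;
}

// Constructed inputs: plain text, and PHP documentation that contains \' itself.
$samples = ["O'Reilly", 'echo \'It\\\'s\';'];

foreach ([true, false] as $mq) {
    foreach ($samples as $typed) {
        $in = asReceived($typed, $mq);
        // stripslashes() models the database undoing one level of escaping.
        $storedHeuristic = stripslashes(addSlashesOnce($in));
        $storedSetting   = stripslashes(normalizeThenEscape($in, $mq));
        printf("magic_quotes=%s typed=%s\n  heuristic: %s\n  setting:   %s\n",
            $mq ? 'on ' : 'off', $typed,
            $storedHeuristic === $typed ? 'ok' : "CORRUPTED -> $storedHeuristic",
            $storedSetting === $typed ? 'ok' : "CORRUPTED -> $storedSetting");
    }
}
```

The heuristic corrupts only the documentation sample with magic quotes off: the typed backslash is mistaken for escaping, so the value is passed through unescaped and the backslash is lost on storage.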
  • Ask PHP:

    get_magic_quotes_runtime(); [php.net]

    Then:

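    // Undo automatic slashes when magic_quotes_runtime is on, then escape once.
    function escapeIfNeeded($x) {
        if (get_magic_quotes_runtime()) {
            $x = stripslashes($x);
        }
        $x = _insert_your_favorite_escaping_mechanism_here_($x);
        return $x;
    }

    // Apply escapeIfNeeded() to every key and value, recursing into nested arrays.
    function fixArray($foo) {
        $bar = array();
        foreach ($foo as $k => $v) {
            if (is_array($v)) {
                $bar[escapeIfNeeded($k)] = fixArray($v);
            } else {
                $bar[escapeIfNeeded($k)] = escapeIfNeeded($v);
            }
        }
        return $bar;
    }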

    $_POST=fix

    • Nice code. I like the recursive loop to catch nested arrays.

      What really has me down is the difficulty in testing PHP code to determine which is the most efficient way to detect and respond to magic quotes for a production server. The code will be called hundreds of thousands of times a day. It may be more efficient to test for magic quotes only once, and striptags if the feature is on. This code might look like

      if (get_magic_quotes_runtime()) {
      // loop through $_POST;
      }

      It seems absurd to code that does

      • by Qzukk ( 229616 )
        It seems absurd to code that does a stripslashes(addslashes())

        Actually, http://us2.php.net/ini_set [php.net] has a response in the middle somewhere that explains how to use an Apache .htaccess file to override PHP settings. I'd say distributing a .htaccess file which disables register globals and disables magic quotes would be a good first line of defense, then check to see if it's still on and strip the slashes (maybe the installer isn't running Apache or doesn't have the right AllowOverride setting, which you would
