magic_quotes and other evils

Well, it seems that as the development of the learning platform trundles to its conclusion, I'm forced to look back at what has been done so far and say, "Bugger".

Halfway through the development I switched my development server from Linux to Windows and, unknown to me, started using a server that had magic_quotes_gpc = on in its php.ini.

What does that mean?

I wouldn't have worried about it too much, really, if it hadn't been for the minutes from the PHP 6 developers' meeting, which basically say that magic_quotes_gpc is out: it has caused too much grief for developers and too many migration issues. I can see the point. It was a handy way of blunting SQL injection, but that's no replacement for secure code.

So, because I've already gone through the code "fixing" errors that weren't really there to begin with (I was working against the characters that magic quotes had escaped), I now have to go through the code again to make sure it works properly without magic quotes!

Also, I have had to add two new functions from the PHP manual to ensure that magic quotes will not upset the code in the future.

Here’s the code:

<code>
<?php
// Recursively strip the backslashes that magic_quotes_gpc added;
// nested arrays are walked rather than passed to stripslashes() directly.
function stripslashes_deep($value)
{
   return (is_array($value) ? array_map('stripslashes_deep', $value) : stripslashes($value));
}

// Only undo the escaping when magic quotes are actually on for this request.
if (get_magic_quotes_gpc())
{
   $_GET    = array_map('stripslashes_deep', $_GET);
   $_POST   = array_map('stripslashes_deep', $_POST);
   $_COOKIE = array_map('stripslashes_deep', $_COOKIE);
}
?>
</code>

If you run plain stripslashes on a request value that is itself an array (as happens with form fields like tags[]), you destroy any nested arrays and keys that were passed through, and if your code relies on them it will break. That is why stripslashes_deep recurses into arrays instead.

So, just include this script at the start of each page and you should be okay.
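To show both points above at once (the nested-array case that stripslashes_deep handles, and the fact that stripping magic quotes is not itself the SQL injection defence), here is an added example that is not part of the original post. It builds a hand-constructed $post array of the shape magic_quotes_gpc would have produced, runs the deep strip over it, checks that nested keys survive, and then stores the value through a bound parameter. It assumes a PHP build with the pdo_sqlite extension, and guards the get_magic_quotes_gpc() call with function_exists(), because that function was deprecated in PHP 7.4 and removed in PHP 8.0.

```php
<?php
// Added example, not from the original post. Assumes pdo_sqlite is available;
// the request data below is constructed by hand to mimic magic_quotes_gpc = on.

function stripslashes_deep($value)
{
    return is_array($value)
        ? array_map('stripslashes_deep', $value)
        : stripslashes($value);
}

// Safe to call on any PHP version: get_magic_quotes_gpc() is gone in PHP 8.
function magic_quotes_active()
{
    return function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc();
}

// Constructed sample of what $_POST looks like with magic quotes on, for a
// form that sent name=O'Brien, tags[0]=it's and tags[meta][note]=a"b.
$post = array(
    'name' => "O\\'Brien",
    'tags' => array(
        0      => "it\\'s",
        'meta' => array('note' => 'a\\"b'),
    ),
);

// For the sample we strip unconditionally; against the live $_POST you would
// wrap this in if (magic_quotes_active()) { ... } as the post's snippet does.
$clean = array_map('stripslashes_deep', $post);

// Nested arrays and their keys are preserved, only the added slashes are gone.
$expected = array(
    'name' => "O'Brien",
    'tags' => array(0 => "it's", 'meta' => array('note' => 'a"b')),
);
if ($clean !== $expected) {
    throw new RuntimeException('stripslashes_deep did not restore the nested input');
}

// Escaping is the database layer's job: bind the value as a parameter rather
// than interpolating it into the SQL string.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT NOT NULL)');

$stmt = $db->prepare('INSERT INTO users (name) VALUES (:name)');
$stmt->execute(array(':name' => $clean['name']));

$row = $db->query('SELECT name FROM users')->fetch(PDO::FETCH_ASSOC);
if ($row['name'] !== "O'Brien") {
    throw new RuntimeException('value was not stored as typed by the user');
}

echo "stored name: " . $row['name'] . "\n";
```

The apostrophe in O'Brien reaches the database intact and without a stray backslash, because the prepared statement keeps data separate from the query text. That separation is what makes the code safe whether magic quotes are on, off, or no longer exist in the PHP version you run.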