  1. #1
    andygout

    Magic quotes not disabled when passing variable via session

    I am having a problem with magic quotes being disabled when passing and outputting a variable via a session (although magic_quotes are successfully disabled the rest of the time). I am using PHP Version 5.4.3.

    Magicquotes (I’ve added the last line re. $_SESSION given that’s what the variable is being passed through, although it was not mentioned in Kevin Yank’s book):-
    PHP Code:
    <?php
    if (get_magic_quotes_gpc())
    {
        function stripslashes_deep($value)
        {
            $value = is_array($value) ?
                array_map('stripslashes_deep', $value) :
                stripslashes($value);

            return $value;
        }

        $_POST = array_map('stripslashes_deep', $_POST);
        $_GET = array_map('stripslashes_deep', $_GET);
        $_COOKIE = array_map('stripslashes_deep', $_COOKIE);
        $_REQUEST = array_map('stripslashes_deep', $_REQUEST);
        $_SESSION = array_map('stripslashes_deep', $_SESSION);
    }
    ?>
    Controller ($attraction_name is entered into database so must first be sanitized) (excerpts):-
    PHP Code:
    include_once $_SERVER['DOCUMENT_ROOT'] . '/includes/magicquotes.inc.php';

    $attraction_name = mysqli_real_escape_string($link, $_POST['attraction_name']);

    session_start();
    $_SESSION['message'] = 'THIS ATTRACTION HAS BEEN EDITED:' . ' ' . $attraction_name;
    header('Location:  . ');
    exit(); 
    Display page:-
    PHP Code:
    <?php session_start(); if (isset($_SESSION['message'])) { echo $_SESSION['message']; unset($_SESSION['message']); } ?>
    If the variable passed through is ‘St Paul’s Cathedral’, then it will output:-
    THIS ATTRACTION HAS BEEN EDITED: St. Paul\’s Cathedral
    I have also tried creating a variable (having first applied htmlspecialchars) specifically to be output as the session message and using that instead (also to no avail):-
    PHP Code:
    $attraction_name_session = htmlspecialchars($attraction_name, ENT_QUOTES, 'UTF-8');
    And passing the below (while it has none of the above problems) would leave it open to hackers given the attraction_name is to be input by users.
    PHP Code:
    $_POST['attraction_name'];
    Any ideas?

  2. #2
    felgall
    PHP 5.4 doesn't even support magic quotes so all your code relating to them is unnecessary and should be removed.
    Stephen J Chapman

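
In the controller excerpt in post #1, the value placed in `$_SESSION['message']` has already been through `mysqli_real_escape_string()`, which backslash-escapes quotes for use inside a SQL string literal. The following is an added example, not code from either poster, that keeps the raw value and encodes it once per output context. It assumes PDO with an in-memory SQLite database as a stand-in for the thread's MySQL link, and the `attractions` table and both function names are hypothetical.

```php
<?php
// Added example: keep the raw value, encode once per output context.
// Assumptions: PDO + in-memory SQLite stands in for the thread's MySQL
// link; the "attractions" table and both function names are hypothetical.
// Requires PHP 7.1+ (scalar and void type declarations).

// SQL context: a bound parameter needs no manual escaping at all.
function save_attraction(PDO $db, string $rawName): void
{
    $stmt = $db->prepare('INSERT INTO attractions (name) VALUES (:name)');
    $stmt->execute([':name' => $rawName]);
}

// HTML context: encode at the moment of output, never before storage.
function render_message(string $rawMessage): string
{
    return htmlspecialchars($rawMessage, ENT_QUOTES, 'UTF-8');
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE attractions (name TEXT NOT NULL)');

// Constructed inputs standing in for $_POST['attraction_name'].
$samples = [
    "St Paul's Cathedral",
    '<script>alert(1)</script>',
    "x'); DROP TABLE attractions; --",
];

foreach ($samples as $raw) {
    save_attraction($db, $raw);

    // What the controller would put in $_SESSION['message']: the raw text.
    $sessionMessage = 'THIS ATTRACTION HAS BEEN EDITED: ' . $raw;

    // What the display page would echo: HTML-encoded, no SQL escaping.
    echo render_message($sessionMessage), PHP_EOL;
}

// Compare what the database holds with what was submitted.
$stored = $db->query('SELECT name FROM attractions ORDER BY rowid')
             ->fetchAll(PDO::FETCH_COLUMN);
var_dump($stored === $samples);
```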

