I think I may have found a slightly nicer (and safer) solution than I've previously found to the problem of PHP's magic_quotes_gpc. When you're converting old applications you don't want to just replace every addslashes() with a conditional escaping method, or to unquote all your form input on the assumption that the original programmer was sensible. The input won't necessarily have come from forms or cookies, so that might reduce your security. You still want to escape everything that goes into the function, but you may want to run stripslashes() on it first if it is probably GPC data and magic quoting is turned on. Otherwise the value is escaped twice: with magic_quotes_gpc on, a submitted O'Reilly arrives as O\'Reilly, and addslashes() turns that into O\\\'Reilly, so the stored value gains a spurious backslash.
<?php
// Escape a value for use in a MySQL query, undoing magic quotes first when
// the value is (probably) GET/POST/COOKIE data that PHP has already slashed.
// Call it only on GPC-derived values: running stripslashes() on data from
// other sources (files, the database, the command line) would remove
// backslashes that magic quotes never added.
function gpc_escape($str) {
    if (get_magic_quotes_gpc()) {
        $str = stripslashes($str);
    }
    // mysql_real_escape_string() escapes according to the character set of
    // the open connection, which mysql_escape_string() ignores; it therefore
    // needs a connection to have been established before it is called.
    return mysql_real_escape_string($str);
}
?>
Then you can do something like this (the glob is quoted so the shell does not expand it against the current directory, and -print0/-0 keep paths containing spaces intact):
$ find . -name '*.php' -print0 | xargs -0 perl -pi -e 's/addslashes/gpc_escape/g'