As title. We should support installations where there is poor configuration of IIS/Apache such that you cannot override the default setting of magic_quotes being on. The fewer PHP ini configuration settings we rely on, the better.

Comments

teamonkey’s picture

I added the following early on in common.inc. Not sure if that's the best place for it, but it seems to work. Needs testers.

ini_set("magic_quotes_gpc",0); // Just in case you can
if (get_magic_quotes_gpc()==1) {
    foreach($HTTP_GET_VARS as $key=>$val)
        $HTTP_GET_VARS["$key"] = stripslashes($val);
    foreach($HTTP_POST_VARS as $key=>$val)
        $HTTP_POST_VARS["$key"] = stripslashes($val);
    foreach($HTTP_COOKIE_VARS as $key=>$val)
        $HTTP_COOKIE_VARS["$key"] = stripslashes($val);
}

al’s picture

I think magic quotes also affects database calls. You'll need to quote things appropriately (or at least investigate to make sure that the db abstraction layer does all the relevant stuff).

Also, I don't think doing the ini_set is a good idea. The GET/POST values will have been quoted *before* the script actually executes. So if this ini_set actually succeeds and the following line returns false, then it'll mess things up.

teamonkey’s picture

magic_quotes_gpc works on GET/POST/COOKIES, magic_quotes_runtime works on database sources. You're allowed to change magic_quotes_runtime at execution time using the function set_magic_quotes_runtime(). We should probably add that to make sure.

Good point about ini_set - best to remove it.

killes@www.drop.org’s picture

Component: Base system » base system

Fixed in CVS.
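
The approach discussed in this thread (no ini_set, strip slashes only when magic_quotes_gpc is reported on, and switch off magic_quotes_runtime), written out as an added example; it is not the code that was committed to CVS. The function names are hypothetical, the $_GET/$_POST/$_COOKIE/$_REQUEST superglobals are used in place of the $HTTP_*_VARS arrays, and nested array values are handled, which goes beyond the snippet posted above.

```php
<?php
// Added illustration; function names are hypothetical, not Drupal's.

// Remove the backslashes magic_quotes_gpc added, descending into nested
// arrays such as those produced by form fields named like a[b].
function example_strip_slashes_deep($value) {
    if (is_array($value)) {
        return array_map('example_strip_slashes_deep', $value);
    }
    return is_string($value) ? stripslashes($value) : $value;
}

// Call once, before any code reads request data.
function example_undo_magic_quotes() {
    static $done = false;
    if ($done) {
        return; // A second pass would eat legitimate backslashes.
    }
    $done = true;

    // No ini_set() here: the input was escaped before the script started.
    // The functions below no longer exist in current PHP, hence the guards.
    if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
        $_GET     = example_strip_slashes_deep($_GET);
        $_POST    = example_strip_slashes_deep($_POST);
        $_COOKIE  = example_strip_slashes_deep($_COOKIE);
        $_REQUEST = example_strip_slashes_deep($_REQUEST);
    }

    // magic_quotes_runtime (data read from databases and files) can be
    // switched off at run time.
    if (function_exists('set_magic_quotes_runtime')) {
        set_magic_quotes_runtime(0);
    }
}

example_undo_magic_quotes();
```

Stripping the slashes only normalizes input; values still have to be escaped or bound as parameters when they reach the database layer.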