By oak6 on

I cannot turn magic_quotes_gpc off.

I have a virtual host, can't use htaccess and can't alter php.ini.

With slightly older versions of Drupal, I could comment out the check in index.php and everything was fine. Now I've upgraded to CVS and slashes are multiplying whenever a post is changed.

At the moment this makes Drupal unusable. There must be loads of other people in the same situation. What can we do?

Comments

al’s picture

al commented

There's already a feature request for this (I think). One of the problems is probably that most of the developers have access to machines with more control over things than people like you, so they have magic_quotes_gpc off and have little impetus to change things.

This /is/ a big problem. A quick fix might be to edit index.php (or some other file which gets called first at every page view) and create a for each loop to do a stripslashes on the HTTP_POST_VARS and HTTP_GET_VARS arrays.

oak6’s picture

oak6 commented

Tried stripslashes in common.inc and in index.php, but no luck. Maybe there's a better place, but I don't know the files well enough.

porkrind’s picture

porkrind commented

I added the following to index.php:


function stripslashes_array($arr = array()) {
       $rs = array();

 while (list($key,$val) = each($arr)) {
 $rs[$key] = stripslashes($val);
 }

 return $rs;
}

if (get_magic_quotes_gpc())
{
  stripslashes_array($HTTP_GET_VARS);
 stripslashes_array($HTTP_POST_VARS);
  stripslashes_array($HTTP_COOKIE_VARS);
}

In the theme file, I added stripslashes() to whatever was returned by the "check_output" function. There were about 3 or 4 instances in my theme file. That seems to have alleviated the problem. YMMV. If that doesn't work for you, you'll have to look at functions that return output in the files modules/forum.module, modules/node.module, includes/common.inc, and includes/theme.inc.

The idea is that you want to strip slashes from the output, not from data that gets stored in your database, as that could open up some gaping security holes.

Steven’s picture

Steven commented

I'm commenting here because this seems the best result on Google for "magic quotes Drupal". Your method is bad because it doesn't handle nested arrays: this will cause problems with certain configuration screens in Drupal.

A better patch for 4.3 is available on my website (this patch is obsolete in CVS).

oak6’s picture

oak6 commented

Adding the code to index.php and the theme file (stylebox - 5 instances of check_output) fixed the problem when the node is displayed, which is great. However, when a node is edited the slashes show up in the textarea, and are submitted with the edit - the slashes are then multiplied and end up back in the displayed node again.

I had a look through the inc and theme files - tried altering a few places but with no effect - can you give some more clues about which parts might need changing?

UPDATE: Found it in node.module Only local images are allowed.
return stripslashes(form($output, ($param["method"] ? $param["method"] : "post"), $param["action"], $param["options"]));

and the 'function format_rss_item' section of common.inc:
return stripslashes($output);

there are probably more places that'll turn up later Only local images are allowed.