Commit: 07da9a04b2e17c72f15e74fe984b601a4707b812 Author: Sherif Ramadan <[email protected]> Wed, 26 Dec 2012 15:34:22 -0500 Parents: c2b7b05b1c237ecfd281f7acf5f1e8f908a7205b Branches: master
Link: http://git.php.net/?p=web/master.git;a=commitdiff;h=07da9a04b2e17c72f15e74fe984b601a4707b812 Log: Clean up GPC handling and move everything to undo_magic_quotes function for portability. Changed paths: M entry/user-notes-vote.php M include/functions.inc M manage/user-notes.php Diff:
diff --git a/entry/user-notes-vote.php b/entry/user-notes-vote.php
index 04cfe54..bcaa62a 100644
--- a/entry/user-notes-vote.php
+++ b/entry/user-notes-vote.php
@@ -20,21 +20,49 @@ { "status": false, "message": "Invalid request..." }
 */
+undo_magic_quotes();
+
 /*
- - Since filter.default is 'magic_quotes' I'm reverting to filter_input with FILTER_UNSAFE_RAW as this was the original
- assumption underwhich this code was written. The code continues to use mysql_real_escape_string as opposed to
- relying on magic_quotes and the addslashes/strip dependencies were removed entirely from this code.
- - This remains to be portable whether magic_quotes is set as filter.default or not.
- - Please use hscr() as opposed to clean() and real_clean() as opposed to escape().
+ This function will revert the GPCRS superglobals to their raw state if the default.filter/magic_quotes is on.
+ Please do not use this function unless your code has no dependency on magic_quotes and is properly escaping data.
 */
-foreach($_GET as $key => $val) $_GET[$key] = filter_input(INPUT_GET,$key,FILTER_UNSAFE_RAW);
-foreach($_POST as $key => $val) $_POST[$key] = filter_input(INPUT_POST,$key,FILTER_UNSAFE_RAW);
-foreach($_COOKIE as $key => $val) $_COOKIE[$key] = filter_input(INPUT_COOKIE,$key,FILTER_UNSAFE_RAW);
-foreach($_POST as $key => $val) $_REQUEST[$key] = filter_input(INPUT_POST,$key,FILTER_UNSAFE_RAW);
-foreach($_GET as $key => $val) $_REQUEST[$key] = filter_input(INPUT_GET,$key,FILTER_UNSAFE_RAW);
-foreach($_SERVER as $key => $val) $_SERVER[$key] = filter_input(INPUT_SERVER,$key,FILTER_UNSAFE_RAW);
-
-
+function undo_magic_quotes() {
+ if (!empty($_POST)) {
+ $args = array();
+ foreach ($_POST as $key => $val) $args[$key] = array('filter' => FILTER_UNSAFE_RAW, 'flags' => is_array($val) ?
+ FILTER_REQUIRE_ARRAY : FILTER_REQUIRE_SCALAR);
+ $_POST = filter_input_array(INPUT_POST, $args);
+ $_REQUEST = filter_input_array(INPUT_POST, $args);
+ }
+ if (!empty($_GET)) {
+ $args = array();
+ foreach ($_GET as $key => $val) $args[$key] = array('filter' => FILTER_UNSAFE_RAW, 'flags' => is_array($val) ?
+ FILTER_REQUIRE_ARRAY : FILTER_REQUIRE_SCALAR);
+ $_GET = filter_input_array(INPUT_GET, $args);
+ $_REQUEST += filter_input_array(INPUT_GET, $args);
+ }
+ if (!empty($_COOKIE)) {
+ $args = array();
+ foreach ($_COOKIE as $key => $val) $args[$key] = array('filter' => FILTER_UNSAFE_RAW, 'flags' => is_array($val) ?
+ FILTER_REQUIRE_ARRAY : FILTER_REQUIRE_SCALAR);
+ $_COOKIE = filter_input_array(INPUT_COOKIE, $args);
+ $_REQUEST += filter_input_array(INPUT_COOKIE, $args);
+ }
+ if (!empty($_SERVER)) {
+ $args = array();
+ $append = array();
+ foreach ($_SERVER as $key => $val) {
+ if ($key == 'REQUEST_TIME' || $key == 'REQUEST_TIME_FLOAT') {
+ $append[$key] = $val;
+ continue;
+ }
+ $args[$key] = array('filter' => FILTER_UNSAFE_RAW, 'flags' => is_array($val) ?
+ FILTER_REQUIRE_ARRAY : FILTER_REQUIRE_SCALAR);
+ }
+ $_SERVER = filter_input_array(INPUT_SERVER, $args);
+ $_SERVER += $append;
+ }
+}
 // Validate that the request to vote on a user note is OK (ip limits, post variables, and db info must pass validation)
 function vote_validate_request(PDO $dbh) {
diff --git a/include/functions.inc b/include/functions.inc
index acf3adb..7885478 100644
--- a/include/functions.inc
+++ b/include/functions.inc
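Review bot: `$_REQUEST` is reset only inside the `if (!empty($_POST))` branch, so on a request with no POST body it keeps whatever it held before the call, and the later `$_REQUEST += filter_input_array(INPUT_GET, $args)` cannot replace those entries because array union keeps the left operand's keys; `$_GET` ends up raw while `$_REQUEST` still carries the escaped copies. Starting the function with `$_REQUEST = array();` and changing the POST branch to `$_REQUEST += filter_input_array(INPUT_POST, $args);` makes all three branches contribute the same way. The identical body is added to include/functions.inc in this commit; if this file already loads that include (not visible in the hunk) the second definition is a fatal redeclaration, and even if it does not, keeping two copies invites drift, so the local copy should go. The copy in include/functions.inc has the same `$_REQUEST` issue.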
@@ -252,3 +252,50 @@ function get_extension_info($mirror_hostname,$ext=null) {
 // We use markdown for people profiles
 include_once dirname(__FILE__) . '/../vendor/michelf/php-markdown-extra/markdown.php';
+
+
+// -----------------------------------------------------------------------------------
+
+/*
+ This function will revert the GPCRS superglobals to their raw state if the default.filter/magic_quotes is on.
+ Please do not use this function unless your code has no dependency on magic_quotes and is properly escaping data.
+*/
+function undo_magic_quotes() {
+ if (!empty($_POST)) {
+ $args = array();
+ foreach ($_POST as $key => $val) $args[$key] = array('filter' => FILTER_UNSAFE_RAW, 'flags' => is_array($val) ?
+ FILTER_REQUIRE_ARRAY : FILTER_REQUIRE_SCALAR);
+ $_POST = filter_input_array(INPUT_POST, $args);
+ $_REQUEST = filter_input_array(INPUT_POST, $args);
+ }
+ if (!empty($_GET)) {
+ $args = array();
+ foreach ($_GET as $key => $val) $args[$key] = array('filter' => FILTER_UNSAFE_RAW, 'flags' => is_array($val) ?
+ FILTER_REQUIRE_ARRAY : FILTER_REQUIRE_SCALAR);
+ $_GET = filter_input_array(INPUT_GET, $args);
+ $_REQUEST += filter_input_array(INPUT_GET, $args);
+ }
+ if (!empty($_COOKIE)) {
+ $args = array();
+ foreach ($_COOKIE as $key => $val) $args[$key] = array('filter' => FILTER_UNSAFE_RAW, 'flags' => is_array($val) ?
+ FILTER_REQUIRE_ARRAY : FILTER_REQUIRE_SCALAR);
+ $_COOKIE = filter_input_array(INPUT_COOKIE, $args);
+ $_REQUEST += filter_input_array(INPUT_COOKIE, $args);
+ }
+ if (!empty($_SERVER)) {
+ $args = array();
+ $append = array();
+ foreach ($_SERVER as $key => $val) {
+ if ($key == 'REQUEST_TIME' || $key == 'REQUEST_TIME_FLOAT') {
+ $append[$key] = $val;
+ continue;
+ }
+ $args[$key] = array('filter' => FILTER_UNSAFE_RAW, 'flags' => is_array($val) ?
+ FILTER_REQUIRE_ARRAY : FILTER_REQUIRE_SCALAR);
+ }
+ $_SERVER = filter_input_array(INPUT_SERVER, $args);
+ $_SERVER += $append;
+ }
+}
+
+// -----------------------------------------------------------------------------------
diff --git a/manage/user-notes.php b/manage/user-notes.php
index b5b6272..f05511d 100644
--- a/manage/user-notes.php
+++ b/manage/user-notes.php
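Review bot: `$_POST = filter_input_array(INPUT_POST, $args);` and the matching `$_GET`, `$_COOKIE` and `$_SERVER` assignments store the return value unchecked, but `filter_input_array()` returns `false` on failure and `null` when the input is unavailable, which would leave a superglobal holding a non-array and make the following `$_REQUEST +=` / `$_SERVER += $append` fail (array union with a non-array is an unsupported-operand error). Assign to a local first and only overwrite the superglobal when it is an array, e.g. `$clean = filter_input_array(INPUT_POST, $args); if (is_array($clean)) { $_POST = $clean; }`. The header comment's `default.filter` should read `filter.default`, the directive name the removed comment used; it would also help to state there that the function re-reads the original request through filter_input_array(), so any change a script made to these superglobals before calling it is discarded. Both points apply equally to the copy in entry/user-notes-vote.php.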
@@ -7,22 +7,7 @@ include '../include/email-validation.inc';
 include '../include/note-reasons.inc';
 //require_once 'alert_lib.inc'; // remove comment if alerts are needed
-/*
- - Since filter.default is 'magic_quotes' I'm reverting to filter_input with FILTER_UNSAFE_RAW as this was the original
- assumption underwhich this code was rewritten. The code continues to use mysql_real_escape_string as opposed to
- relying on magic_quotes and the addslashes/strip dependencies were removed entirely from this code.
- - This remains to be portable whether magic_quotes is set as filter.default or not.
- - Please use hscr() as opposed to clean() and real_clean() as opposed to escape().
-*/
-foreach($_GET as $key => $val) $_GET[$key] = filter_input(INPUT_GET,$key,FILTER_UNSAFE_RAW);
-$args = array();
-foreach($_POST as $key => $val) $args[$key] = array('filter' => FILTER_UNSAFE_RAW, 'flags' => is_array($val) ? FILTER_REQUIRE_ARRAY : FILTER_REQUIRE_SCALAR);
-$_POST = filter_input_array(INPUT_POST, $args);
-unset($args);
-foreach($_COOKIE as $key => $val) $_COOKIE[$key] = filter_input(INPUT_COOKIE,$key,FILTER_UNSAFE_RAW);
-foreach($_POST as $key => $val) $_REQUEST[$key] = filter_input(INPUT_POST,$key,FILTER_UNSAFE_RAW);
-foreach($_GET as $key => $val) $_REQUEST[$key] = filter_input(INPUT_GET,$key,FILTER_UNSAFE_RAW);
-foreach($_SERVER as $key => $val) $_SERVER[$key] = filter_input(INPUT_SERVER,$key,FILTER_UNSAFE_RAW);
+undo_magic_quotes();
 define("NOTES_MAIL", "[email protected]");
 define("PHP_SELF", hsc($_SERVER['PHP_SELF']));
-- PHP Webmaster List Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
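Review bot: The removed lines built `$_REQUEST` from `$_POST` and `$_GET` only, whereas `undo_magic_quotes()` as added to include/functions.inc in this commit also merges `$_COOKIE` into it, so after this change a `$_REQUEST[...]` lookup in this management page also sees cookie values. If that widening is intended, a one-line comment at the call site such as `// undo_magic_quotes() also folds $_COOKIE into $_REQUEST` would save the next reader the trip to functions.inc; otherwise the page should read `$_GET`/`$_POST` explicitly where the source of a value matters. The call also assumes include/functions.inc is already loaded by this file, which the includes visible in the hunk do not show; a missing include would be a fatal undefined-function error here, so worth confirming. The file's include block begins above the hunk.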
