Working with magic_quotes_gpc set.

Asked by Johannes Keukelaar on 2009-03-22

I'm working on a couple of platforms (local testing on a Mac, stage at my own provider, live/livetest at a friend's provider). Some of these platforms have magic_quotes_gpc set, others don't. I've tried to switch magic_quotes_gpc off, but have not had any luck; I'm beginning to suspect that it is not allowed.

As I've read the code, and what I've seen of the database, CoughPHP handles magic_quotes_gpc by calling stripslashes if appropriate in As_Database::escape.

Now, what I'm trying to do is set a field from a form, save the object, then later get the field from the form. ($user->setNotes($_POST["notes"]); $user->save(); $notes = $user->getNotes(); in simplified form) The result of the get will, in this case, not have been stripslashed. However, if another code path is taken, where the object is loaded from the database, then we get the field, the result of the get will have been stripslashed.

On the other hand, if I stripslash the argument to setNotes myself, it will be stripslashed twice before it reaches the database. Not good, either.

Come to think of it, how does CoughPHP 'know' that the value of the field comes from Get/Post/Cookie? What if I set my field to a hardcoded value? ($user->setNotes("\\\"");, to set it to backslash-quote) Then I will have to change my hardcoded value depending on whether magic_quotes_gpc is set? Or if I set my field to a field from another object? Then I will have to slashify the value if magic_quotes_gpc is set?

What is the suggested approach to dealing with magic_quotes_gpc when using CoughPHP? I'd almost go so far as to suggest that CoughPHP should not try to handle magic_quotes_gpc, and leave it up to the programmer using CoughPHP.

Question information

Language: English
Project: CoughPHP
Assignee: none
Solved by: Anthony Bush
Anthony Bush (awbush) said (best answer): #1


Thanks for your question. This is an issue I'd love to resolve but have been unsure of the best way. CoughPHP doesn't know that the value comes from GPC which, as you pointed out, causes problems when trying to save data from a non-GPC source with magic_quotes_gpc turned on.

Best practice is to make sure magic_quotes_gpc is turned off and then this becomes a non-issue.

However, I think you are correct, and we can safely remove CoughPHP's (well, As_Database::escape's) handling of magic_quotes_gpc, leaving this to the developer. If they forget to handle it in an environment with magic_quotes_gpc turned on, the worst case should merely be extra slashes being stored in the database (which could be corrected after the fact).

This is an easy change and I'll push for it to go in the 1.4 release. This should also make the escape/quote functions in the new 1.4 DAL (multi-DB engine support) easier to write as they won't all have to perform this check.
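Added example, written for this page and not taken from CoughPHP or from either poster: a front-controller helper that undoes magic_quotes_gpc once at request entry, next to stand-ins for the two escape strategies discussed above (an escape layer that calls stripslashes() when magic quotes are on, versus a plain escape that assumes raw input). It runs on constructed input with addslashes() standing in for the database driver's escape function, so the corruption cases from the question (a hard-coded backslash-quote losing a backslash, a value being stripslashed twice) are visible without a database. The function names strip_magic_quotes_deep, undo_magic_quotes, escape_with_mq_handling and escape_plain are assumptions for illustration.

```php
<?php
// Added example, not CoughPHP code. Shows why an escape layer that calls
// stripslashes() when magic_quotes_gpc is on corrupts values that did not come
// from GET/POST/COOKIE, and the fix the answer recommends: undo magic quotes
// once at request entry, then treat every value as raw from there on.

// Recursively strip the slashes magic_quotes_gpc added. Array keys are slashed
// too, so they are handled as well.
function strip_magic_quotes_deep($value)
{
    if (is_array($value)) {
        $clean = array();
        foreach ($value as $k => $v) {
            $clean[stripslashes($k)] = strip_magic_quotes_deep($v);
        }
        return $clean;
    }
    return is_string($value) ? stripslashes($value) : $value;
}

// Call once from the front controller before anything else reads input.
// get_magic_quotes_gpc() was removed in PHP 8, so the call is guarded; on a
// modern runtime this is a no-op.
function undo_magic_quotes()
{
    if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
        $_GET     = strip_magic_quotes_deep($_GET);
        $_POST    = strip_magic_quotes_deep($_POST);
        $_COOKIE  = strip_magic_quotes_deep($_COOKIE);
        $_REQUEST = strip_magic_quotes_deep($_REQUEST);
    }
}

// Old strategy from the thread: the escape layer guesses that every value came
// from GPC and strips slashes first. addslashes() plays the driver's escape
// function so this runs without a database.
function escape_with_mq_handling($value, $magic_quotes_on)
{
    if ($magic_quotes_on) {
        $value = stripslashes($value);
    }
    return addslashes($value);
}

// Recommended strategy: escape only; the caller guarantees the value is raw.
function escape_plain($value)
{
    return addslashes($value);
}

// ---- Demonstration on constructed input ---------------------------------
$typed   = 'O\'Reilly wrote "C:\\temp"';        // what the user actually typed
$post    = array('notes' => addslashes($typed)); // what PHP hands you with magic_quotes_gpc=On
$literal = '\\"';                                // hard-coded backslash-quote, never slashed by PHP

// stripslashes(escape(x)) is what the database would end up storing.
echo "old strategy, POST value     : ",
    stripslashes(escape_with_mq_handling($post['notes'], true)) === $typed ? "ok" : "corrupted", "\n";
echo "old strategy, literal value  : ",
    stripslashes(escape_with_mq_handling($literal, true)) === $literal ? "ok" : "corrupted", "\n";

// Stripping in application code AND in the escape layer strips twice, which
// eats the real backslash in C:\temp.
echo "old strategy, stripped twice : ",
    stripslashes(escape_with_mq_handling(stripslashes($post['notes']), true)) === $typed ? "ok" : "corrupted", "\n";

// New strategy: undo magic quotes once at entry (what undo_magic_quotes() does
// to $_POST), then every value, GPC or not, is escaped the same way.
$clean_post = strip_magic_quotes_deep($post);
echo "new strategy, POST value     : ",
    stripslashes(escape_plain($clean_post['notes'])) === $typed ? "ok" : "corrupted", "\n";
echo "new strategy, literal value  : ",
    stripslashes(escape_plain($literal)) === $literal ? "ok" : "corrupted", "\n";
// A getter called before save() now also returns the raw value.
echo "new strategy, pre-save get   : ",
    $clean_post['notes'] === $typed ? "ok" : "corrupted", "\n";
```

With this arrangement the only place that knows about magic_quotes_gpc is the entry point; setters, getters and the escape layer all see the same raw string whether it came from a form, a literal or another object, which is exactly the inconsistency the question describes.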

Thanks Anthony Bush, that solved my question.