From ac5b4b0a95382a3cc19c81089a4e9ca5ff291704 Mon Sep 17 00:00:00 2001
From: Chris Morgan
Date: Mon, 26 Jun 2006 00:44:44 +0000
Subject: [PATCH] Warn if magic quotes is enabled and explain a bit about why
we require that magic quotes be disabled. Also remove all of the conditional
code that was working around cases where we had magic quotes enabled. We
were only working around a small portion of the cases where magic quotes were
affecting the appdb.
---
include/application.php | 31 ++++++++---------------------
include/distributions.php | 14 +++----------
include/incl.php | 21 ++++++++++++++++++++
include/testResults.php | 41 ++++++++++++---------------------------
include/version.php | 31 +++++++----------------------
5 files changed, 51 insertions(+), 87 deletions(-)
diff --git a/include/application.php b/include/application.php
index ff66bca..bf6fa47 100644
--- a/include/application.php
+++ b/include/application.php
@@ -450,10 +450,7 @@ class Application {
echo '| Application description | ',"\n";
echo ' |
',"\n";
- else
- echo $this->sDescription.'
',"\n";
+ echo $this->sDescription.'',"\n";
echo "\n";
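Review bot: Dropping the `else` makes the `echo $this->sDescription...` line unconditional, but the `if` it belonged to is outside the hunk, so it cannot be confirmed here whether the "empty description" row just above is now printed together with the description instead of instead of it; the two echos should still be mutually exclusive. The description is also echoed into HTML with no visible escaping call; if sDescription holds user-submitted text that was presumably only passed through makeSafe() (a database-escaping helper, as far as the commit message suggests) rather than an HTML escape, this is an output-encoding gap, and `echo htmlspecialchars($this->sDescription, ENT_QUOTES), "\n";` (or the project's HTML escaping helper) would be the safer form. The version.php hunk at line 552 has the same shape. The enclosing method starts before the hunk.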
@@ -505,25 +502,13 @@ class Application {
$aClean['appWebpage'] = makeSafe($_REQUEST['appWebpage']);
$aClean['appKeywords'] = makeSafe($_REQUEST['appKeywords']);
- if(get_magic_quotes_gpc())
- {
- $this->iAppId = stripslashes($aClean['appId']);
- $this->sName = stripslashes($aClean['appName']);
- $this->sDescription = stripslashes($aClean['appDescription']);
- $this->iCatId = stripslashes($aClean['appCatId']);
- $this->iVendorId = stripslashes($aClean['appVendorId']);
- $this->sWebpage = stripslashes($aClean['appWebpage']);
- $this->sKeywords = stripslashes($aClean['appKeywords']);
- } else
- {
- $this->iAppId = $aClean['appId'];
- $this->sName = $aClean['appName'];
- $this->sDescription = $aClean['appDescription'];
- $this->iCatId = $aClean['appCatId'];
- $this->iVendorId = $aClean['appVendorId'];
- $this->sWebpage = $aClean['appWebpage'];
- $this->sKeywords = $aClean['appKeywords'];
- }
+ $this->iAppId = $aClean['appId'];
+ $this->sName = $aClean['appName'];
+ $this->sDescription = $aClean['appDescription'];
+ $this->iCatId = $aClean['appCatId'];
+ $this->iVendorId = $aClean['appVendorId'];
+ $this->sWebpage = $aClean['appWebpage'];
+ $this->sKeywords = $aClean['appKeywords'];
}
/* display this application */
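Review bot: The integer-named properties iAppId, iCatId and iVendorId are assigned the request strings as-is; makeSafe() presumably escapes for the query but does not validate, so a non-numeric value still lands in the property and in any SQL that embeds it unquoted. Casting at the boundary is cheap and removes the ambiguity: `$this->iAppId = (int) $aClean['appId'];` and likewise `$this->iCatId = (int) $aClean['appCatId'];` and `$this->iVendorId = (int) $aClean['appVendorId'];`. The same applies to iDistributionId in the distributions.php hunk, to iTestingId, iVersionId and iDistributionId in the testResults.php hunk, and to iAppId and iVersionId in the second version.php hunk. The enclosing method starts before the hunk.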
diff --git a/include/distributions.php b/include/distributions.php
index cb4fdc7..4cd073a 100644
--- a/include/distributions.php
+++ b/include/distributions.php
@@ -367,17 +367,9 @@ class distribution{
$aClean['sName'] = makeSafe($_REQUEST['sName']);
$aClean['sUrl'] = makeSafe($_REQUEST['sUrl']);
- if(get_magic_quotes_gpc())
- {
- $this->iDistributionId = stripslashes($aClean['iDistributionId']);
- $this->sName = stripslashes($aClean['sName']);
- $this->sUrl = stripslashes($aClean['sUrl']);
- } else
- {
- $this->iDistributionId = $aClean['iDistributionId'];
- $this->sName = $aClean['sName'];
- $this->sUrl = $aClean['sUrl'];
- }
+ $this->iDistributionId = $aClean['iDistributionId'];
+ $this->sName = $aClean['sName'];
+ $this->sUrl = $aClean['sUrl'];
}
}
diff --git a/include/incl.php b/include/incl.php
index f4a7ebf..afa3639 100644
--- a/include/incl.php
+++ b/include/incl.php
@@ -13,6 +13,27 @@ require(BASE."include/menu.php");
require(BASE."include/html.php");
require(BASE."include/db.php");
+/* if magic quotes are enabled make sure the user disables them */
+/* otherwise they will see all kinds of odd effects that are difficult */
+/* to track down */
+if(get_magic_quotes_gpc())
+{
+ echo "Please disable the magic quotes GPC PHP setting. See this page for more information
";
+ echo "AppDB php code assumes magic quotes are disabled.
";
+ echo "Magic quotes are a bad idea for a few reasons.
";
+ echo "First is that php calls addslashes() on all \$_POST, \$_REQUEST and cookie variables ";
+ echo "if magic quotes is enabled. ";
+ echo "Ooooooh you say.
";
+ echo "\"Aren't magic quotes a convienent way to protect my php code from sql injection attacks?\"
";
+ echo "No! addslashes() isn't adequate. You should use mysql_real_escape_string() or some other function";
+ echo " that will handle multi-byte characters. See this article";
+ echo " for a way to exploit addslash()ed parameters.
";
+ echo "A second reason is that with magic quotes enabled, due to the use of mysql_real_escape_string() to";
+ echo " protect from sql injection attacks we'll end up with variables that have been addslash()ed and";
+ echo " mysql_real_escape_string()ed. So you end up having to call stripslashes() on EVERY variable. ";
+ exit;
+}
+
// create arrays
$sidebar_func_list = array();
$help_list = array();
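Review bot: The guard only tests get_magic_quotes_gpc(), but the magic_quotes_runtime setting applies addslashes() to data read back from the database and from files, which produces exactly the doubled-escaping the comment warns about; `if(get_magic_quotes_gpc() || get_magic_quotes_runtime())` covers both. The message has a typo, "convienent", and the fifteen separate echo calls would read better as one heredoc string so the text can be edited as a whole. Because this fires on every request and is shown to any visitor, it is worth also reporting it through trigger_error() or error_log() so the operator notices the misconfiguration without relying on the public page.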
diff --git a/include/testResults.php b/include/testResults.php
index dc1bfd2..b782e3a 100644
--- a/include/testResults.php
+++ b/include/testResults.php
@@ -574,35 +574,18 @@ class testData{
$aClean['sTestedRating'] = makeSafe($_REQUEST['sTestedRating']);
$aClean['sComments'] = makeSafe($_REQUEST['sComments']);
- if(get_magic_quotes_gpc())
- {
- $this->iTestingId = stripslashes($aClean['iTestingId']);
- $this->iVersionId = stripslashes($aClean['iVersionId']);
- $this->sWhatWorks = stripslashes($aClean['sWhatWorks']);
- $this->sWhatDoesnt = stripslashes($aClean['sWhatDoesnt']);
- $this->sWhatNotTested = stripslashes($aClean['sWhatNotTested']);
- $this->sTestedDate = stripslashes($aClean['sTestedDate']);
- $this->iDistributionId = stripslashes($aClean['iDistributionId']);
- $this->sTestedRelease = stripslashes($aClean['sTestedRelease']);
- $this->sInstalls = stripslashes($aClean['sInstalls']);
- $this->sRuns = stripslashes($aClean['sRuns']);
- $this->sTestedRating = stripslashes($aClean['sTestedRating']);
- $this->sComments = stripslashes($aClean['sComments']);
- } else
- {
- $this->iTestingId = $aClean['iTestingId'];
- $this->iVersionId = $aClean['iVersionId'];
- $this->sWhatWorks = $aClean['sWhatWorks'];
- $this->sWhatDoesnt = $aClean['sWhatDoesnt'];
- $this->sWhatNotTested = $aClean['sWhatNotTested'];
- $this->sTestedDate = $aClean['sTestedDate'];
- $this->iDistributionId = $aClean['iDistributionId'];
- $this->sTestedRelease = $aClean['sTestedRelease'];
- $this->sInstalls = $aClean['sInstalls'];
- $this->sRuns = $aClean['sRuns'];
- $this->sTestedRating = $aClean['sTestedRating'];
- $this->sComments = $aClean['sComments'];
- }
+ $this->iTestingId = $aClean['iTestingId'];
+ $this->iVersionId = $aClean['iVersionId'];
+ $this->sWhatWorks = $aClean['sWhatWorks'];
+ $this->sWhatDoesnt = $aClean['sWhatDoesnt'];
+ $this->sWhatNotTested = $aClean['sWhatNotTested'];
+ $this->sTestedDate = $aClean['sTestedDate'];
+ $this->iDistributionId = $aClean['iDistributionId'];
+ $this->sTestedRelease = $aClean['sTestedRelease'];
+ $this->sInstalls = $aClean['sInstalls'];
+ $this->sRuns = $aClean['sRuns'];
+ $this->sTestedRating = $aClean['sTestedRating'];
+ $this->sComments = $aClean['sComments'];
}
diff --git a/include/version.php b/include/version.php
index 30bf6bc..9a31a00 100644
--- a/include/version.php
+++ b/include/version.php
@@ -552,13 +552,7 @@ class Version {
echo '| Version description | ',"\n";
echo ' |
',"\n";
- else
- echo $this->sDescription.'',"\n";
+ echo $this->sDescription.'',"\n";
echo '',"\n";
@@ -612,23 +606,12 @@ class Version {
$aClean['maintainer_rating'] = makeSafe($_REQUEST['maintainer_rating']);
$aClean['maintainer_release'] = makeSafe($_REQUEST['maintainer_release']);
- if(get_magic_quotes_gpc())
- {
- $this->iAppId = stripslashes($aClean['appId']);
- $this->iVersionId = stripslashes($aClean['versionId']);
- $this->sName = stripslashes($aClean['versionName']);
- $this->sDescription = stripslashes($aClean['versionDescription']);
- $this->sTestedRating = stripslashes($aClean['maintainer_rating']);
- $this->sTestedRelease = stripslashes($aClean['maintainer_release']);
- } else
- {
- $this->iAppId = $aClean['appId'];
- $this->iVersionId = $aClean['versionId'];
- $this->sName = $aClean['versionName'];
- $this->sDescription = $aClean['versionDescription'];
- $this->sTestedRating = $aClean['maintainer_rating'];
- $this->sTestedRelease = $aClean['maintainer_release'];
- }
+ $this->iAppId = $aClean['appId'];
+ $this->iVersionId = $aClean['versionId'];
+ $this->sName = $aClean['versionName'];
+ $this->sDescription = $aClean['versionDescription'];
+ $this->sTestedRating = $aClean['maintainer_rating'];
+ $this->sTestedRelease = $aClean['maintainer_release'];
}
function display()