Warn if magic quotes is enabled and explain a bit about why we require that magic quotes

be disabled. Also remove all of the conditional code that was working around cases where we had magic quotes enabled. We were only working around a small portion of cases where magic quotes was affecting the appdb.
2006-06-26 00:44:44 +00:00
parent 63d90984a1
commit ac5b4b0a95
5 changed files with 51 additions and 87 deletions
--- a/include/application.php
+++ b/include/application.php
@@ -450,9 +450,6 @@ class Application {
        echo '<tr valign=top><td class="color0"><b>Application description</b></td>',"\n";
        echo '<td><p><textarea cols="80" rows="20" id="app_editor" name="appDescription">';

-        if(get_magic_quotes_gpc())
-            echo stripslashes($this->sDescription).'</textarea></p></td></tr>',"\n";
-        else
        echo $this->sDescription.'</textarea></p></td></tr>',"\n";

        echo "</table>\n";
@@ -505,17 +502,6 @@ class Application {
        $aClean['appWebpage'] = makeSafe($_REQUEST['appWebpage']);
        $aClean['appKeywords'] = makeSafe($_REQUEST['appKeywords']);

-        if(get_magic_quotes_gpc())
-        {
-            $this->iAppId = stripslashes($aClean['appId']);
-            $this->sName = stripslashes($aClean['appName']);
-            $this->sDescription = stripslashes($aClean['appDescription']);
-            $this->iCatId = stripslashes($aClean['appCatId']);
-            $this->iVendorId = stripslashes($aClean['appVendorId']);
-            $this->sWebpage = stripslashes($aClean['appWebpage']);
-            $this->sKeywords = stripslashes($aClean['appKeywords']);
-        } else
-        {
        $this->iAppId = $aClean['appId'];
        $this->sName = $aClean['appName'];
        $this->sDescription = $aClean['appDescription'];
@@ -524,7 +510,6 @@ class Application {
        $this->sWebpage = $aClean['appWebpage'];
        $this->sKeywords = $aClean['appKeywords'];
    }
-    }

    /* display this application */
    function display()
--- a/include/distributions.php
+++ b/include/distributions.php
@@ -367,18 +367,10 @@ class distribution{
        $aClean['sName'] = makeSafe($_REQUEST['sName']);
        $aClean['sUrl'] = makeSafe($_REQUEST['sUrl']);

-        if(get_magic_quotes_gpc())
-        {
-            $this->iDistributionId = stripslashes($aClean['iDistributionId']);
-            $this->sName = stripslashes($aClean['sName']);
-            $this->sUrl = stripslashes($aClean['sUrl']);
-        } else
-        {
        $this->iDistributionId = $aClean['iDistributionId'];
        $this->sName = $aClean['sName'];
        $this->sUrl = $aClean['sUrl'];
    }
-    }

 }

--- a/include/incl.php
+++ b/include/incl.php
@@ -13,6 +13,27 @@ require(BASE."include/menu.php");
 require(BASE."include/html.php");
 require(BASE."include/db.php");

+/* if magic quotes are enabled make sure the user disables them */
+/* otherwise they will see all kinds of odd effects that are difficult */
+/* to track down */
+if(get_magic_quotes_gpc())
+{
+    echo "<b>Please disable the magic quotes GPC PHP setting. See <a href=\"http://us2.php.net/manual/en/ref.info.php#ini.magic-quotes-gpc\"> this page</a> for more information</b><br/><br/>";
+    echo "AppDB php code assumes magic quotes are disabled.<br/><br/>";
+    echo "Magic quotes are a bad idea for a few reasons.<br/><br/>";
+    echo "First is that php calls <b>addslashes()</b> on all \$_POST, \$_REQUEST and cookie variables ";
+    echo "if magic quotes is enabled. ";
+    echo "Ooooooh you say.<br/>";
+    echo "<i>\"Aren't magic quotes a convienent way to protect my php code from sql injection attacks?\"</i><br/><br/>";
+    echo "No!  <b>addslashes()</b> isn't adequate.  You should use <b>mysql_real_escape_string()</b> or some other function";
+    echo " that will handle multi-byte characters.  See <a href=\"http://shiflett.org/archive/184\">this article</a>";
+    echo " for a way to exploit <b>addslash()</b>ed parameters.<br/><br/>";
+    echo "A second reason is that with magic quotes enabled, due to the use of <b>mysql_real_escape_string()</b> to";
+    echo " protect from sql injection attacks we'll end up with variables that have been addslash()ed and";
+    echo " <b>mysql_real_escape_string()</b>ed.  So you end up having to call stripslashes() on EVERY variable. ";
+    exit;
+}
+
 // create arrays
 $sidebar_func_list = array();
 $help_list = array();
--- a/include/testResults.php
+++ b/include/testResults.php
@@ -574,22 +574,6 @@ class testData{
        $aClean['sTestedRating'] = makeSafe($_REQUEST['sTestedRating']);
        $aClean['sComments'] = makeSafe($_REQUEST['sComments']);

-        if(get_magic_quotes_gpc())
-        {
-            $this->iTestingId = stripslashes($aClean['iTestingId']);
-            $this->iVersionId = stripslashes($aClean['iVersionId']);
-            $this->sWhatWorks = stripslashes($aClean['sWhatWorks']);
-            $this->sWhatDoesnt = stripslashes($aClean['sWhatDoesnt']);
-            $this->sWhatNotTested = stripslashes($aClean['sWhatNotTested']);
-            $this->sTestedDate = stripslashes($aClean['sTestedDate']);
-            $this->iDistributionId = stripslashes($aClean['iDistributionId']);
-            $this->sTestedRelease = stripslashes($aClean['sTestedRelease']);
-            $this->sInstalls = stripslashes($aClean['sInstalls']);
-            $this->sRuns = stripslashes($aClean['sRuns']);
-            $this->sTestedRating = stripslashes($aClean['sTestedRating']);
-            $this->sComments = stripslashes($aClean['sComments']);
-        } else
-        {
        $this->iTestingId = $aClean['iTestingId'];
        $this->iVersionId = $aClean['iVersionId'];
        $this->sWhatWorks = $aClean['sWhatWorks'];
@@ -603,7 +587,6 @@ class testData{
        $this->sTestedRating = $aClean['sTestedRating'];
        $this->sComments = $aClean['sComments'];
    }
-    }


    function getTestingQueue($sQueued='true')
--- a/include/version.php
+++ b/include/version.php
@@ -552,12 +552,6 @@ class Version {
        echo '<tr valign=top><td class=color0><b>Version description</b></td>',"\n";
        echo '<td><p><textarea cols="80" rows="20" id="version_editor" name="versionDescription">',"\n";

-        /* if magic quotes are enabled we need to strip them before we output the 'versionDescription' */
-        /* again.  Otherwise we will stack up magic quotes each time the user resubmits after having */
-        /* an error */
-        if(get_magic_quotes_gpc())
-            echo stripslashes($this->sDescription).'</textarea></p></td></tr>',"\n";
-        else
        echo $this->sDescription.'</textarea></p></td></tr>',"\n";

        echo '</table>',"\n";
@@ -612,16 +606,6 @@ class Version {
        $aClean['maintainer_rating'] = makeSafe($_REQUEST['maintainer_rating']);
        $aClean['maintainer_release'] = makeSafe($_REQUEST['maintainer_release']);

-        if(get_magic_quotes_gpc())
-        {
-            $this->iAppId = stripslashes($aClean['appId']);
-            $this->iVersionId = stripslashes($aClean['versionId']);
-            $this->sName = stripslashes($aClean['versionName']);
-            $this->sDescription = stripslashes($aClean['versionDescription']);
-            $this->sTestedRating = stripslashes($aClean['maintainer_rating']);
-            $this->sTestedRelease = stripslashes($aClean['maintainer_release']);
-        } else
-        {
        $this->iAppId = $aClean['appId'];
        $this->iVersionId = $aClean['versionId'];
        $this->sName = $aClean['versionName'];
@@ -629,7 +613,6 @@ class Version {
        $this->sTestedRating = $aClean['maintainer_rating'];
        $this->sTestedRelease = $aClean['maintainer_release'];
    }
-    }

    function display()
    {