[ZendTo] Re: unconditional use of stripslashes, missing backslashes.
Jules
Jules at Zend.To
Fri Feb 3 17:10:32 GMT 2012
How often do people need to put in backslashes? Versus the danger of
missing an instance of escaping-based injection because of not removing
them? I would personally prefer to play safe.
If we can *guarantee* that it won't lessen security *at all*, then we
can not remove all backslashes.
Jules.
On 03/02/2012 16:49, Joerg Streibhardt wrote:
> Hi Jules
>
> my first real user informed me that the backslashes he typed into the
> message were removed.
> After looking around for a bit I noticed that most if not all
> instances of stripslashes are called whether PHP added those "magic
> quotes" or not.
>
> Unfortunately I'm unable to globally enable magic quotes and the
> manual states that:
>
>> This feature has been DEPRECATED as of PHP 5.3.0. Relying on this feature is highly discouraged.
>> http://www.php.net/manual/en/info.configuration.php#ini.magic-quotes-gpc
> I've changed the setting locally for ZendTo by adding
>> php_flag magic_quotes_gpc on
> in the apache-configuration for <Directory /opt/zendto/www/>.
>
> I think stripslashes should only be used if get_magic_quotes_gpc()
> returns true. Removing it altogether is probably not a good idea at
> this time.
>
> What do you think?
>
> Cheers
> Jörg
>
> _______________________________________________
> ZendTo mailing list
> ZendTo at zend.to
> http://mailman.ecs.soton.ac.uk/mailman/listinfo/zendto
Jules
--
Julian Field MEng CITP CEng
www.Zend.To
Follow me at twitter.com/JulesFM
PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
'It's okay to live without all the answers' - Charlie Eppes, 2011
'All programs have a desire to be useful' - Tron, 1982
'That is the land of lost content,
I see it shining plain,
The happy highways where I went,
And cannot come again.' - A.E. Houseman
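The conditional stripslashes that Jörg proposes, worked through as an added example; this is not ZendTo's own code, and the helper names (strip_magic_quotes_deep, unmagic, magic_quotes_on) and the sample input are made up for the illustration. It shows why the unconditional call eats a user's backslashes, and that stripping only when get_magic_quotes_gpc() reports the setting as on gives the typed text back in either configuration:

```php
<?php
// Added example, not ZendTo project code.
// Undo magic_quotes_gpc escaping only when PHP actually applied it.

/**
 * True when magic_quotes_gpc is in effect.  The function_exists() guard
 * matters because get_magic_quotes_gpc() is deprecated in PHP 7.4 and
 * removed in PHP 8.0, where calling it would be a fatal error.
 */
function magic_quotes_on()
{
    return function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc();
}

/**
 * Recursively stripslashes() a request value.  Magic quotes escape every
 * element of $_GET/$_POST/$_COOKIE, including nested arrays, so the undo
 * has to recurse the same way.
 */
function strip_magic_quotes_deep($value)
{
    if (is_array($value)) {
        return array_map('strip_magic_quotes_deep', $value);
    }
    return is_string($value) ? stripslashes($value) : $value;
}

/**
 * The drop-in replacement for a bare stripslashes($x) on request data:
 * strip only if PHP added the slashes, otherwise hand the value back as is.
 */
function unmagic($value)
{
    return magic_quotes_on() ? strip_magic_quotes_deep($value) : $value;
}

// Constructed sample input: a Windows path plus quotes, as a user might type it.
$typed = 'C:\Temp\file.txt and it\'s "quoted"';

// What the script receives with magic_quotes_gpc = On: addslashes() applies
// the same escaping (backslash before ' " \ and NUL) as the magic-quotes layer.
$with_magic = addslashes($typed);

// Unconditional stripslashes() is right only when the slashes were added...
var_dump(stripslashes($with_magic) === $typed);   // bool(true)

// ...and silently corrupts real backslashes when they were not:
var_dump(stripslashes($typed));                   // C:Tempfile.txt and it's "quoted"

// The conditional version returns the typed text under either setting.
$incoming = magic_quotes_on() ? $with_magic : $typed;   // mimic this server's config
var_dump(unmagic($incoming) === $typed);          // bool(true)
```

To see which branch a given server takes, `php -r 'var_dump((bool) ini_get("magic_quotes_gpc"));'` reports the effective setting for the CLI, and `phpinfo()` the one under Apache (where a per-directory `php_flag` such as the one in Jörg's mail can differ from php.ini). Note that stripping the backslashes back out is not what protects the application: the escaping that magic quotes added was only ever a crude substitute for escaping at the sink, so the injection defence has to be parameterised queries for SQL and htmlspecialchars() for HTML regardless of whether this setting is on.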