[ZendTo] Re: unconditional use of stripslashes, missing backslashes.
Joerg Streibhardt
eljoest+lists at googlemail.com
Mon Feb 6 10:05:54 GMT 2012
Hi Jules,
I'll do my best to check the source. Though I'm not aware of
dedicated software for an audit.
Could you please replace the calls to stripslashes with a call to
something else, say a global method

    function zendToParamPrepare($value) {
        // Only strip slashes if PHP itself added them (magic_quotes_gpc on).
        return get_magic_quotes_gpc() ? stripslashes($value) : $value;
    }

called as "$paramValue = zendToParamPrepare($_GET['something']);"
This way it'll keep working just fine on systems with magic quotes enabled.
Cheers
Jörg
On Sun, Feb 5, 2012 at 5:44 PM, Jules <Jules at zend.to> wrote:
> Agreed. I have a feeling there are still one or two places in the code that
> don't use prepared statements. I should just go through these and fix them.
>
> If I send you a version with only prepared statements, and no calls to
> stripslashes, can you do a proper security audit of the resulting system for
> me please?
>
> Anyone out there got any tools for specifically security-proving websites
> based on PHP?
>
> Jules.
>
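An added example, not code from the ZendTo project or from either message in this thread, showing with constructed inputs what an unconditional stripslashes() does to data that magic quotes never escaped, beside the conditional wrapper proposed above and a PDO prepared statement that removes the need for slash-based escaping altogether. The sample strings, the in-memory SQLite database (assumes the pdo_sqlite extension) and the table name are assumptions made up for the example; get_magic_quotes_gpc() is guarded with function_exists() because the function was removed in PHP 8.

```php
<?php
// Added example (not ZendTo code): unconditional vs. conditional stripslashes(),
// and why prepared statements make the addslashes/stripslashes dance unnecessary.

// Undo magic-quotes escaping only if PHP actually applied it.
// get_magic_quotes_gpc() was removed in PHP 8; there, nothing was ever escaped,
// so the value must pass through untouched (assumption: function_exists guard).
function zendToParamPrepare($value)
{
    $magicQuotesOn = function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc();
    return $magicQuotesOn ? stripslashes($value) : $value;
}

// Constructed sample inputs, as they would arrive in $_GET with magic quotes OFF.
$samples = array(
    'C:\\Users\\jules\\file.txt',   // legitimate backslashes (single-quoted: one \ each)
    "O'Brien",                       // legitimate apostrophe
    "x' OR 1=1 --",                  // hostile: classic injection payload
);

foreach ($samples as $raw) {
    $unconditional = stripslashes($raw);        // what the old code does
    $conditional   = zendToParamPrepare($raw);  // proposed replacement
    printf("raw: %-26s unconditional: %-24s conditional: %s\n",
           $raw, $unconditional, $conditional);
}
// With magic quotes off, unconditional stripslashes() removes every backslash
// from the Windows path (data loss, not a security gain); the conditional
// version leaves all three strings exactly as the user sent them.

// Prepared statements send the value separately from the SQL text, so no
// escaping of quotes or slashes is needed and hostile input is just data.
// Assumption: pdo_sqlite is available; table/column names are made up here.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (name TEXT)');

$insert = $db->prepare('INSERT INTO users (name) VALUES (:name)');
foreach ($samples as $raw) {
    $insert->execute(array(':name' => zendToParamPrepare($raw)));
}

// The hostile string matches only itself as a literal; it cannot turn the
// WHERE clause into "OR 1=1", so this does not return every row.
$select = $db->prepare('SELECT COUNT(*) FROM users WHERE name = :name');
$select->execute(array(':name' => "x' OR 1=1 --"));
echo "rows matching the hostile string as a literal: ", $select->fetchColumn(), "\n";
```

The point for the audit Jules is asking about: once every query goes through prepare()/execute() with bound parameters, stripslashes() has no security role left at all; its only remaining job is to undo magic quotes where they are on, which is exactly what the conditional wrapper does.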