[Xerte] Re: latex/stripslashes/magic quotes etc

Paul Swanson Paul.Swanson at harlandfs.com
Mon Jan 21 22:02:51 GMT 2013


I think you might be safe, but Pat may be the only one who could really answer that.

Paul Swanson
Internal Business Systems Analyst
Internal Business Intelligence
Harland Financial Solutions
(800) 274-7280 Ext. 2462
Paul.Swanson at harlandfs.com

From: xerte-bounces at lists.nottingham.ac.uk [mailto:xerte-bounces at lists.nottingham.ac.uk] On Behalf Of Ron Mitchell
Sent: Monday, January 21, 2013 1:49 PM
To: 'Xerte discussion list'
Subject: [Xerte] Re: latex/stripslashes/magic quotes etc

>So what's the solution to this? Why is it working ok on the Nottingham install but not for me and others? Or is it?<

>Different versions of the code base?<

I can't speak for the Nottingham install but on the 3 servers I've been testing with the XOT code base is the same and there isn't anything in the xot code overriding the magic_quotes_gpc setting.

In the case of save.php it's updating data.xml and preview.xml with:
if(fwrite($file_handle, stripslashes($_POST['filedata']))!=false){

I don't think it's writing to the db.

If I remove the stripslashes section in save.php and so change the 3 occurrences of the above line to
if(fwrite($file_handle, $_POST['filedata'])!=false){

then the latex works but I'm not sure if that could cause other problems?


From: xerte-bounces at lists.nottingham.ac.uk<mailto:xerte-bounces at lists.nottingham.ac.uk> [mailto:xerte-bounces at lists.nottingham.ac.uk] On Behalf Of David Goodwin
Sent: 21 January 2013 20:43
To: Xerte discussion list
Subject: [Xerte] Re: latex/stripslashes/magic quotes etc


On 21 Jan 2013, at 17:48, Paul Swanson <Paul.Swanson at harlandfs.com<mailto:Paul.Swanson at harlandfs.com>> wrote:

On my php applications, I use the following function before saving any data to the database:

// function for escaping and trimming form data
function escape_data ($data) {
    global $dbc;
    if (ini_get ('magic_quotes_gpc')) {
        $data = stripslashes ($data);
   }
    return mysql_real_escape_string (trim ($data), $dbc);
} // end of escape_data() function


Hi,
Random 2p ....

1.I'd avoid using the above - it doesn't protect against e.g.

$sql = "SELECT * FROM users WHERE id = " . escape_data($_GET['id']);

(in this instance, $_GET['id'] needs casting to an int, else injection of SQL could take place - e.g. $_GET['id'] = '5 union .... "

It checks to see if magic_quotes_gpc is on, and if so, employs the stripslashes function, since magic_quotes adds slashes. If magic_quotes isn't on, it skips the stripslashes function. This function ensures that either configuration is handled.

$dbc in the function is the database connection resource variable.

2. Make sure you've called SET NAMES UTF8 or whatever on that connection ... assuming you're using unicode...


3. In XOT, use the db_query/db_query_one functions; they'll take in prepared-statement-esque SQL, which is immune to injection and doesn't result in you having to care whether $foo has been escaped, double escaped or not escaped. Just pass the variables you want to embed within the SQL within an array with ? marks within the actual SQL - like :

$row = db_query_one("SELECT * FROM users WHERE id = ?", array($_GET['id']));
or
$rows = db_query("SELECT * FROM whatever WHERE id = ? AND blah = ?", array($_GET['id'], $_GET['blah']));

etc etc.

4. Different output formats need different escaping; e.g. the escaping you need for within javascript (addcslashes) is different to that for html (htmlentities) and so on. While the 'escapedata' approach may work, it's not ideal or correct  to apply escaping which is appropriate to MySQL on data which is meant to be output as LaTeX or HTML or whatever.

<snip/>

In previous discussions it's clear that depending on php configuration previewing and/or publishing was/is stripping slashes to the point that latex code had all slashes removed and therefore didn't work. There was a suggestion of using ini_set( 'magic_quotes_gpc', true ); in save.php but it's not clear if that resolved the issue.

Don't use magic_quotes. They cause PHP to escape everything with 'addslashes()' that comes from user supplied data -e.g database calls, file_get_contents (probably) and so on. The result of this is that you will eventually find the data to be a mess - e.g. it\\\\\\\\\'s and so on.


I have an installation (linux) where this is happening so as a test I turned on magic_quotes_gpc server wide but that hasn't resolved the issue.

Did you check with e.g. phpinfo(); ? Perhaps there is a local setting either in XOT, or a .htaccess file or elsewhere which is overriding your change? Perhaps your change didn't take effect.

Also I read that magic quotes has been DEPRECATED

Indeed.

as of PHP 5.3.0 and REMOVED as of PHP 5.4.0.

Yes.


So what's the solution to this? Why is it working ok on the Nottingham install but not for me and others? Or is it?

Different versions of the code base?


David.


Pale Purple Ltd.  (Company No: 5580814)
'Business Web Application Development and Training in PHP'

http://www.palepurple.co.uk
Office: 0845 0046746     Mobile: 07792380669

Follow us on Twitter: @PalePurpleLtd







-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.nottingham.ac.uk/pipermail/xerte/attachments/20130121/3d6a92fa/attachment-0001.html>


More information about the Xerte mailing list