[Phpsurveyor-developers] BUG Escaping Forms input in database.php
From: Thibault Le M. <Thi...@su...> - 2007-01-24 17:51:30
Hi,

When I tried to insert fields with special chars such as simple quotes, I got an SQL error.

I tracked down this issue in the database.php file. No addslashes is done in the INSERT queries, which use $_POST directly.

So, in theory, if I want input-escaping I need to turn on 'magic_quotes_gpc' in php.ini.

But this fails since the following lines can be found at the beginning of the database.php file:

    if (get_magic_quotes_gpc())
        $_POST = array_map('stripslashes', $_POST);

Of course commenting the above 2 lines solves the issue (with magic_quotes_gpc enabled), but then we would need a stripslashes somewhere to remove \.

What do you propose?

Thibault LE MEUR
Supélec
Centre de Ressources Informatiques
Plateau de Moulon
3 rue Joliot-Curie
91192 Gif-sur-Yvette CEDEX, France
http://www.supelec.fr
e-mail: Thi...@su...
tel: +33 [0]1 69 85 17 89
fax: +33 [0]1 69 85 12 34
Supelec: +33 [0]1 69 85 12 12
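
The failure reported in this message, as an added example that is not part of the original post or of PHPSurveyor's code: an INSERT built by concatenating a form value, next to the same INSERT with the value bound as a parameter. The table, column and function names are hypothetical, and PDO with an in-memory SQLite database (assumes the pdo_sqlite extension) stands in for the project's database layer.

```php
<?php
// Added example. Hypothetical schema, not PHPSurveyor's own tables.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE answers (id INTEGER PRIMARY KEY, title TEXT)');

// Constructed form input, as $_POST looks once the stripslashes pass has run
// (or when magic_quotes_gpc is off): the single quote is unescaped.
$post = ['title' => "What's your name?"];

// Before: the value becomes part of the SQL text, so its quote ends the
// string literal early and the statement no longer parses.
function insertConcatenated(PDO $db, array $post): bool
{
    try {
        $db->exec("INSERT INTO answers (title) VALUES ('" . $post['title'] . "')");
        return true;
    } catch (PDOException $e) {
        return false; // the SQL error described in the message
    }
}

// After: the value travels separately from the SQL text, so no addslashes,
// stripslashes or magic_quotes_gpc setting is involved at all.
function insertBound(PDO $db, array $post): bool
{
    $stmt = $db->prepare('INSERT INTO answers (title) VALUES (:title)');
    return $stmt->execute([':title' => $post['title']]);
}

// What was actually stored, to confirm the quote round-trips unchanged.
function storedTitles(PDO $db): array
{
    return $db->query('SELECT title FROM answers ORDER BY id')
              ->fetchAll(PDO::FETCH_COLUMN);
}

var_dump(insertConcatenated($db, $post));
var_dump(insertBound($db, $post));
var_dump(storedTitles($db));
```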