[Phpsurveyor-developers] BUG Escaping Forms input in database.php

[Thibault Le M. <Thi...@su...>]

Hi,

When I tried to insert fields with special chars such as simple quotes, =
I
got an SQL error.

I tracked down this issue in the database.php file.

No adslashes is done in the INSERT queries which use directly $_POST.

So, in theory, if I want input-escaping I need to turn on =
'magic_quotes_gpc'
in php.ini.=20
But this fails since the follofing lines can be found at the beginning =
of
the database.php file:
if (get_magic_quotes_gpc())
  $_POST  =3D array_map('stripslashes', $_POST);

Of course commenting the above 2 lines solves the issue (with
magic_quotes_gpc enabled), but then we would need a stripslashes =
somewhere
to remove \.

What do you propose ?

+------------------------------------------------------------------------=
+
| Thibault LE MEUR                  | http://www.supelec.fr              =
|
| Sup=E9lec                           | e-mail: =
Thi...@su... |
| Centre de Ressources Informatiques| tel:     +33 [0]1 69 85 17 89      =
|
| Plateau de Moulon                 |                                    =
|
| 3 rue Joliot-Curie                | fax:     +33 [0]1 69 85 12 34      =
|
| 91192 Gif-sur-Yvette CEDEX, France| Supelec: +33 [0]1 69 85 12 12      =
|
+------------------------------------------------------------------------=
+=20