----- Original Message ----- From: "Marcel Bueno" marcel@bueno.com.br To: "Jon Daley" roundcube@jon.limedaley.com Sent: Monday, January 23, 2006 12:50 PM Subject: Re: [RoundCube Dev] Escaped characters
(http://www.olate.co.uk/forums/index.php?showtopic=956)
Ow. Excuse-me, I didn't know that ! Php can be configured to disallow ini_set ! If a server is configured to disallow the .htaccess too (and can be configured to do this), it's impossible to disable magic_quotes !
In this case, how to process ? Do someone know a method to test if a php alloow a ini_set or not ? I believe that it can be tested. Is accept, do, else, do nothing or try to do with .htaccess.
Well...
The magic quotes (') is putted for php in GET or POST vars to prevent SQLInjection. Get this example: "SELECT * FROM users WHERE user = '$var' " If $var=" ' or ''=' ", the query was: "SELECT * FROM users WHERE user = '' or ''='' " The magic quotes prevent this, turning it "SELECT * FROM users WHERE user = '' or ''='' ". But magic-quotes is used only with MySQL. the Microsoft SQLServer doesn't understand the quotes. Arghhh !
I believe that was another 2 methods:
- The first was use the stipslashes() function
(http://www.php.net/manual/pt_BR/function.stripslashes.php), but need to be done in all code. There are some problems here. The RFC of mail address say that the address can be somethng like this: "Name" < email@some.domain >
If a name is "Juca's", with magic quotes it will be turned "Juca's". In this case, it's bed. If a name is "Juca"s", with magic quotes it will be turned "Juca"s". If we remove magic quotes, it's a wrong RFC mail address: "Juca"s" < email@some.domain >
- An another method (but too much hard) is develop a Class to process the
headers of HTTPD without use the php vars $_POST and $_GET. Too much work...
Someone have another idea ???
Regards,
Valber Marcel Bueno
----- Original Message ----- From: "Jon Daley" roundcube@jon.limedaley.com To: dev@lists.roundcube.net Sent: Monday, January 23, 2006 12:13 PM Subject: Re: [RoundCube Dev] Escaped characters
Not all hosts allow ini_set, and I get occasional complaints from people who get error messages and say LifeType is junk because you can't run it without errors, due to the few ini_set commands that we do include in the code.
On Mon, 23 Jan 2006, Marcel Bueno wrote:
I think that some configurations can be inserted in constants file of the rcube project, like this:
On 23 Jan 2006, at 14:50, Marcel Bueno wrote:
----- Original Message ----- From: "Marcel Bueno"
marcel@bueno.com.br To: "Jon Daley" roundcube@jon.limedaley.com Sent: Monday, January 23, 2006 12:50 PM Subject: Re: [RoundCube Dev] Escaped characters(http://www.olate.co.uk/forums/index.php?showtopic=956)
Ow. Excuse-me, I didn't know that ! Php can be configured to
disallow ini_set ! If a server is configured to disallow the .htaccess too (and can
be configured to do this), it's impossible to disable magic_quotes !In this case, how to process ? Do someone know a method to test if
a php alloow a ini_set or not ? I believe that it can be tested.
Is accept, do, else, do nothing or try to do with .htaccess. [...] Someone have another idea ???
I can see two ways to get around this :-
- Policy. Simply require that magic_quotes is set a certain way.
- http://uk.php.net/manual/en/function.get-magic-quotes-runtime.php
will tell you if magic quotes are on or off so something like
function magic_unquote($str) { if(get_magic_quotes_runtime())
{ return stripslashes($str) } else { return $str; } } // untested
may work.
To tell if PHP will allow ini_set you could try function_exists
('ini_set') to see if the function is available. I'm not sure if this
will always work though.
Yours, Craig -- Craig Webster | t: +44 (0)131 516 8595 | e: craig@xeriom.net Xeriom.NET | f: +44 (0)131 661 0689 | w: http://xeriom.net
-
Craig Webster -
Marcel Bueno