View Issue Details

| ID | Project | Category | View Status | Date Submitted | Last Update |
|---|---|---|---|---|---|
| 0000156 | Main CAcert Website | source code | public | 2006-03-05 21:42 | 2018-11-11 18:37 |

| Field | Value |
|---|---|
| Reporter | |
| Assigned To | |
| Priority | low |
| Severity | tweak |
| Reproducibility | always |
| Status | needs work |
| Resolution | open |
| Summary | 0000156: magic_quotes_gpc vs. mysql_escape_string() |
| Tags | No tags attached. |
| Reviewed by | |
| Test Instructions | |

Description

I see many cases where mysql_escape_string() is applied to $_REQUEST, $_POST or $_GET. As magic_quotes already escaped these strings, this may lead to corruption of the user input. E.g. in api/ccsr.php:

```php
$username = mysql_escape_string($_REQUEST['username']);
$password = mysql_escape_string($_REQUEST['password']);
```

I recommend using something like quote_smart() from php.net:

```php
function quote_smart($value)
{
    // stripslashes, if necessary
    if (get_magic_quotes_gpc()) {
        $value = stripslashes($value);
    }
    // quote, if not numeric
    if (!is_numeric($value)) {
        $value = "'" . mysql_real_escape_string($value) . "'";
    }
    return $value;
}
```

Additionally, since PHP 4.3.0 it's recommended to use mysql_real_escape_string().
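The corruption the report describes, as an added example that is neither the reporter's code nor part of the CAcert code base: a Python model of the PHP layers involved (magic_quotes_gpc, stripslashes(), mysql_escape_string()) and of the MySQL server decoding the resulting literal, assuming mysql_real_escape_string() escapes the same characters as mysql_escape_string() for the charset in use.

```python
# Added example (not from the bug report or the CAcert code base): a model of the
# escaping layers a $_REQUEST value passes through before it reaches the database.

# Characters addslashes() escapes; magic_quotes_gpc applies this to $_REQUEST.
PHP_SLASHED = {"'": "\\'", '"': '\\"', "\\": "\\\\", "\0": "\\0"}
# Characters mysql_escape_string() escapes (mysql_real_escape_string() is the
# charset-aware variant; assumed identical here for single-byte input).
MYSQL_ESCAPED = {"\0": "\\0", "\n": "\\n", "\r": "\\r", "\\": "\\\\",
                 "'": "\\'", '"': '\\"', "\x1a": "\\Z"}

def addslashes(s):
    return "".join(PHP_SLASHED.get(ch, ch) for ch in s)

def stripslashes(s):
    """Model of PHP stripslashes(): remove one level of backslash escaping."""
    out, i = [], 0
    while i < len(s):
        if s[i] == "\\":
            if i + 1 < len(s):
                out.append("\0" if s[i + 1] == "0" else s[i + 1])
            i += 2
        else:
            out.append(s[i])
            i += 1
    return "".join(out)

def mysql_escape_string(s):
    return "".join(MYSQL_ESCAPED.get(ch, ch) for ch in s)

def mysql_decode_literal(body):
    """Model of the MySQL server decoding the body of a '...' string literal."""
    decode = {esc[1]: raw for raw, esc in MYSQL_ESCAPED.items()}
    out, i = [], 0
    while i < len(body):
        if body[i] == "\\" and i + 1 < len(body):
            out.append(decode.get(body[i + 1], body[i + 1]))
            i += 2
        else:
            out.append(body[i])
            i += 1
    return "".join(out)

def stored_value(request_value, magic_quotes_gpc, use_quote_smart):
    """Value the database ends up holding for one submitted form field."""
    value = addslashes(request_value) if magic_quotes_gpc else request_value
    if use_quote_smart and magic_quotes_gpc:   # quote_smart() undoes the magic
        value = stripslashes(value)
    # Escape exactly once, as in the api/ccsr.php pattern, then let "MySQL" decode.
    return mysql_decode_literal(mysql_escape_string(value))
```

With magic quotes on, `stored_value("O'Reilly", True, False)` yields `O\'Reilly` (the extra backslash is stored), while the quote_smart() path yields `O'Reilly`.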
Notes

Note 0000523 (duane, 2006-08-16 13:36):
We need patches and/or source locations, this bug isn't a simple one and feeds back into the requirement to turn off globals...

Note 0001010 (dionyziz, 2008-02-18 13:42):
I can confirm this bug exists for the "Contact Information" field of the "My Listing" section.
| Date Modified | Username | Field | Change | 
|---|---|---|---|
| 2006-03-05 21:42 | | New Issue | |
| 2006-08-16 13:36 | duane | Note Added: 0000523 | |
| 2006-08-16 13:36 | duane | Status | new => needs work | 
| 2006-08-16 13:36 | duane | Assigned To | => bluec | 
| 2008-02-18 13:42 | dionyziz | Note Added: 0001010 | |
| 2013-11-12 21:25 | INOPIAE | Relationship added | related to 0001031 | 
| 2014-03-19 10:53 | BenBE | Relationship added | related to 0001260 |