I am having a problem with magic quotes being disabled when passing and outputting a variable via a session (although magic_quotes are successfully disabled the rest of the time). I am using PHP Version 5.4.3.
Magicquotes (I’ve added the last line re. $_SESSION given that’s what the variable is being passed through, although it was not mentioned in Kevin Yank’s book):-
<?php
if (get_magic_quotes_gpc())
{
    function stripslashes_deep($value)
    {
        $value = is_array($value) ?
            array_map('stripslashes_deep', $value) :
            stripslashes($value);
        return $value;
    }
    $_POST = array_map('stripslashes_deep', $_POST);
    $_GET = array_map('stripslashes_deep', $_GET);
    $_COOKIE = array_map('stripslashes_deep', $_COOKIE);
    $_REQUEST = array_map('stripslashes_deep', $_REQUEST);
    $_SESSION = array_map('stripslashes_deep', $_SESSION);
}
?>
Controller ($attraction_name is entered into database so must first be sanitized) (excerpts):-
include_once $_SERVER['DOCUMENT_ROOT'] . '/includes/magicquotes.inc.php';
$attraction_name = mysqli_real_escape_string($link, $_POST['attraction_name']);
session_start();
$_SESSION['message'] = 'THIS ATTRACTION HAS BEEN EDITED:' . ' ' . $attraction_name;
header('Location: . ');
exit();
Display page:-
<?php session_start(); if (isset($_SESSION['message'])) { echo $_SESSION['message']; unset($_SESSION['message']); } ?>
If the variable passed through is ‘St Paul’s Cathedral’, then it will output:-
THIS ATTRACTION HAS BEEN EDITED: St. Paul\'s Cathedral
I have also tried creating a variable (having first applied htmlspecialchars) specifically to be output as the session message and using that instead (also to no avail):-
$attraction_name_session = htmlspecialchars($attraction_name, ENT_QUOTES, 'UTF-8');
And passing the below (while it has none of the above problems) would leave it open to hackers given the attraction_name is to be input by users.
$_POST['attraction_name'];
Any ideas?
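An added example (not the poster's code) of the pattern that avoids the stray backslash: keep the raw value in the session, use a prepared statement at the database boundary instead of mysqli_real_escape_string(), and call htmlspecialchars() only at the moment of echoing. The table and column names, the $link connection and the maximum length are assumptions.

```php
<?php
// Step 1: read the value once, unescaped. Validation only, no escaping yet.
function readAttractionName(array $post): string
{
    $name = isset($post['attraction_name']) ? trim((string) $post['attraction_name']) : '';
    if ($name === '' || strlen($name) > 100) {          // assumed limit
        throw new InvalidArgumentException('attraction_name missing or too long');
    }
    return $name;
}

// Step 2: database boundary. The placeholder sends the value separately from the
// SQL text, so no mysqli_real_escape_string() call is needed and no "\'" is created.
function saveAttraction(mysqli $link, int $id, string $name): void
{
    $stmt = $link->prepare('UPDATE attraction SET name = ? WHERE id = ?'); // assumed table
    if ($stmt === false) {
        throw new RuntimeException('prepare failed: ' . $link->error);
    }
    $stmt->bind_param('si', $name, $id);
    $stmt->execute();
    $stmt->close();
}

// Step 3: the session carries the raw value, not a DB-escaped or HTML-escaped copy.
function queueMessage(array &$session, string $name): void
{
    $session['message'] = 'THIS ATTRACTION HAS BEEN EDITED: ' . $name;
}

// Step 4: output boundary. Escape for HTML here and only here, then clear the flash message.
function renderMessage(array &$session): string
{
    if (!isset($session['message'])) {
        return '';
    }
    $html = htmlspecialchars($session['message'], ENT_QUOTES, 'UTF-8');
    unset($session['message']);
    return $html;
}

// Offline run with a constructed $_POST and a plain array standing in for $_SESSION;
// in the real controller call saveAttraction($link, $id, $name) between steps 1 and 3.
$post = ['attraction_name' => "St Paul's Cathedral"];
$session = [];
queueMessage($session, readAttractionName($post));
echo renderMessage($session), "\n";
```

The apostrophe reaches the page as an HTML entity rather than a backslash-escaped character, and the value stored in the database is the same raw string the user typed.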