On 4/24/07, Dotan Cohen <dotancohen@xxxxxxxxx> wrote:
> Thanks. Most of that has already been done now, but I'll certainly keep your functions handy. I'll likely need them at some point.
One thing you might want to keep in mind is that this little "fix" is going to get executed on each request if you just throw it in an include. I ran stripslashes_deep() against my 5.2.1 release and here are the results:

Version: 2.0.0RC3
TRACE START [2007-04-24 21:37:47]
1 0 0 0.004415 72400 {main} 1 /Users/eric/Sites/meh.php 0
2 1 0 0.004538 74328 get_magic_quotes_gpc 0 /Users/eric/Sites/meh.php 8
2 1 1 0.004586 74328
2 2 0 0.004622 74328 stripslashes_deep 1 /Users/eric/Sites/meh.php 18
.... snip ....
2 251 0 0.021693 86560 set_magic_quotes_runtime 0 /Users/eric/Sites/meh.php 35
2 251 1 0.021950 86560
1 0 1 0.022013 84632
0.0223 33416
TRACE END [2007-04-24 21:37:47]

That means lots of function calls happened before you could even say hello world. You might want to add wrapper/accessor functions around $_GET and $_POST so that you're only stripping when really necessary.

You might also consider reading this http://ez.no/community/articles/dangers_of_csrf_and_xss by Ilia Alshanetsky.
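
The wrapper idea suggested above, as an added example that is not code from the thread: accessors that undo magic_quotes_gpc only for the value being read, instead of running stripslashes_deep() over all of $_GET and $_POST on every request. The names magic_quotes_active(), strip_value(), input_from(), input_get() and input_post() are hypothetical, and the sample array is constructed.

```php
<?php
// Added example; function names are hypothetical, not from the thread.

// True only when PHP is adding slashes to request data.
// get_magic_quotes_gpc() no longer exists in PHP 8, so absence means "off".
function magic_quotes_active()
{
    return function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc();
}

// Undo the added slashes on one value; arrays (name[]=...) are walked recursively.
function strip_value($value)
{
    if (is_array($value)) {
        return array_map('strip_value', $value);
    }
    return stripslashes($value);
}

// Read one key from a request array, stripping only that value.
// $quoted overrides detection so the function can be exercised on any PHP version.
function input_from(array $source, $name, $default = null, $quoted = null)
{
    if (!array_key_exists($name, $source)) {
        return $default;
    }
    if ($quoted === null) {
        $quoted = magic_quotes_active();
    }
    return $quoted ? strip_value($source[$name]) : $source[$name];
}

function input_get($name, $default = null)
{
    return input_from($_GET, $name, $default);
}

function input_post($name, $default = null)
{
    return input_from($_POST, $name, $default);
}

// Constructed sample, shaped the way magic_quotes_gpc would deliver it.
$sample = array('name' => 'O\\\'Reilly', 'tags' => array('a\\"b', 'c'));

var_dump(input_from($sample, 'name', null, true));
var_dump(input_from($sample, 'tags', null, true));
var_dump(input_from($sample, 'missing', 'n/a', true));
```

The values returned are raw user input with the added slashes removed; they still need escaping for whatever context they end up in, such as htmlspecialchars() for HTML output or bound parameters for SQL.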