From 72f4d9e245fad4ae1f74a01ebe54c90ab41f4323 Mon Sep 17 00:00:00 2001
From: Jakub Vrana
Date: Mon, 26 Jul 2010 14:47:26 +0200
Subject: [PATCH] Function parse_str respects magic_quotes_gpc (bug #3034575)
---
 adminer/include/bootstrap.inc.php | 16 +---------------
 adminer/include/functions.inc.php | 21 +++++++++++++++++++++
 2 files changed, 22 insertions(+), 15 deletions(-)
diff --git a/adminer/include/bootstrap.inc.php b/adminer/include/bootstrap.inc.php
index e8009b90..bbf9b90f 100644
--- a/adminer/include/bootstrap.inc.php
+++ b/adminer/include/bootstrap.inc.php
@@ -38,21 +38,7 @@ if (!ini_bool("session.auto_start")) {
 }
 // disable magic quotes to be able to use database escaping function
-if (get_magic_quotes_gpc()) {
- $process = array(&$_GET, &$_POST, &$_COOKIE);
- while (list($key, $val) = each($process)) {
- foreach ($val as $k => $v) {
- unset($process[$key][$k]);
- if (is_array($v)) {
- $process[$key][stripslashes($k)] = $v;
- $process[] = &$process[$key][stripslashes($k)];
- } else {
- $process[$key][stripslashes($k)] = ($filter ? $v : stripslashes($v));
- }
- }
- }
- unset($process);
-}
+remove_slashes(array(&$_GET, &$_POST, &$_COOKIE));
 if (function_exists("set_magic_quotes_runtime")) {
 set_magic_quotes_runtime(false);
 }
diff --git a/adminer/include/functions.inc.php b/adminer/include/functions.inc.php
index 5f475232..ed847f13 100644
--- a/adminer/include/functions.inc.php
+++ b/adminer/include/functions.inc.php
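Review bot: The replacement call `remove_slashes(array(&$_GET, &$_POST, &$_COOKIE));` drops the `$filter` flag that the removed loop read at file scope in `($filter ? $v : stripslashes($v))`. The new `remove_slashes()` in functions.inc.php keeps that expression, but inside a function `$filter` is an undefined local, so the ternary always takes the `stripslashes($v)` branch. `$filter` is set outside this hunk; if it marks request values that are already raw, those values now lose their backslashes before they reach the database escaping this block prepares for. Passing the flag explicitly would keep the old behaviour: `function remove_slashes($process, $filter = false) {` in functions.inc.php and `remove_slashes(array(&$_GET, &$_POST, &$_COOKIE), $filter);` here.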
@@ -26,6 +26,26 @@ function escape_string($val) {
 return substr($connection->quote($val), 1, -1);
 }
+/** Disable magic_quotes_gpc
+* @param array e.g. (&$_GET, &$_POST, &$_COOKIE)
+* @return null modified in place
+*/
+function remove_slashes($process) {
+ if (get_magic_quotes_gpc()) {
+ while (list($key, $val) = each($process)) {
+ foreach ($val as $k => $v) {
+ unset($process[$key][$k]);
+ if (is_array($v)) {
+ $process[$key][stripslashes($k)] = $v;
+ $process[] = &$process[$key][stripslashes($k)];
+ } else {
+ $process[$key][stripslashes($k)] = ($filter ? $v : stripslashes($v));
+ }
+ }
+ }
+ }
+}
+
 /** Escape or unescape string to use inside form []
 * @param string
 * @param bool
@@ -214,6 +234,7 @@ function where($where) {
 */
 function where_check($val) {
 parse_str($val, $check);
+ remove_slashes(array(&$check));
 return where($check);
 }
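Review bot: The docblock on `remove_slashes()` says "modified in place", but `$process` is taken by value, so the in-place effect depends entirely on each element being a reference. A caller that writes `remove_slashes(array($data))` gets no error and no unescaping, so slash-quoted input stays in the caller's data unnoticed. I would state that in the `@param` line, e.g. `* @param array list of references to the arrays to unescape, e.g. array(&$_GET, &$_POST, &$_COOKIE); non-reference elements are left unchanged`.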
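Review bot: Nothing at the added `remove_slashes(array(&$check));` in `where_check()` says why the freshly parsed array needs unescaping; the reason is only in the commit subject (parse_str() applies magic_quotes_gpc to what it decodes). `$check` goes straight into `where()`, whose body is outside the hunk and which presumably builds the condition from it, so a later cleanup that removes this line as redundant would pass slash-quoted values on. I would add `// parse_str() applies magic_quotes_gpc to the decoded values, so undo it before building the condition` above the call.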