Topic awaiting preservation: Magic Quotes Issue

So, I recently discovered that every time I attempt a search containing an apostrophe in my installation of Gallery, the apostrophe gets prefixed with a backslash.

Searching for world's largest results in a search for world\'s largest, which yields nothing. Of course, that makes my upcoming stock-photo gallery useless.

I've done a lot of frustrating research and I've determined it to be a problem with magic quotes being on. I've attempted to turn them off in my .htaccess file using magic_quotes_gpc = off, but it will only work if I remove AddType php-cgi .php. However, I can't remove that because Gallery won't work without it.

Someone posted in the Gallery discussion forum that he added ini_set(magic_quotes_gpc, 0); to every php file (not knowing which ones needed it) and it worked. But I'm hoping there's a less drastic solution.

I've written DreamHost about the issue, but I don't hold out much hope, because as I understand it, they've disabled such custom php directives in .htaccess while PHP-CGI is enabled.

Anyone have any other ideas?

Well I'd just try adding that to the top of the file called search.php

(Note I'm not a gallery user but that's the page it seems to call)



.:[ Never resist a perfect moment ]:.

actually, I feel you're all confused.

Magic quotes often are an issue - but they should not be here.

So you have 'world's largest' in the sql database.
User types 'world's largest' - your script then creates a query that reads like "select ... where something like '%world\'s largest%'" - see where that \ saves your but from a nasty scripting attack?
Now, the mysqldatabas parses this - discovers the \ in front of the ' and removes it, so you should still be finding everything.

Except of course, that world's largest isn't actually world's largest *in your database* - in which case we have a different problem entirly.

now, if you were looking for a security hole opening quick fix, adust the the function below to call stripslashes instea of the whole trim(addslashes(stripslashes(htmlentities thing and call it for each incoming array (__GET,_POST,HTTP_GET_VARS...). You'll probaly also want to remove the unseting of the variables in $GLOBAL - registered globals *are* a security risk, but I doubt gallery will be able to work without them.
Please note, the function below doesn't take magic_quotes_gpc (get/post/cookies!) specifically into account. It could, but so far no grail has needed it.

function _g_SecureArray(&$array,$bIsFirstLevel = true)

{

	foreach ($array as $aKey => $aVar)

	{

		if (is_array($aVar))

		{

			_g_SecureArray($array[$aKey],false);

		}

		else

		{

			$aVar = trim(addslashes(stripslashes(htmlentities($aVar,ENT_QUOTES))));

			$aVar = str_replace(array('<','>'),array('<','>'),$aVar);

			$array[$aKey] = $aVar;

			if ($bIsFirstLevel)

				unset($GLOBALS[$aKey]);

			

		}

	}

}

so long,

Tyberius Prime

Unfortunately, adding ini_set(magic_quotes_gpc, 0); to search.php did squat. In fact, I tried creating a file with ...

<?php 

ini_set(magic_quotes_gpc, 0); 

phpinfo() 

?>

... and it still reports them as on.

Now, TP - sorry, but you've lost me entirely. First, I don't believe Gallery uses MySQL at all. Everything appears to be stored in flat files and those files do contain exactly the phrase "world's largest."

Additionally, magic quotes cause minor problems elsewhere -- adding album names with apostrophes, for instance, though those are easily fixed with renaming. Magic quotes, I believe, are the culprit with the search function as well.

I've uploaded search.php as a text file here if anyone would like to look at it ... and possibly, if you are so kind, help me to figure out this problem. My php is knowledge is very weak, but I'm desperate to fix this search problem because it can be a huge deal to potential licensing opportunities.

I beleive the issue lies in here -

quote:

---

$searchstring = escapeEregChars ($searchstring);
$searchstring = str_replace ("\\*", ".*", $searchstring);

---

The PHP is escaping the apostrophe with a slash, which in many cases it should.

Perhaps this is a situation for stripslashes. I am not well enough versed to know how that will affect other things in gallery however...



[This message has been edited by DL-44 (edited 03-26-2004).]

a) magicq quotes for get,post,cookies (or gpc ) happpen before php executes your script. There's nothing you can do about that.

b) if you're not using a database, calling stripslashes() at the search term might just be the fix you need. Give it a try. (or, call add slashes within the search comparison routine... and do it the other way around. Though that's gonna need more cpu time).

OK, so I did some searching on stripslashes and I finally came up with a couple of posts from guys who had the same issue of not being able to turn off magic quotes.

The first hack didn't work. Well, it did fix magic quotes but caused some other crazy errors.

The second appears to work and fixes the problem globally; even adding album with names containing apostrophes is no longer a problem. I added this to the file init.php ...

if (get_magic_quotes_gpc()) { 

    $posted_keys = implode(',', array_keys($_POST)); 

    $get_keys = implode(',', array_keys($_GET)); 



    if ($posted_keys | | $get_keys) { 



        // Will stripslashes if magic_quotes_gpc is on. 

        // Pass the NAMEs of the variables, not the value 

        // e.g. stripSlashesGpc('my_var', 'my_array') 

        // NOT stripSlashesGpc($my_var, $my_array) 

        function stripSlashesGpc() 

        { 

            if (!get_magic_quotes_gpc()) { 

                return; 

            } 

            $args = func_get_args(); 

            foreach ($args as $var_name) { 

                // var_name might be an array element. 

                // Globalize up to the first "[" 

                if ($b_pos = strpos($var_name, '[')) { 

                    $global_var_name = substr($var_name, 0, $b_pos); 

                } 

                else { 

                    $global_var_name = $var_name; 

                } 

                global $$global_var_name; 

                // Need to use eval in case its an array element 

                eval("\$var_value = \$$var_name;"); 

                if (is_array($var_value)) { 

                    foreach ($var_value as $key => $val) { 

                        $key = str_replace('"', '\"', $key); 

                        $array_element = $var_name . '["' . $key . '"]'; 

                        stripSlashesGpc($array_element); 

                    } 

                } 

                else { 

                    // Need to use eval in case its an array element 

                    eval("\$$var_name = stripslashes(\$var_value);"); 

                } 

            } 

        } // End stripSlashesGpc 



        // enclose each key name in quotes, 

        // or php might die if a var is the same name as a constant 

        function quoteCommaDeliminatedList($list) 

        { 

            return "'" . str_replace(',', "','", $list) . "'"; 

        } 



        if ($posted_keys) { 

            $posted_keys = quoteCommaDeliminatedList($posted_keys); 

            eval("stripSlashesGpc($posted_keys);"); 

        } 

        if ($get_keys) { 

            $get_keys = quoteCommaDeliminatedList($get_keys); 

            eval("stripSlashesGpc($get_keys);"); 

        } 

    } 

}

It's rather lengthy and I don't understand it, but it seems to work.

Incidentally, if someone else happens on this topic while searching for a fix, you can find the original post here.

Now, no one replied to this apparent genius's post, so I don't know if this hack causes unseen problems somewhere else. If anyone sees anything in here that could be disastrous, please let me know.

quote:

---

eval("\$var_value = \$$var_name;");

---

I'd bet even money I can turn this into a full blown security hole.

try replacing that piece at least with

$var_value = ${$var_name};

that should be doing the same in almost all cases, and all the other cases are attacks.

Done, thanks!

I just hope you were fixing one and not creating one.