\0 bug
Yves (Administrator) #16
User title: UNB developer & webmaster
Member since Jan 2004 · 3814 posts · Location: Erlangen, Germany
Group memberships: Administrators, Members
In reply to post ID 8726
I've implemented a workaround for now, until I get an authorised reply from some MySQL guys. Searching for \ works again as expected now, \0 is still not supported on PHP with enabled magic stuff. I can't disable magic quoting on my local machine, stupid XAMPP won't accept php.ini changes. Here on my Linux server, it is disabled and thus works fine.
♪ ...nanananah, all in all we’re just brilliant thieves, nanananah... ♪♬
Saxtus #17
Member since Jan 2007 · 84 posts · Location: Athens, Greece
Group memberships: Members
Did you try to do what I've done (look at my last post), or doesn't .htaccess work on your local machine either?
The Answer to Life, the Universe, and Everything = 42
Yves (Administrator) #18
User title: UNB developer & webmaster
Member since Jan 2004 · 3814 posts · Location: Erlangen, Germany
Group memberships: Administrators, Members
No, I didn't try. I'm not used to running PHP as a module (which is a requirement for the .htaccess way to work). I'm a little busy these days so I'll retry to configure it globally later. I assume it works because it was another general problem I have solved now. (Every \ as argument to the LIKE operator in SQL must be escaped twice. (My observation only!) SELECT 'a\\b' = 'a\\b' returns 1, SELECT 'a\\b' LIKE 'a\\b' returns 0 but SELECT 'a\\b' LIKE 'a\\\\b' is 1 again.)
♪ ...nanananah, all in all we’re just brilliant thieves, nanananah... ♪♬
Saxtus #19
Member since Jan 2007 · 84 posts · Location: Athens, Greece
Group memberships: Members
Same results of your queries here too.

Like the note at the manual here:
Note: Because MySQL uses C escape syntax in strings (for example, ‘\n’ to represent a newline character), you must double any ‘\’ that you use in LIKE strings. For example, to search for ‘\n’, specify it as ‘\\n’. To search for ‘\’, specify it as ‘\\\\’; this is because the backslashes are stripped once by the parser and again when the pattern match is made, leaving a single backslash to be matched against. (Exception: At the end of the pattern string, backslash can be specified as ‘\\’. At the end of the string, backslash stands for itself because there is nothing following to escape.)
The Answer to Life, the Universe, and Everything = 42
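The double-escaping rule in the manual note quoted above comes from two parsers, the string-literal parser and the LIKE matcher. As an added example (not UNB code and not part of the original posts), the PHP below escapes a search term for the LIKE layer only and passes it as a bound parameter, so the literal layer never applies. `like_escape`, `search_posts` and the `posts` table are hypothetical, the rows are constructed, and it assumes the pdo_sqlite extension so it runs without a MySQL server.

```php
<?php
// Added example (not UNB code): literal search for user text with LIKE.
// Assumes the pdo_sqlite extension; table name and rows are constructed.

function like_escape(string $term): string
{
    // strtr() with an array replaces in a single pass, so the backslashes
    // added in front of % and _ are not escaped a second time.
    return strtr($term, ['\\' => '\\\\', '%' => '\\%', '_' => '\\_']);
}

function search_posts(PDO $db, string $term): array
{
    // The term travels as a bound parameter, so no string-literal parser
    // touches it; only the LIKE matcher still interprets backslashes.
    // SQLite needs the explicit ESCAPE clause; MySQL uses \ by default.
    $stmt = $db->prepare("SELECT body FROM posts WHERE body LIKE ? ESCAPE '\\'");
    $stmt->execute(['%' . like_escape($term) . '%']);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE posts (body TEXT)');

// Constructed sample rows: each search term below has one literal match
// and one row that would match only if a metacharacter stayed active.
$rows = ['path a\\b here', 'plain ab text', '100% sure', '100 percent',
         'snake_case', 'snakeXcase'];
$ins = $db->prepare('INSERT INTO posts (body) VALUES (?)');
foreach ($rows as $row) {
    $ins->execute([$row]);
}

foreach (['a\\b', '100%', 'e_c'] as $term) {
    printf("%-5s => %s\n", $term, implode(' | ', search_posts($db, $term)));
}
```

Each term matches only the row that contains it literally, because `%`, `_` and `\` from the user input are no longer interpreted by the pattern matcher.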
Yves (Administrator) #20
User title: UNB developer & webmaster
Member since Jan 2004 · 3814 posts · Location: Erlangen, Germany
Group memberships: Administrators, Members
Strange, I've read this very section. Well, must be the high temperature in here. ;) So my solution is correct and we're all happy now. :)

And to y'all, remember to turn off the magic, it doesn't work. :D
♪ ...nanananah, all in all we’re just brilliant thieves, nanananah... ♪♬
jense #21
Member since Nov 2006 · 327 posts · Location: Dortmund
Group memberships: Members
Quote by Yves:
And to y'all, remember to turn off the magic, it doesn't work. :D
Please, can you put in one sentence what exactly does not work?  Webhosters still are not that flexible these days...
Alala, Alala, Gimme three wishes - CSS
Saxtus #22
Member since Jan 2007 · 84 posts · Location: Athens, Greece
Group memberships: Members
Quote by jense:
Please, can you put in one sentence what exactly does not work?  Webhosters still are not that flexible these days...
Just try to preview a message at your server's forum that contains the string \0 in it.
If you lose it during preview, you need to do what I've done above in your .htaccess file because magic quotes for GPC* is on at your server.

*GPC: GET/POST/COOKIES
The Answer to Life, the Universe, and Everything = 42
jense #23
Member since Nov 2006 · 327 posts · Location: Dortmund
Group memberships: Members
Quote by Saxtus:
Just try to preview a message at your server's forum that contains the string \0 in it.
Ok, understood... (it is also clear from what I've now read in the diff of the new dev-version)
Quote by Saxtus:
If you lose it during preview, you need to do what I've done above in your .htaccess file because magic quotes for GPC* is on at your server.
As I said, it is not possible in general.  Dunno, if it has to do with PHP running as CGI or webhosters denying php parameters in .htaccess...

Yves, what exactly is the reason to *not* use stripslashes?  It is supposed to do what you've tried to accomplish in common.lib.php, it's probably faster and it just works, AFAICT (playing around with binary input a few weeks ago).  Am I missing something?
Alala, Alala, Gimme three wishes - CSS
Saxtus #24
Member since Jan 2007 · 84 posts · Location: Athens, Greece
Group memberships: Members
Quote by jense:
As I said, it is not possible in general.

Where did you say it? I don't remember you posting about it.

Quote by jense:
Yves, what exactly is the reason to *not* use stripslashes?  It is supposed to do what you've tried to accomplish in common.lib.php, it's probably faster and it just works, AFAICT (playing around with binary input a few weeks ago).  Am I missing something?

If I understand correctly, there is no way to interfere with what magic_quotes_gpc does because it is done to every string passed to PHP before the program gets control. Correct me if I am wrong but if I am right, magic_quotes_gpc doesn't care about stripslashes or anything like that.
The Answer to Life, the Universe, and Everything = 42
jense #25
Member since Nov 2006 · 327 posts · Location: Dortmund
Group memberships: Members
Quote by Saxtus:
Where did you say it? I don't remember you posting about it.
I put a note on nonflexible webhosters in my initial post.  Apparently, it has not been too clear... :-)
Quote by Saxtus:
Correct me if I am wrong but if I am right, magic_quotes_gpc doesn't care about stripslashes or anything like that.
Well, the PHP documentation claims that stripslashes is the inverse function to addslashes, which is used for the magic quotes, i.e., if magic_quotes_gpc is enabled, stripslashes should revert the changes.

For instance, stripslashes(addslashes('\0')) gives '\0', where addslashes emulates the magic quotes behavior - this even works for '\\0', '\\\0'...
Alala, Alala, Gimme three wishes - CSS
Saxtus #26
Member since Jan 2007 · 84 posts · Location: Athens, Greece
Group memberships: Members
So the solution seems simple if the following does truly work:
// The following function will strip GPC-arrays for php 4.3.9
function transcribe($aList, $aIsTopLevel = true) {
    $gpcList = array();
    $isMagic = get_magic_quotes_gpc();

    foreach ($aList as $key => $value) {
        $decodedKey = ($isMagic && !$aIsTopLevel) ? stripslashes($key) : $key;
        if (is_array($value)) {
            $decodedValue = transcribe($value, false);
        } else {
            $decodedValue = ($isMagic) ? stripslashes($value) : $value;
        }
        $gpcList[$decodedKey] = $decodedValue;
    }
    return $gpcList;
}

// The following function will strip GPC-arrays for php 5.0.2
function transcribe($aList, $aIsTopLevel = true) {
    $gpcList = array();
    $isMagic = get_magic_quotes_gpc();

    foreach ($aList as $key => $value) {
        if (is_array($value)) {
            $decodedKey = ($isMagic && !$aIsTopLevel) ? stripslashes($key) : $key;
            $decodedValue = transcribe($value, false);
        } else {
            $decodedKey = stripslashes($key);
            $decodedValue = ($isMagic) ? stripslashes($value) : $value;
        }
        $gpcList[$decodedKey] = $decodedValue;
    }
    return $gpcList;
}

Usage:
$unstrippedGET = transcribe($_GET);
$unstrippedPOST = transcribe($_POST);
The Answer to Life, the Universe, and Everything = 42
jense #27
Member since Nov 2006 · 327 posts · Location: Dortmund
Group memberships: Members
Hm, $_GET and $_POST can be safely assumed as flat arrays, can't they? Secondly, the PHP5 code looks wrong because stripslashes is unconditionally called at one place.  Why are different codes needed anyway?
Alala, Alala, Gimme three wishes - CSS
Saxtus #28
Member since Jan 2007 · 84 posts · Location: Athens, Greece
Group memberships: Members
Kudos to PHP manual's comments:
The following is true for $_GET- and $_POST-arrays. I hope other arrays affected by magic quotes behave equally.
I did not test the behavior for cases where magic_quotes_sybase is set.

== legend for possible case combinations ==
Px = php version we're using
    P4 = php 4.3.9
    P5 = php 5.0.2

MQ = MagicQuotes GPC
    +MQ = magic quotes enabled
    -MQ = magic quotes disabled

TL = TopLevel key
    +TL = key is on top level (i.e. $_GET['myKey'])
    -TL = key is nested within another array (i.e. $_GET['myList']['myKey'])

AK = ArrayKey
    +AK = the value of the key is another array (i.e. is_array($_GET['myKey']) == true)
    -AK = the value is a normal string (i.e. is_string($_GET['myKey']) == true)

== legend for possible results ==
KE = KeyEscaping
    +KE = control chars are prefixed with a backslash
    -KE = key is returned as submitted and needn't be stripped

VE = ValueEscaping (doesn't apply for array as value)
    +VE = control chars are prefixed with a backslash
    -VE = value is returned as submitted and needn't be stripped

== here we go - the following rules apply ==
 1) P4 +MQ +AK +TL --> -KE
 2) P4 +MQ +AK -TL --> +KE
 3) P4 +MQ -AK +TL --> -KE +VE
 4) P4 +MQ -AK -TL --> +KE +VE
 5) P4 -MQ +AK +TL --> -KE
 6) P4 -MQ +AK -TL --> -KE
 7) P4 -MQ -AK +TL --> -KE -VE
 8) P4 -MQ -AK -TL --> -KE -VE
 9) P5 +MQ +AK +TL --> -KE
10) P5 +MQ +AK -TL --> +KE
11) P5 +MQ -AK +TL --> +KE +VE
12) P5 +MQ -AK -TL --> +KE +VE
13) P5 -MQ +AK +TL --> -KE
14) P5 -MQ +AK -TL --> -KE
15) P5 -MQ -AK +TL --> +KE -VE
16) P5 -MQ -AK -TL --> +KE -VE
17) The chars '.', ' ' are always replaced by '_' when used in keys.

Example (rule 15):
When running under php 5.0.2 having magic quotes disabled, gpc-keys on top level containing strings are escaped while their associated values are not.
I don't think you must assume that they are always flat arrays!
Quote by jense:
Secondly, the PHP5 code looks wrong because stripslashes is unconditionally called at one place.
PHP5 does more key escaping than PHP4.
The Answer to Life, the Universe, and Everything = 42
This post was edited on 2007-05-24, 15:52 by Saxtus.
jense #29
Member since Nov 2006 · 327 posts · Location: Dortmund
Group memberships: Members
Ah, thanks! - Wow, it's possible to specify array entries via ?array[key1]=entry1&array[key2]=entry2...
Alala, Alala, Gimme three wishes - CSS
Yves (Administrator) #30
User title: UNB developer & webmaster
Member since Jan 2004 · 3814 posts · Location: Erlangen, Germany
Group memberships: Administrators, Members
jense, it is, but I'm not sure if I do that with something different than numbers from checkboxes.

I'll try out the stripslashes function.

Update: Works. I'm doing an update.
♪ ...nanananah, all in all we’re just brilliant thieves, nanananah... ♪♬
This board is powered by the Unclassified NewsBoard software, 20110527-dev, © 2003-2011 by Yves Goergen
Current time: 2012-02-08, 09:46:05 (UTC +01:00)