always disable magic quotes at runtime.

27483835 · Taylor Otwell · 02397c67 · 27483835 · 27483835
Commit 27483835 authored Jan 24, 2012 by Taylor Otwell
Hide whitespace changes
Inline Side-by-side

Showing with 59 additions and 5 deletions

helpers.php laravel/helpers.php +44 -0

laravel.php laravel/laravel.php +15 -5

No files found.
--- a/laravel/helpers.php
+++ b/laravel/helpers.php
@@ -46,6 +46,10 @@ function array_get($array, $key, $default = null)
 {
 	if (is_null($key)) return $array;

+	// To retrieve the array item using dot syntax, we'll iterate through
+	// each segment in the key and look for that value. If it exists, we
+	// will return it, otherwise we will set the depth of the array and
+	// look for the next segment.
 	foreach (explode('.', $key) as $segment)
 	{
 		if ( ! is_array($array) or ! array_key_exists($segment, $array))
@@ -185,6 +189,46 @@ function array_spin($array, $callback)
 	return array_map($callback, array_keys($array), array_values($array));
 }

+/**
+ * Recursively remove slashes from array keys and values.
+ *
+ * @param  array  $array
+ * @return array
+ */
+function array_strip_slashes($array)
+{
+	foreach($array as $key => $value)
+	{
+		unset($array[$key]);
+
+		$key = stripslashes($key);
+
+		// If the value is an array, we will just recurse back into the
+		// function to keep stripping the slashes out of the array,
+		// otherwise we will set the stripped value.
+		if (is_array($value))
+		{
+			$array[$key] = array_strip_slashes($value);
+		}
+		else
+		{
+			$array[$key] = stripslashes($value);
+		}
+	}
+
+	return $array;
+}
+
+/**
+ * Determine if "Magic Quotes" are enabled on the server.
+ *
+ * @return bool
+ */
+function magic_quotes()
+{
+	return function_exists('get_magic_quotes_gpc') and get_magic_quotes_gpc();
+}
+
 /**
 * Return the first element of an array.
 *

--- a/laravel/laravel.php
+++ b/laravel/laravel.php
@@ -58,6 +58,19 @@ error_reporting(-1);

 ini_set('display_errors', 'Off');

+/**
+ * Even though "Magic Quotes" are deprecated in PHP 5.3, they may
+ * still be enabled on the server. To account for this, we will
+ * strip slashes on all input arrays if magic quotes are turned
+ * on for the server environment.
+ */
+if (magic_quotes())
+{
+	$magic = array(&$_GET, &$_POST, &$_COOKIE, &$_REQUEST);
+
+	array_walk($magic, 'array_strip_slashes');	
+}
+
 /**
 * Load the session using the session manager. The payload will
 * be registered in the IoC container as an instance so it can
@@ -99,6 +112,8 @@ switch (Request::method())
 		else
 		{
 			parse_str(file_get_contents('php://input'), $input);
+
+			if (magic_quotes()) $input = array_strip_slashes($input);
 		}
 }

@@ -110,11 +125,6 @@ switch (Request::method())
 */
 unset($input[Request::spoofer]);

-if (function_exists('get_magic_quotes_gpc') and get_magic_quotes_gpc())
-{
-	$input = array_map('stripslashes', $input);	
-}
-
 Input::$input = $input;

 /**