Overcoming magic_quotes_gpc

PHP offers a feature called magic_quotes_gpc.  What this does is it takes all GET, POST, and COOKIE variables and applies a partial escaping to them.  Unfortunately, the escaping that it does is not good enough to pass the result directly to MySQL.  Further, when you run mysql_real_escape_string on the values, it will redo the escaping that magic_quotes_gpc did as well as the escaping that magic_quotes_gpc missed.  For this reason, it is preferred for magic_quotes_gpc to be off. However, some hosts still use it, as it is on by default. 

When magic_quotes_gpc is on with an osCommerce 3 installation, it can cause a weird looking error when editing a product with quotes or backslashes in the name or description.  Each time you edit and save, it adds backslashes before all quotes and backslashes.  Thus what starts as ” becomes \” and then \\\”, \\\\\\\”, and so forth.  This is covered in osCommerce bug report 1010.  I verified the issue and created a patch for it: 

  if ( ( function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc() )

    || ( ini_get('magic_quotes_sybase') && ( strtolower(ini_get('magic_quotes_sybase')) != "off" ) )

     )

  {

    function osc_stripslashes_callback(&$value, $key) {

      $value = stripslashes($value);

    }

    array_walk_recursive($_GET, 'osc_stripslashes_callback');

    array_walk_recursive($_POST, 'osc_stripslashes_callback');

    array_walk_recursive($_COOKIE, 'osc_stripslashes_callback');

  } 

What this code does is it checks if get_magic_quotes_gpc is on and if it is, the code undoes it by running stripslashes on all the values in the GET, POST, and COOKIE superglobal arrays (the GPC in get_magic_quotes_gpc).  The code uses array_walk_recursive so that if any of the values are arrays, those get handled as well.  The osc_stripslashes_callback function is created because stripslashes does not have the correct method signature to be called from array_walk_recursive. 

It’s possible that the code still does not handle magic_quotes_sybase correctly.  It may be that stripslashes does not cover the sybase change.  If so, then it should be relatively simple to change the code to properly cover the sybase case. 

I was browsing the osCommerce issue tracker recently and came across a request for an email templating system.  This is an interesting concept.  I looked at it a bit, and noticed that there were two issues.  The first issue is that the email layout is currently hard coded in includes/classes/order.php (as reported in that feature [...]

I’m releasing a new osCommerce add on, Checkout Redux.  Checkout Redux is a play on the phrases “checkout redone” and “checkout reduced”.  I started with the desire to do something that I meant to do five years ago, which is write a PayPal IPN contribution that worked for me.  The problem that I have with [...]

I use a WordPress plugin called the Developer Formatter to display code blocks. In general, it works well for me, but I recently went to check the W3C HTML Validator and was getting a large number of errors.  Working through them, there were four things that the validator did not like about the plugin output:  [...]

By default, if you configure osCommerce to use a particular image size in admin >> Configuration >> Images, it will rescale the image to fit that size.  If the image had a different aspect ratio, it will then appear smushed or distorted.  It’s possible to set up osCommerce such that this does not happen.  You can do so by setting admin >> Configuration >> Images >> Calculate Image Size to true and then change the tep_image function in includes/functions/html_output.php (more…)

Worked through a weird bug the other day.  A gaming computer store has products with lots of attributes — as many as fifty.  Since osCommerce stores the attributes with the product ID, the result is to make the id array that holds the attributes on the shopping cart page have exceptionally large input names.  If the name gets too large (I didn’t test it exactly, but more than two hundred characters was all right and three hundred some broke it), it gets silently dropped.  (more…)

I released a new osCommerce contribution yesterday:  Product Listing on Front Page
(more…)

A situation that was mentioned on the osCommerce forums recently started me thinking.  Currently, if someone has cookies disabled, then the osCsid (the osCommerce session ID) appears in the URL.  If such a person logs in and then emails a link to someone else, the osCsid will be included in that URL (unless they remove [...]

In response to a request on the osCommerce forums, I wrote up a method for changing automatically among drop downs for the various zones and the text input.  The request was made to get it bundled into a contribution, and since there was unfinished work, I went ahead and did it.  The DHTML State Selection [...]

Recently, someone posted in the osCommerce forums looking for a way to upload product images into folders.  I found a post that I made six years ago:  Setting upload image destination in categories.php, Admin change.  Surprisingly, the post was remarkably accurate with the more modern osCommerce RC2a, even the line numbers were only a couple [...]