On $modSettings['integrate_magic_quotes'] May 13, 2013, 05:51:46 am Just a quick bunch of thoughts that bug me.$modSettings['integrate_magic_quotes'] is used in QueryString.php, cleanRequest(). It's afaict, the only occurrence which needs database loaded, before executing cleanRequest().I want to reverse the order of execution. For security reasons, and because frankly it doesn't quite make much sense, to not be able to cleanup the URL without loading database first.https://github.com/elkarte/Elkarte/blob/master/sources/QueryString.php#L92This is even deprecated from PHP. But can you think of something I am missing here? Is this setting really used? Is there a scenario - PHP versions, bugs, security holes to fill manually (ah the joy) - where you really need to set up such option for your site? And if there is, can't do it otherwise than in db?If we rework cleanRequest() without this, we'd be able to do it before the database is loaded. I see that as a big gain. (it'd have saved some security issues in SMF we had, because the db init code was executed while a bunch of $_GLOBALS were still uncleaned).Thoughts?
Re: On $modSettings['integrate_magic_quotes'] Reply #1 – May 13, 2013, 09:34:43 am Never heard of this one.. A quick search on the SMF site returned this nice post from Arantor Arantor's post is for 2.0 RC3, so that hook was probably related to a bridge.http://www.simplemachines.org/community/index.php?topic=371860.msg2548249#msg2548249Maybe it was a needed feature (or just an implemented idea) for a specific bridge (at least the old bridges from Orstio don't use it) ?!?
Re: On $modSettings['integrate_magic_quotes'] Reply #2 – May 13, 2013, 09:48:17 am Orstio added it just in case a bridge ever needed to rely on certain magic quotes behaviour, i.e. a system that demanded magic quotes be on rather than the far more sane 'off'. But I don't think it's ever been used.
Re: On $modSettings['integrate_magic_quotes'] Reply #3 – May 13, 2013, 01:16:03 pm Remove it. Remove everything to do with magic quotes and demand/require they be turned off . Check that in the install.
Re: On $modSettings['integrate_magic_quotes'] Reply #4 – May 13, 2013, 01:35:05 pm In PHP 5.4 it's gone entirely anyway, so yes, it should be removed.