Moodle - MDL-30480

Dirty magic quotes hack uses hazardous and deprecated casting object


Details

    • Bug
    • Status: Closed
    • Minor
    • Resolution: Fixed
    • 1.9.14
    • 1.9.15
    • Libraries

    Description

      The dirty magic quotes hack (MDL-29033) added this code to lib/dmllib.php (lines 1467 and 1648):

      /// Extra protection against SQL injections
      foreach ((array)$dataobject as $k => $v) {
          $dataobject->$k = sql_magic_quotes_hack($v);
      }

      Casting an object to an array is very hazardous in PHP and deprecated (http://www.php.net/manual/en/language.types.array.php#language.types.array.casting).

      We have patched dmllib to use the "get_object_vars" PHP function instead of a direct cast:

      /// Extra protection against SQL injections
      $dataobject_array = get_object_vars($dataobject);
      foreach ($dataobject_array as $k => $v) {
          $dataobject->$k = sql_magic_quotes_hack($v);
      }
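      As an added example (not code from this tracker issue or from Moodle; the `Record` class is constructed and `quote_value()` is an assumed stand-in for `sql_magic_quotes_hack()`), this PHP script shows what the `(array)` cast exposes when a data object has non-public properties and why the `get_object_vars()` version writes back cleanly:

```php
<?php
// Added example, not code from the tracker issue or from Moodle itself. It
// shows the difference the report is about: (array)$obj exposes non-public
// properties under NUL-mangled keys, while get_object_vars($obj), called from
// outside the class, returns only the accessible (public) ones.

class Record {                       // constructed sample data object
    public    $name   = "O'Reilly";
    protected $note   = "don't";
    private   $secret = "it's";
}

// Stand-in for sql_magic_quotes_hack() (assumption: a plain quote escaper).
function quote_value($v) {
    return is_string($v) ? str_replace("'", "''", $v) : $v;
}

// Safe variant of the loop from the report: iterate get_object_vars().
function quote_object_fields($obj) {
    foreach (get_object_vars($obj) as $k => $v) {
        $obj->$k = quote_value($v);
    }
    return $obj;
}

$obj = new Record();

// Keys seen by the cast; NUL bytes made visible for printing.
foreach ((array)$obj as $k => $v) {
    echo str_replace("\0", '\0', $k), "\n";
}
// name
// \0*\0note
// \0Record\0secret

// The cast-based loop from the report tries to assign $obj->{"\0*\0note"};
// PHP 7+ throws an Error for such a name (PHP 5 stopped with a fatal error),
// so the loop aborts at the first non-public property.
try {
    foreach ((array)$obj as $k => $v) {
        $obj->$k = quote_value($v);
    }
} catch (Error $e) {
    echo get_class($e), ": ", $e->getMessage(), "\n";
}

// get_object_vars() only yields 'name', so the write-back is well defined.
$safe = quote_object_fields(new Record());
echo $safe->name, "\n";   // O''Reilly
```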

      MDL-29033 was about Moodle 1.9.14 only. I did not find this code in the /lib/dmllib.php file of my Moodle 2.1.2 ...

      People

        skodak Petr Skoda
        pmaury pmaury
        Eloy Lafuente (stronk7) Eloy Lafuente (stronk7)
        Eloy Lafuente (stronk7) Eloy Lafuente (stronk7)
        Amaia Anabitarte, Carlos Escobedo, Ferran Recio, Ilya Tregubov, Laurent David, Raquel Ortega, Sara Arjona (@sarjona)

      Dates

        Created:
        Updated:
        Resolved: 28/Nov/11