Project: Moodle
Issue: MDL-30480

Dirty magic quotes hack uses hazardous and deprecated casting object

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Minor
    • Resolution: Fixed
    • Affects Version/s: 1.9.14
    • Fix Version/s: 1.9.15
    • Component/s: Libraries
    • Labels:

      Description

      The dirty magic quotes hack (MDL-29033) added this code in lib/dmllib.php (lines 1467 and 1648):

      /// Extra protection against SQL injections
      foreach ((array)$dataobject as $k => $v) {
          $dataobject->$k = sql_magic_quotes_hack($v);
      }

      Casting object to array is very hazardous in PHP and deprecated (http://www.php.net/manual/en/language.types.array.php#language.types.array.casting).

      We have patched dmllib to use the "get_object_vars" PHP function instead of direct casting:

      /// Extra protection against SQL injections
      $dataobject_array = get_object_vars($dataobject);
      foreach ($dataobject_array as $k => $v) {
          $dataobject->$k = sql_magic_quotes_hack($v);
      }

      MDL-29033 was about Moodle 1.9.14 only. I did not find this code in the /lib/dmllib.php file of my Moodle 2.1.2 ...
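      The following script is an added illustration of the hazard described above and is not Moodle code; sql_magic_quotes_hack() and the Record class are constructed stand-ins. It shows that (array)$dataobject yields mangled keys ("\0*\0note") for non-public properties, that writing such a key back through $dataobject->$k fails, and that get_object_vars() avoids the problem.

```php
<?php
// Added illustration for MDL-30480 (not Moodle's own code).

// Stand-in for Moodle's sql_magic_quotes_hack(): assumed to escape
// string values for the DB layer; the real helper is in lib/dmllib.php.
function sql_magic_quotes_hack($v) {
    return is_string($v) ? addslashes($v) : $v;
}

// Constructed data object: one public column plus a protected field.
class Record {
    public $name;
    protected $note;
    public function __construct($name, $note) {
        $this->name = $name;
        $this->note = $note;
    }
}

// Original pattern from the report. The (array) cast exposes non-public
// properties under mangled names ("\0*\0note" for protected, "\0Class\0prop"
// for private). Assigning $dataobject->{"\0*\0note"} throws an Error on
// PHP 7+ (a fatal error on PHP 5), so the loop aborts mid-way.
function quote_via_cast($dataobject) {
    foreach ((array)$dataobject as $k => $v) {
        $dataobject->$k = sql_magic_quotes_hack($v);
    }
}

// Patched pattern. Called from outside the class, get_object_vars() only
// returns accessible (public) properties, so every key is a valid name.
function quote_via_object_vars($dataobject) {
    foreach (get_object_vars($dataobject) as $k => $v) {
        $dataobject->$k = sql_magic_quotes_hack($v);
    }
}

$rec = new Record("O'Brien", "it's");
echo "cast keys:            ", json_encode(array_keys((array)$rec)), "\n";
echo "get_object_vars keys: ", json_encode(array_keys(get_object_vars($rec))), "\n";

try {
    quote_via_cast($rec);
    echo "cast loop finished\n";
} catch (Throwable $e) {
    echo "cast loop failed: ", $e->getMessage(), "\n";
}

$rec2 = new Record("O'Brien", "it's");
quote_via_object_vars($rec2);
echo "patched loop: name = ", $rec2->name, "\n";
```

      The cast key list shows "\u0000*\u0000note" next to "name", which is the value the original loop then tries to use as a property name.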

                  Dates

                  • Fix Release Date: 28/Nov/11