Require that magic_quotes is OFF.

2010-04-18 22:40:07 +00:00 · 2010-04-18 22:40:07 +00:00 · 530788e1c5
commit 530788e1c5
parent 5e9ee05606
1 changed files with 23 additions and 0 deletions
--- a/common.inc.php
+++ b/common.inc.php
@ -169,6 +169,29 @@ if($dbcodeversion!=$dbdbversion)
 	exit;
 }

+/* Check that magic_quotes is OFF */
+if(get_magic_quotes_gpc()) {
+?>
+	<html><head><title>SFIAB ERROR</title></head><body>
+	<h1>Science Fair In A Box - ERROR</h1>
+	<p>Your PHP configuration has magic_quotes ENABLED.  They should be
+	disabled, and are disabled in the .htaccess file, so your server is
+	ignoring the .htaccess file or overriding it.
+	<p>Magic quotes is DEPRECATED as of PHP 5.3.0, REMOVE as of 6.0, but ON
+	by default for any PHP &lt; 5.3.0.  
+	<p>It's a pain in the butt because PHP runs urldecode() on all inputs 
+	from GET and POST, but if it sees the string has quotes, then it escapes
+	existing quotes before passing it to us.  This is a problem for json_decode
+	where we do not want this behaviour, and thus need to pass through stripslashes()
+	first, but only if magicquotes is ON.  If it's off, stripslashes will
+	break json_decode.
+	<p>Add <pre>php_flag magic_quotes_gpc off</pre> to the .htacces, or add
+	<pre>php_flag magic_quotes_gpc=off</pre> to php.ini
+
+	<br></body></html>
+<?
+	exit;
+}

 //now pull the rest of the configuration
 $q=mysql_query("SELECT * FROM config WHERE year='".$config['FAIRYEAR']."'");