From 530788e1c5d8fc545a7eaff18b3939a090ed8249 Mon Sep 17 00:00:00 2001
From: dave <dave>
Date: Sun, 18 Apr 2010 22:40:07 +0000
Subject: [PATCH] Require that magic_quotes is OFF.

---
 common.inc.php | 23 +++++++++++++++++++++++
 1 file changed, 23 insertions(+)

diff --git a/common.inc.php b/common.inc.php
index fd6ff10..242c584 100644
--- a/common.inc.php
+++ b/common.inc.php
@@ -169,6 +169,29 @@ if($dbcodeversion!=$dbdbversion)
 	exit;
 }
 
+/* Check that magic_quotes is OFF */
+if(get_magic_quotes_gpc()) {
+?>
+	<html><head><title>SFIAB ERROR</title></head><body>
+	<h1>Science Fair In A Box - ERROR</h1>
+	<p>Your PHP configuration has magic_quotes ENABLED.  They should be
+	disabled, and are disabled in the .htaccess file, so your server is
+	ignoring the .htaccess file or overriding it.
+	<p>Magic quotes is DEPRECATED as of PHP 5.3.0, REMOVE as of 6.0, but ON
+	by default for any PHP &lt; 5.3.0.  
+	<p>It's a pain in the butt because PHP runs urldecode() on all inputs 
+	from GET and POST, but if it sees the string has quotes, then it escapes
+	existing quotes before passing it to us.  This is a problem for json_decode
+	where we do not want this behaviour, and thus need to pass through stripslashes()
+	first, but only if magicquotes is ON.  If it's off, stripslashes will
+	break json_decode.
+	<p>Add <pre>php_flag magic_quotes_gpc off</pre> to the .htacces, or add
+	<pre>php_flag magic_quotes_gpc=off</pre> to php.ini
+
+	<br></body></html>
+<?
+	exit;
+}
 
 //now pull the rest of the configuration
 $q=mysql_query("SELECT * FROM config WHERE year='".$config['FAIRYEAR']."'");