WebCalendar without magic quotes gpc

From WebCalendar Wiki

The following steps worked for me to get WebCalendar 1.0.2 up and running on Apache 1.3.33 with PHP 4.3 running as a CGI, with magic_quotes_gpc turned off. This requires editing PHP code.

This was done on an install using an Oracle database. The change to config.php may be enough to get a similar setup running on MySQL; however, since Oracle doesn't escape quotes with backslashes, but instead with another quote, I had to do the extra step described at the end.

Install WebCalendar per the directions. When you first try to access the front page to log in, you'll get an error saying you must have magic_quotes_gpc turned on.

Open the file includes/config.php. Around line 282 you should see this:

if ( get_magic_quotes_gpc () == 0 ) {

I have replaced that if{} block with the following code:

if ( get_magic_quotes_gpc () == 0 ) {
  /**
  Mimic magic_quotes_gpc by using addslashes() on all GET, POST, COOKIE data.
  This will only work if this file remains included before functions.php  where 
  this data will be extracted into the global variable space.  
  (see functions.php lines 88 thru 143)
  */
  unset($HTTP_GET_VARS);
  unset($HTTP_POST_VARS);
  unset($HTTP_COOKIE_VARS);
  
  $tmp = $_GET;
  foreach ($tmp as $key=>$value)
    $_GET[$key] = my_addslashes($value);
  
  $tmp = $_POST;
  foreach ($tmp as $key=>$value)
    $_POST[$key] = my_addslashes($value);
  
  $tmp = $_COOKIE;
  foreach ($tmp as $key=>$value)
    $_COOKIE[$key] = my_addslashes($value);
} 

function my_addslashes($mixed) {
  if (is_scalar($mixed)) {
    return addslashes($mixed);
  } else if (is_array($mixed)) {
    $tmp = $mixed;
    foreach ($tmp as $key=>$value) {
      $mixed[$key] = my_addslashes($value);
    }
    return $mixed;
  } else {
    die_miserable_death ("Not configured to mimic magic_quotes_gpc on entities of this type: ".gettype($mixed));
  }
}

Oracle

The rest of this article pertains to Oracle only...

To appease Oracle's method of escaping single-quotes in input, I had to edit includes/php-dbi.php with the following (sub-optimal) hack. In the function dbi_query() you should find this line:

else if ( $GLOBALS["db_type"] == "oracle" ) {

This is the code to parse and execute the pre-built SQL query. Unfortunately the query is already put together in final form, making it difficult to extract each individual single-quoted value. Instead I decided to merely replace backslash-escaped single quotes with Oracle-style escaping, and remove slashes from double quotes.

Replace the else if {} block beginning with the above line, with this:

else if ( $GLOBALS["db_type"] == "oracle" ) {
   // Convert addslashes()-style escapes to Oracle's: \' becomes '', \" becomes ", \\ becomes \
   $sql = str_replace(
       array("\\'", '\"', "\\\\"), 
       array("''", '"', "\\"), 
       $sql);
   $GLOBALS["oracle_statement"] =
     OCIParse ( $GLOBALS["oracle_connection"], $sql );
   if (!$GLOBALS["oracle_statement"]) {
     die_miserable_death("Failed to parse query:\n$sql");
   }
   return OCIExecute ( $GLOBALS["oracle_statement"], OCI_COMMIT_ON_SUCCESS );
}

NOTE: this leaves some bugs, probably ones I haven't thought of yet, but one that I know of is that the query will FAIL if the final character of one of the inputted values is a backslash.
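
The trailing-backslash failure noted above, reproduced as an added example (not part of the original article or of WebCalendar; the function names, table name and sample values are constructed for illustration). It runs the three-pass str_replace() rewrite next to a single-pass strtr() rewrite that consumes an escaped backslash as a unit, so the closing quote of the value is never mistaken for an escaped one.

```php
<?php
// Added example, not WebCalendar code. Function names are hypothetical.

// The rewrite from the article: three passes over the whole query, in order.
// Pass 1 looks for \' anywhere, so the second backslash of a trailing \\
// pairs up with the quote that closes the value.
function oracle_quotes_sequential($sql) {
  return str_replace(
    array("\\'", '\\"', "\\\\"),
    array("''", '"', "\\"),
    $sql);
}

// Single left-to-right pass: strtr() with an array tries the longest key at
// each position and never rescans its own output, so \\ is consumed as a
// pair before \' can match its second backslash.
function oracle_quotes_single_pass($sql) {
  return strtr($sql, array(
    "\\\\" => "\\",
    "\\'"  => "''",
    '\\"'  => '"'
  ));
}

// Constructed inputs, as they would arrive with magic_quotes_gpc off.
// The third one ends in a backslash: C:\temp\
$samples = array("O'Brien", 'say "hi"', "C:\\temp\\");

foreach ($samples as $raw) {
  // config.php step: mimic magic_quotes_gpc with addslashes()
  $sql = "UPDATE t SET name = '" . addslashes($raw) . "' WHERE id = 1";
  echo "input:       $raw\n";
  echo "built query: $sql\n";
  echo "sequential:  " . oracle_quotes_sequential($sql) . "\n";
  echo "single pass: " . oracle_quotes_single_pass($sql) . "\n\n";
}
```

For the first two inputs both rewrites give the same query. For the third, the sequential version turns the closing quote into `''`, leaving the literal unterminated, while the single-pass version yields `'C:\temp\'`.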
