[pmwiki-users] Fourth Post--ZAP bugs

marc gmane at auxbuss.com
Fri Oct 27 05:52:47 CDT 2006 

The Editor said...
> Hi List,
> 
> I am about ready to pull my hair out.  This bug has got to be staring
> me in the face.
> 
> When the post is submitted, the very first thing ZAP does after
> authenticating the form and setting a few variables, is clean the post
> from potentially harmful stuff.  I use these lines:
> 
> 	foreach ($_POST as $field => $value) {
> 			if (get_magic_quotes_gpc()) $_POST[$field] = stripslashes($value);
> 			$_POST[$field] = preg_replace('/\\(:/', '(:', $value);
> 			$_POST[$field] = preg_replace('/\\{(\\w+)\\}/e', "\$_POST[$1]", $value);
> 			if (is_array($value)) $_POST[$field] = implode(",", $value);
> 			}
> 
> The first line is supposed to strip slashes, the second one disables
> directives, the third is a shortcut that inserts values from one field
> into another, and the fourth converts arrays to a CSV list.
> 
> Lines three and four work perfectly.  Lines one and two are completely
> ignored.  Actually I'd like to change line 2 to both disable
> directives and prevent accidently cutting off data by a smiley!  Now
> that I'm using (:field: var:) format.  But this doesn't work either:
> 
>          preg_replace('/\:\)/', ':)', $value);
> 
> I also tried   $_POST[$field] = stripmagic($value);  for line 1.  No difference.
> 
> I have print_r'd the complete post before and after this snippet.  The
> values are just what I expect going in, and unchanged coming out.
> Where else could the problem be?
> 
> Until this bug is fixed, there is a pretty glaring problem...

Without looking more closely, have you read this from the PHP manual:

Note: Also note that foreach operates on a copy of the specified array 
and not the array itself. Therefore, the array pointer is not modified 
as with the each() construct, and changes to the array element returned 
are not reflected in the original array. However, the internal pointer 
of the original array is advanced with the processing of the array. 
Assuming the foreach loop runs to completion, the array's internal 
pointer will be at the end of the array. 

-- 
Best,
Marc

More information about the pmwiki-users mailing list