[wp-trac] Re: [WordPress Trac] #7197: With magic_quotes_gpc on you
can't change password to anything with " or ' inside.
WordPress Trac
wp-trac at lists.automattic.com
Fri Aug 15 21:02:25 GMT 2008
#7197: With magic_quotes_gpc on you can't change password to anything with " or '
inside.
--------------------------------------+-------------------------------------
Reporter: sesee | Owner: anonymous
Type: defect | Status: new
Priority: normal | Milestone: 2.9
Component: Administration | Version: 2.5.1
Severity: normal | Resolution:
Keywords: has-patch, needs-testing |
--------------------------------------+-------------------------------------
Changes (by mystyman):
* keywords: => has-patch, needs-testing
Comment:
I'm currently running svn r8647 from Aug 14th.
It appears that you cannot use passwords with these characters in them, even
with magic_quotes_gpc off.
In wp-settings.php the slashes are already stripped off if
magic_quotes_gpc is on, from lines 481 - 485:
{{{
if ( get_magic_quotes_gpc() ) {
    $_GET    = stripslashes_deep($_GET   );
    $_POST   = stripslashes_deep($_POST  );
    $_COOKIE = stripslashes_deep($_COOKIE);
}
}}}
However, just after that, slashes are added back in all cases
(magic_quotes_gpc on or off):
{{{
$_GET    = add_magic_quotes($_GET   );
$_POST   = add_magic_quotes($_POST  );
$_COOKIE = add_magic_quotes($_COOKIE);
$_SERVER = add_magic_quotes($_SERVER);
}}}
add_magic_quotes just calls the function $wpdb->escape, which at this time just
calls the PHP function addslashes.
I am uploading a patch that alters the add_magic_quotes function to have a
second optional arg, a 'donottouch' array, which holds the names of keys to NOT
apply $wpdb->escape to. Currently I'm using array('pwd','pass1','pass2')
when setting the $_POST var in wp-settings.
--
Ticket URL: <http://trac.wordpress.org/ticket/7197#comment:2>
WordPress Trac <http://trac.wordpress.org/>
WordPress blogging software
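
The skip-list idea described in the comment above, as an added PHP sketch; it is not WordPress core code and not the patch attached to the ticket. The function names `add_magic_quotes_except` and `report`, the sample form values, and `password_hash` as a stand-in for the application's hasher are assumptions; `addslashes` stands in for `$wpdb->escape`, as the comment describes.

```php
<?php
// Added illustration: not WordPress core code and not the patch attached to the ticket.

// Recursively escape request values, skipping keys listed in $donottouch.
// addslashes() stands in for $wpdb->escape(), as the comment describes.
function add_magic_quotes_except(array $array, array $donottouch = array()) {
    foreach ($array as $k => $v) {
        // Strict comparison: a loose in_array() can match integer keys such
        // as 0 against any non-numeric string on PHP versions before 8.
        if (in_array($k, $donottouch, true)) {
            continue; // credential field: keep the exact bytes that were submitted
        }
        $array[$k] = is_array($v)
            ? add_magic_quotes_except($v, $donottouch)
            : addslashes($v);
    }
    return $array;
}

// Hash the value the application would see, then check whether the password
// the user actually typed verifies against it. password_hash() is a stand-in
// for the application's own hasher (assumption).
function report(array $request, $typed) {
    $stored = password_hash($request['pass1'], PASSWORD_DEFAULT);
    return array(
        'pass1_seen_by_app' => $request['pass1'],
        'typed_verifies'    => password_verify($typed, $stored),
    );
}

// Constructed sample submission; all values are made up.
$typed = 'it"s-a\'secret';
$post  = array('user_login' => "o'brien", 'pass1' => $typed, 'pass2' => $typed);

// Escaping every key, as the quoted wp-settings.php lines do.
var_export(report(add_magic_quotes_except($post), $typed));
echo "\n";

// Escaping with the password keys named in the comment left untouched.
var_export(report(add_magic_quotes_except($post, array('pwd', 'pass1', 'pass2')), $typed));
echo "\n";
```

With the constructed input, the first report shows `pass1` with backslashes inserted and `typed_verifies` false; the second shows the password unchanged and `typed_verifies` true.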