Moodle tracker issue MDL-30480

Dirty magic quotes hack uses hazardous and deprecated casting object


    • Type: Bug
    • Resolution: Fixed
    • Priority: Minor
    • Versions: 1.9.15, 1.9.14
    • Component: Libraries

      The dirty magic quotes hack (MDL-29033) added this code in lib/dmllib.php (lines 1467 and 1648):

      /// Extra protection against SQL injections
      foreach ((array)$dataobject as $k => $v) {
          $dataobject->$k = sql_magic_quotes_hack($v);
      }

      Casting an object to an array is very hazardous in PHP and deprecated (http://www.php.net/manual/en/language.types.array.php#language.types.array.casting).

      We have patched dmllib to use the "get_object_vars" PHP function instead of direct casting:

      /// Extra protection against SQL injections
      $dataobject_array = get_object_vars($dataobject);
      foreach ($dataobject_array as $k => $v) {
          $dataobject->$k = sql_magic_quotes_hack($v);
      }

      MDL-29033 was about Moodle 1.9.14 only. I did not find this code in the /lib/dmllib.php file of my Moodle 2.1.2 ...
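      Added example, not code from this issue or from Moodle: it runs the two loop forms quoted above against a constructed class with a non-public property, using sql_magic_quotes_hack_demo() as an assumed stand-in for Moodle's sql_magic_quotes_hack() (assumed to escape like addslashes()).

```php
<?php
// Constructed class: one public and one protected property.
class Record {
    public $title = "O'Brien";
    protected $cache = 'internal';
}

// Assumed stand-in for Moodle's sql_magic_quotes_hack().
function sql_magic_quotes_hack_demo($v) {
    return is_string($v) ? addslashes($v) : $v;
}

// Variant 1 (the code the report objects to): (array) cast.
// Non-public properties come back under mangled keys ("\0*\0cache" for
// protected, "\0Record\0..." for private); writing such a key back with
// $obj->$k throws an Error in PHP 7+ (fatal error in PHP 5).
function escape_via_cast($obj) {
    foreach ((array)$obj as $k => $v) {
        $obj->$k = sql_magic_quotes_hack_demo($v);
    }
    return $obj;
}

// Variant 2 (the patched form): get_object_vars() called from outside the
// class returns only properties visible from the calling scope, so every
// key it yields can be written back.
function escape_via_object_vars($obj) {
    foreach (get_object_vars($obj) as $k => $v) {
        $obj->$k = sql_magic_quotes_hack_demo($v);
    }
    return $obj;
}

// Show the key difference between the two enumerations.
echo json_encode(array_keys((array)new Record())), "\n";      // ["title","\u0000*\u0000cache"]
echo json_encode(array_keys(get_object_vars(new Record()))), "\n"; // ["title"]

try {
    escape_via_cast(new Record());
    echo "cast variant: completed\n";
} catch (Error $e) {
    echo 'cast variant failed: ', $e->getMessage(), "\n";
}

$safe = escape_via_object_vars(new Record());
echo 'get_object_vars variant: ', $safe->title, "\n";            // O\'Brien
```

      Data objects built as stdClass only have public properties, so both loops behave the same there; the divergence appears as soon as a typed object with non-public members is passed in.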

            People: Petr Skoda (skodak), pmaury, Eloy Lafuente (stronk7)
            Votes: 0
            Watchers: 1
