Fixed slash quotation problems on direct POST var reuse.
[fa-stable.git] / includes / session.inc
index 9089c693111ead3c2a6a29688c74afb378ddfae4..0e7d31138d0d35d32eb9e774fad08fcddc5584fe 100644 (file)
                }
        }
 
+       //-----------------------------------------------------------------------------
+       //      Removing magic quotes from nested arrays/variables
+       //
+       function strip_quotes($data)
+       {
+               if(get_magic_quotes_gpc()) {
+                       if(is_array($data)) {
+                               foreach($data as $k => $v) {
+                                       $data[$k] = strip_quotes($data[$k]);
+                               }
+                       } else
+                               return stripslashes($data);
+               }
+               return $data;
+       }
+
+
        //----------------------------------------------------------------------------------------
        if (!isset($_SESSION["wa_current_user"]) ||
                (isset($_SESSION["wa_current_user"]) && !$_SESSION["wa_current_user"]->logged_in()))
 
        check_page_security($page_security);
 
-
+// POST vars cleanup needed for direct reuse.
+// We quote all values later with db_escape() before db update.
+       $_POST = strip_quotes($_POST);
 
 ?>
\ No newline at end of file
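Review bot: Stripping magic quotes with `$_POST = strip_quotes($_POST);` at the end of session.inc removes the implicit escaping that any query built straight from POST values was relying on, so from this line on every SQL sink has to pass its values through `db_escape()`. The added comment asserts that this happens, but the call sites are outside this page and nothing in the visible change enforces it, so they should be audited alongside this commit. Only `$_POST` is normalised: `$_GET`, `$_COOKIE` and `$_REQUEST` keep their slashes, so the same field behaves differently depending on which array a page reads, and a value taken from those arrays would be escaped twice by `db_escape()`. `strip_quotes()` also leaves array keys untouched, which may matter if the targeted PHP versions add slashes to keys of nested arrays. I would make the contract explicit in the comment, e.g. `// From here on $_POST holds raw user input: never put it into SQL without db_escape() or into HTML without output escaping.`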