Hi,
We created a script to create and update courses in Moodle. The script makes use of the Moodle API.
Since Moodle 1.9.14, which includes MDL-29033 (the dirty magic quotes hack), the script crashes.
We found that the problem comes from code in lib/dmllib.php (lines 1467 and 1648):

    /// Extra protection against SQL injections
    foreach ((array)$dataobject as $k => $v) {
        $dataobject->$k = sql_magic_quotes_hack($v);
    }
In our script we use private methods and properties in the course and user objects. When our object is written to the database, the new "magic quotes hack" fails to convert it to an array. Casting an object to an array is very hazardous in PHP and deprecated (http://www.php.net/manual/en/language.types.array.php#language.types.array.casting).
We have patched dmllib to use the "get_object_vars" PHP function instead of a direct cast. This way private properties and methods are handled correctly.

    /// Extra protection against SQL injections
    $dataobject_array = get_object_vars($dataobject);
    foreach ($dataobject_array as $k => $v) {
        $dataobject->$k = sql_magic_quotes_hack($v);
    }
What do you think about that?
NB: I cannot access the MDL-29033 page: I get the message "Permission Violation". So I posted my comment here, but maybe it is not the best place?
We found the link to the MDL-29033 page here : http://moodle.org/security/
Pascal
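The following added example is not Moodle code and not part of Pascal's post; it illustrates what the two property-enumeration strategies discussed above actually see when the data object carries non-public properties. The class name `CourseRecord`, the sample values and the `escape_value()` stand-in for `sql_magic_quotes_hack()` are all assumptions made for the demonstration.

```php
<?php
// Added example (not Moodle code): compares the two ways dmllib.php could enumerate
// the properties of a data object before escaping them. CourseRecord and
// escape_value() are hypothetical stand-ins for the page's objects and
// sql_magic_quotes_hack().

class CourseRecord {
    public    $fullname  = "Intro to PHP's arrays";
    protected $shortname = "php'101";
    private   $summary   = "O'Reilly";
}

// Stand-in for sql_magic_quotes_hack(): simple addslashes-style escaping.
function escape_value($v) {
    return is_string($v) ? addslashes($v) : $v;
}

// Variant A: the (array) cast. Non-public properties come back with mangled keys:
//   "\0*\0shortname"           for protected
//   "\0CourseRecord\0summary"  for private
// Writing such a key back with $obj->$k fails, because PHP refuses property
// names that start with a NUL byte. This is the crash the post describes.
function cast_keys($obj) {
    // NUL bytes are rendered as \000 so the mangled keys are visible when printed.
    return array_map(function ($k) { return addcslashes($k, "\0"); },
                     array_keys((array)$obj));
}

// Variant B: get_object_vars() called from outside the class returns only the
// properties accessible from the calling scope, i.e. the public ones. No crash,
// but protected/private values never pass through the escaping function.
function escape_public_props($obj) {
    foreach (get_object_vars($obj) as $k => $v) {
        $obj->$k = escape_value($v);
    }
    return $obj;
}

// Defensive check: compare the two views. Any key present in the cast but absent
// from get_object_vars() is a property that escape_public_props() silently skipped,
// so the caller can fail closed (reject the object) instead of writing it unescaped.
function unescaped_props($obj) {
    $all     = array_keys((array)$obj);
    $public  = array_keys(get_object_vars($obj));
    $skipped = array();
    foreach (array_diff($all, $public) as $k) {
        // Strip the "\0Class\0" or "\0*\0" visibility prefix for a readable name.
        $parts     = explode("\0", $k);
        $skipped[] = end($parts);
    }
    return $skipped;
}

$rec = new CourseRecord();
print_r(cast_keys($rec));        // fullname, \000*\000shortname, \000CourseRecord\000summary
$rec = escape_public_props($rec);
var_dump($rec->fullname);        // escaped: Intro to PHP\'s arrays
print_r(unescaped_props($rec));  // shortname, summary: still hold unescaped quotes
```

The point for anyone reviewing the patch: replacing the cast with `get_object_vars()` removes the fatal error, but from dmllib's scope it also removes non-public properties from the escaping loop entirely. A check like `unescaped_props()` makes that gap visible so the caller can decide whether such objects should be rejected before they reach the database layer.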