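/**
 * Recursively "clean" a configuration value before it is persisted.
 *
 * Cleaning consists of two parts:
 *
 *  - Any string containing "<script" (in any letter case) is replaced by the
 *    empty string. This is a very narrow blocklist heuristic against the most
 *    naive stored payloads, not an HTML sanitizer; values still have to be
 *    escaped for their output context when they are rendered.
 *  - When magic_quotes_gpc is enabled, the backslashes it added in front of
 *    quotes are stripped again. get_magic_quotes_gpc() was deprecated in
 *    PHP 7.4 and removed in 8.0, so it is only consulted when it exists;
 *    calling it unconditionally is a fatal error on modern runtimes.
 *
 * Arrays are cleaned element by element (keys are left untouched); any other
 * type is returned unchanged.
 *
 * @param mixed $config value to be cleaned (string, array, or anything else).
 * @return mixed a cleaned copy of $config; the argument itself is not modified.
 */
function config_clean($config)
{
    if (is_array($config)) {
        // array_map with a single array argument preserves keys and returns a
        // fresh array, avoiding the dangling slot a "foreach by reference"
        // loop leaves behind in the returned array.
        return array_map('config_clean', $config);
    }

    if (!is_string($config)) {
        return $config;
    }

    // stripos is the case-insensitive form of strpos(strtolower(...)).
    if (stripos($config, '<script') !== false) {
        $config = '';
    }

    // Guarded so the function keeps working where get_magic_quotes_gpc()
    // no longer exists; behaviour on older PHP is unchanged.
    if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
        $config = stripslashes($config);
    }

    return $config;
}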
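/**
 * Store a plugin's configuration in the database.
 *
 * The configuration is passed through config_clean() and then written to
 * the plugins table twice: as a base64-encoded PHP serialization in the
 * config column and as JSON (via config_json_encode()) in the config_json
 * column.
 * <code>
 * <?php
 * $plugin_config['a'] = 1;
 * $plugin_config['b'] = 2;
 * set_plugin_config('myplugin', $plugin_config);
 * ?>
 * </code>
 *
 * Every value interpolated into the SQL text is run through the active
 * driver's escaping function, including $plugin_name; the base64 payload
 * needs no escaping because its alphabet contains no quote characters.
 * The statement is still built by string interpolation rather than as a
 * prepared statement, so the escaping is the only barrier.
 *
 * Reads the globals $db (connection handle), $use_mysqli (driver selector)
 * and $mysql_charset (when unset, the JSON is transliterated to ISO-8859-1
 * before storage).
 *
 * @param string $plugin_name Plugin name
 * @param mixed $config Configuration variable to store.
 * @return bool always true; the result of sql_query() is not inspected.
 * @see get_plugin_config
 */
function set_plugin_config($plugin_name, $config)
{
    global $db, $use_mysqli, $mysql_charset;

    $config = config_clean($config);
    $config_ser_bin = base64_encode(serialize($config));
    $config_ser_json = config_json_encode($config);

    if (!isset($mysql_charset)) {
        // iconv() returns false when a character cannot be converted even
        // with //TRANSLIT; keep the UTF-8 text in that case instead of
        // persisting an empty config_json.
        $converted = iconv('UTF-8', 'ISO-8859-1//TRANSLIT', $config_ser_json);
        if ($converted !== false) {
            $config_ser_json = $converted;
        }
    }

    // Select the escaping function once so every interpolated value takes
    // the same path (the mysql_* extension only exists on PHP < 7).
    if ($use_mysqli) {
        $escape = function ($value) use ($db) {
            return mysqli_real_escape_string($db, $value);
        };
    } else {
        $escape = 'mysql_real_escape_string';
    }

    $config_ser_json = $escape($config_ser_json);
    // Cast first: interpolation would stringify it anyway, and the escape
    // functions require a string.
    $plugin_name_esc = $escape((string) $plugin_name);

    sql_query("UPDATE plugins SET config='$config_ser_bin', config_json='$config_ser_json' WHERE name='$plugin_name_esc'");

    return true;
}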