These are the top lines of my init script. Most of it I got from PHPBB2; I compared it with PHP3 a while ago, and although they reformatted it a bit, most of the functionality is the same.
[code]// Report only E_ERROR, E_WARNING and E_PARSE (E_NOTICE and every other level is not reported)
// Baseline mask: fatal errors, warnings and parse errors. E_NOTICE is left
// out, so reads of uninitialised variables are NOT reported.
error_reporting(E_PARSE | E_WARNING | E_ERROR);
// Debug override: this second call replaces the mask set just above, so every
// error level is reported. COMMENT THIS LINE OUT WHEN LIVE.
// NOTE(review): on a live site also confirm that display_errors is off, so
// messages go to the log and not into the page.
error_reporting(E_ALL);
// Switch magic_quotes_runtime off so data read back from files or the
// database is not escaped a second time behind the script's back.
set_magic_quotes_runtime(0);
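// Protect against GLOBALS tricks: stop the request if the form body, the
// uploaded files, the query string or the cookies carry a field called GLOBALS.
// The superglobals are tested because they are what the rest of this script
// reads. The $HTTP_*_VARS arrays tested before are only filled on PHP 5 when
// register_long_arrays is on (and are gone in later versions), so on such a
// setup the old test could never fire.
if (isset($_POST['GLOBALS']) || isset($_FILES['GLOBALS']) || isset($_GET['GLOBALS']) || isset($_COOKIE['GLOBALS']))
{
    die('Houston, we\'ve got an problem');
}
// Protect against session tricks: if $_SESSION exists at this point it has
// to be an array; anything else means it was overwritten, so stop here.
if (isset($_SESSION) && !is_array($_SESSION))
{
    die('Houston, we\'ve got an problem');
}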
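// With register_globals on, PHP creates a global variable for every request
// field. Remove those copies again so that only the superglobals carry
// request data into the rest of the script.
if (@ini_get('register_globals') == '1' || strtolower(@ini_get('register_globals')) == 'on')
{
    // Names that must survive the clean-up. They are written WITHOUT the
    // leading '$' because they are compared with array keys below; with the
    // '$' in the string no key could ever match, so the list protected nothing.
    // NOTE(review): the original listed $_POST twice. The GLOBALS guard earlier
    // in this script also looks at uploaded files, so $_FILES is assumed to be
    // the intended seventh entry -- confirm.
    $not_unset = array('_GET', '_POST', '_COOKIE', '_SERVER', '_SESSION', '_ENV', '_FILES');
    // array_merge does not just warn when an argument is not an array, it
    // fails, so make sure $_SESSION is an array first.
    if (!isset($_SESSION) || !is_array($_SESSION))
    {
        $_SESSION = array();
    }
    // One big array holding every name register_globals may have turned into
    // a variable; it is thrown away again at the end.
    $input = array_merge($_GET, $_POST, $_COOKIE, $_SERVER, $_SESSION, $_ENV, $_FILES);
    // Never let a request field named after the two working variables of this
    // block remove them while the loop is still running.
    unset($input['input']);
    unset($input['not_unset']);
    // foreach replaces the while/list/each loop (each() is gone in current
    // PHP). Keys are cast to string and compared strictly, so a numeric key
    // cannot loosely match one of the protected names.
    foreach (array_keys($input) as $var)
    {
        if (!in_array((string) $var, $not_unset, true))
        {
            unset($$var);
        }
    }
    unset($input);
}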
// addslashes to vars if magic_quotes_gpc is off
// this is a security precaution to prevent someone
// trying to break out of a SQL statement.
$get_magic_quotes_gpc = get_magic_quotes_gpc();
if ( ! get_magic_quotes_gpc() )
{
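// Escape every query-string value (page.php?var1=value&var2=value).
// NOTE(review): addslashes only helps where the value ends up inside a quoted
// SQL string; numeric contexts still need validation, and the database
// driver's own escaping or bound parameters are the stronger choice.
if ( is_array($_GET) )
{
    foreach ( $_GET as $key => $value )
    {
        // The test has to look at the VALUE: a key is never an array, so
        // testing the key sent array fields (var[]=a) through the scalar
        // branch and they were never escaped element by element.
        if ( is_array($value) )
        {
            // NOTE(review): only one level of nesting is walked; confirm the
            // application never reads deeper arrays from the request.
            foreach ( $value as $key2 => $value2 )
            {
                $_GET[$key][$key2] = addslashes($value2);
            }
        }
        else
        {
            $_GET[$key] = addslashes($value);
        }
    }
    @reset($_GET);
}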
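// Escape every submitted form value.
// NOTE(review): addslashes only helps where the value ends up inside a quoted
// SQL string; numeric contexts still need validation, and the database
// driver's own escaping or bound parameters are the stronger choice.
if ( is_array($_POST) )
{
    foreach ( $_POST as $key => $value )
    {
        // The test has to look at the VALUE: a key is never an array, so
        // testing the key sent array fields (name="var[]") through the scalar
        // branch and they were never escaped element by element.
        if ( is_array($value) )
        {
            // NOTE(review): only one level of nesting is walked; confirm the
            // application never reads deeper arrays from the request.
            foreach ( $value as $key2 => $value2 )
            {
                $_POST[$key][$key2] = addslashes($value2);
            }
        }
        else
        {
            $_POST[$key] = addslashes($value);
        }
    }
    @reset($_POST);
}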
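// Escape every cookie value. Cookies are sent by the client just like GET and
// POST data, so they get the same treatment.
// NOTE(review): addslashes only helps where the value ends up inside a quoted
// SQL string; numeric contexts still need validation, and the database
// driver's own escaping or bound parameters are the stronger choice.
if ( is_array($_COOKIE) )
{
    foreach ( $_COOKIE as $key => $value )
    {
        // The test has to look at the VALUE: a key is never an array.
        if ( is_array($value) )
        {
            // The inner loop variable was misspelled ($keyu2), so the write
            // below used an undefined index.
            // NOTE(review): only one level of nesting is walked.
            foreach ( $value as $key2 => $value2 )
            {
                $_COOKIE[$key][$key2] = addslashes($value2);
            }
        }
        else
        {
            // Write the result back into $_COOKIE. Assigning it to $key only
            // changed the loop variable, so cookie values stayed unescaped.
            $_COOKIE[$key] = addslashes($value);
        }
    }
    @reset($_COOKIE);
}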
}[/code]
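The last part is there to make sure that all $_GET, $_POST and $_COOKIE variables have slashes. In my scripts I never have to worry about them
(except when echoing $_GET or $_POST values: you'll have to remove the slashes first, of course, and then escape the value for HTML, e.g. with htmlspecialchars()). The slashes only help where the value ends up inside quotes in the query; a value used as a bare number still has to be checked, e.g. with intval().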