Delicious Bookmark this on Delicious Share on Facebook SlashdotSlashdot It! Digg! Digg



PHP : Security : Magic Quotes : Disabling Magic Quotes

Disabling Magic Quotes

The magic_quotes_gpc directive may only be disabled at the system level, and not at runtime. In otherwords, use of ini_set() is not an option.

Example 10.1. Disabling magic quotes server side

An example that sets the value of these directives to Off in php.ini. For additional details, read the manual section titled How to change configuration settings.

copy to clipboard
; Magic quotes
;

; Magic quotes for incoming GET/POST/Cookie data.
magic_quotes_gpc = Off

; Magic quotes for runtime-generated data, e.g. data from SQL, from exec(), etc.
magic_quotes_runtime = Off

; Use Sybase-style magic quotes (escape ' with '' instead of \').
magic_quotes_sybase = Off

If access to the server configuration is unavailable, use of .htaccess is also an option. For example:

copy to clipboard
php_flag magic_quotes_gpc Off


In the interest of writing portable code (code that works in any environment), like if setting at the server level is not possible, here's an example to disable magic_quotes_gpc at runtime. This method is inefficient so it's preferred to instead set the appropriate directives elsewhere.

Example 10.2. Disabling magic quotes at runtime

copy to clipboard
<?php
if (get_magic_quotes_gpc()) {
   function stripslashes_deep($value)
   {
       $value = is_array($value) ?
                   array_map('stripslashes_deep', $value) :
                   stripslashes($value);

       return $value;
   }

   $_POST = array_map('stripslashes_deep', $_POST);
   $_GET = array_map('stripslashes_deep', $_GET);
   $_COOKIE = array_map('stripslashes_deep', $_COOKIE);
   $_REQUEST = array_map('stripslashes_deep', $_REQUEST);
}
?>


Code Examples / Notes » security.magicquotes.disabling

dedlfix
The function stripslashes_deep() ignores slashes in the keys
For example a query string like this: ?foo'bar=baz'bal
Output of var_dump($_GET) is:
array(1) {
 ["foo\'bar"]=>
 string(8) "baz\'bal"
}
after stripslashes_deep():
array(1) {
 ["foo\'bar"]=>
 string(7) "baz'bal"
}
If you want the keys to be stripslashed too, you have to unset() the addslahed key and to add a stripslashed version. But keep in mind that this will change the order of the array.

rdk
The function parse_str() (http://us3.php.net/manual/en/function.parse-str.php) is also affected by magic_quotes_gpc, so if that function is called anywhere, stripslashes_deep won't be sufficient by itself.

17-dec-2006 08:20
PHP's magic quotes function has the strange behavior of not adding slashes to top level keys in GPC key/value pairs but adding the slashes in deeper level keys. To demonstrate, a URI of:
example.php?a'b[c'd]=e'f
produces:
array("a'b" => array("c\'d" => "e\'f"))
The current example for removing magic quotes does not do anything to keys, so after running stripslashes_deep, you would end up with:
array("a'b" => array("c\'d" => "e'f"))
Which, needless to say, is wrong. As if you had magic quotes off, it would have been:
array("a'b" => array("c'd" => "e'f"))
I have written a snippet of code compatible with PHP 4.0.0 and above that handles this correctly:
if (get_magic_quotes_gpc()) {
function undoMagicQuotes($array, $topLevel=true) {
$newArray = array();
foreach($array as $key => $value) {
if (!$topLevel) {
$key = stripslashes($key);
}
if (is_array($value)) {
$newArray[$key] = undoMagicQuotes($value, false);
}
else {
$newArray[$key] = stripslashes($value);
}
}
return $newArray;
}
$_GET = undoMagicQuotes($_GET);
$_POST = undoMagicQuotes($_POST);
$_COOKIE = undoMagicQuotes($_COOKIE);
$_REQUEST = undoMagicQuotes($_REQUEST);
}

sunrunner20
If php_flag magic_quotes_gpc off does not work
Use php_value magic_quotes_gpc off
insteadin your .htaccess file

Change Language


Follow Navioo On Twitter
What are Magic Quotes
Why use Magic Quotes
Why not to use Magic Quotes
Disabling Magic Quotes
Terms of Service Privacy Policy Sitemap

©2024 -EPSILONSYS SOFTWARE inc

Other EPSILONSYS SOFTWARE Web Sites : Programming Resources | News Headline | Free local classifieds

eXTReMe Tracker