magic_quotes_gpc

Ree
Forum Regular
Posts: 592
Joined: Fri Jun 10, 2005 1:43 am
Location: LT

magic_quotes_gpc

Post by Ree »

Can I always safely use ini_set() to have magic_quotes_gpc off in all my scripts instead of messing with various corrections depending on magic_quotes_gpc being on or off in php.ini?

EDIT: hmm, it seems you can't switch magic_quotes_gpc on/off during runtime. A pity :roll:
Roja
Tutorials Group
Posts: 2692
Joined: Sun Jan 04, 2004 10:30 pm

Post by Roja »

it seems you can't switch magic_quotes_gpc on/off during runtime
Huh?

Code:

if (get_magic_quotes_gpc())
{
    ini_set ('magic_quotes_gpc', 0);
}
...
ini_set ('magic_quotes_sybase', 0);
set_magic_quotes_runtime (0);
raghavan20
DevNet Resident
Posts: 1451
Joined: Sat Jun 11, 2005 6:57 am
Location: London, UK

Post by raghavan20 »

I have seen that most people don't really switch magic quotes; instead, if they find magic quotes is on, they use mysql_real_escape_string to quote the inputs for the SQL string.
Ex:

Code:

function quoteStrings($str){
	if(get_magic_quotes_gpc()){
		$str = stripslashes($str);//strip existing slashes when magic quotes is on
	}
	$str = mysql_real_escape_string($str);//escape the string anyhow
	return $str;//hand the escaped string back to the caller
}
Syranide
Forum Contributor
Posts: 281
Joined: Fri May 20, 2005 3:16 pm
Location: Sweden

Post by Syranide »

Well that is wrong-wrong.
This is the way it should be done:

Code:

if (get_magic_quotes_gpc()) {
    function stripslashes_deep($value)
    {
        $value = is_array($value) ?
                    array_map('stripslashes_deep', $value) :
                    stripslashes($value);

        return $value;
    }

    $_POST = array_map('stripslashes_deep', $_POST);
    $_GET = array_map('stripslashes_deep', $_GET);
    $_COOKIE = array_map('stripslashes_deep', $_COOKIE);
}
Do note that there are differences in how they are escaped depending on their level... so, just escaping a value gotten from $_REQUEST will not have the desired effect in all situations.
Ree
Forum Regular
Posts: 592
Joined: Fri Jun 10, 2005 1:43 am
Location: LT

Post by Ree »

Roja wrote:
it seems you can't switch magic_quotes_gpc on/off during runtime
huh ?
The magic_quotes_gpc directive may only be disabled at the system level, and not at runtime. In other words, use of ini_set() is not an option.
http://www.php.net/manual/en/security.m ... abling.php
raghavan20
DevNet Resident
Posts: 1451
Joined: Sat Jun 11, 2005 6:57 am
Location: London, UK

Post by raghavan20 »

Hi Syranide,
I don't really understand what you are doing.
How is it also possible to include a function inside an if block? :roll:
Roja
Tutorials Group
Posts: 2692
Joined: Sun Jan 04, 2004 10:30 pm

Post by Roja »

Ree wrote:
The magic_quotes_gpc directive may only be disabled at the system level, and not at runtime. In other words, use of ini_set() is not an option.
http://www.php.net/manual/en/security.m ... abling.php
If so, why is there a function that does exactly that?
set_magic_quotes_runtime -- Sets the current active configuration setting of magic_quotes_runtime
http://www.php.net/manual/en/function.s ... untime.php
Ree
Forum Regular
Posts: 592
Joined: Fri Jun 10, 2005 1:43 am
Location: LT

Post by Ree »

I think your function works for generated data, but not for incoming data such as $_POST, $_GET.
Syranide
Forum Contributor
Posts: 281
Joined: Fri May 20, 2005 3:16 pm
Location: Sweden

Post by Syranide »

Roja wrote: If so, why is there a function that does exactly that?
set_magic_quotes_runtime -- Sets the current active configuration setting of magic_quotes_runtime
http://www.php.net/manual/en/function.s ... untime.php
Because that is another "magic quotes" thingy, so to speak.
I'm not really all into it, all I know is that, if you don't want to have $_GET etc quoted you should use the method I wrote up there.

And to, uhm, whoever asked: it is possible to have functions inside of scopes. Strange, yes, but quite nifty sometimes, as it allows you to define functions if they don't exist, define the same function with different properties depending on the environment, and so on.
Stewsburntmonkey
Forum Commoner
Posts: 44
Joined: Wed Aug 24, 2005 2:09 pm

Post by Stewsburntmonkey »

Yeah, by the time the script is called magic_quotes has already done its stuff to the $_POST, $_GET arrays and such. :)
nielsene
DevNet Resident
Posts: 1834
Joined: Fri Aug 16, 2002 8:57 am
Location: Watertown, MA

Post by nielsene »

Yeah, the "runtime" version of magic quotes deals with data coming from DBs or other sources, not from the $_REQUEST type sources.
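
Added example (not part of any post in this thread): the posts above say magic_quotes_gpc has already altered $_GET/$_POST before the script starts, which is why the values are stripped first and escaped once at the point of use. The sketch below simulates magic-quoted input with addslashes() on constructed data and shows the double escaping that results when the stripping step is skipped. Assumptions: strip_magic_quotes() and the sample values are hypothetical, and addslashes() only stands in for the database escaping call.

```php
<?php
// Added example, not code from the thread. With magic_quotes_gpc on, every
// GET/POST/COOKIE value is passed through the equivalent of addslashes()
// before the script runs, so the constructed $incoming array below stands in
// for a magic-quoted $_POST.

// Hypothetical helper: undo the quoting on values at every nesting level.
function strip_magic_quotes($value)
{
    return is_array($value)
        ? array_map('strip_magic_quotes', $value)
        : stripslashes($value);
}

// Constructed sample: what the user typed, including a nested array field.
$typed = array(
    'name' => "O'Reilly",
    'tags' => array("it's", 'a "test"'),
);

// What the script would receive with magic quotes on (simulated).
$incoming = array(
    'name' => addslashes($typed['name']),
    'tags' => array_map('addslashes', $typed['tags']),
);

// Failure mode: escaping the already-quoted value again without stripping.
// addslashes() is a stand-in for the database escaping function here.
$double = addslashes($incoming['name']);

// Correct order: strip once at request start, escape once at the point of use.
$clean   = strip_magic_quotes($incoming);
$escaped = addslashes($clean['name']);

echo "received:       ", $incoming['name'], "\n";
echo "double-escaped: ", $double, "\n";
echo "restored input: ", ($clean === $typed ? 'matches what was typed' : 'MISMATCH'), "\n";
echo "escaped once:   ", $escaped, "\n";
```

The double-escaped value would be stored with literal backslashes in it, which is the corruption the strip-then-escape order avoids.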