magic_quotes_gpc
Can I always safely use ini_set() to have magic_quotes_gpc off in all my scripts instead of messing with various corrections depending on magic_quotes_gpc being on or off in php.ini?
EDIT: hmm, it seems you can't switch magic_quotes_gpc on/off during runtime. A pity
Quote: it seems you can't switch magic_quotes_gpc on/off during runtime
huh?
Code:
    if (get_magic_quotes_gpc())
    {
        ini_set ('magic_quotes_gpc', 0);
    }
    ...
    ini_set ('magic_quotes_sybase', 0);
    set_magic_quotes_runtime (0);
- raghavan20
I have seen that most people don't really switch magic quotes; instead, if they find magic quotes is on, they use mysql_real_escape_string to quote the inputs for the SQL string.
ex:
Code:
    function quoteStrings($str){
        if(get_magic_quotes_gpc()){
            $str = stripslashes($str); // strip existing slashes when magic quotes is on
        }
        $str = mysql_real_escape_string($str); // escape the string anyhow
        return $str; // hand the escaped string back to the caller
    }
Well that is wrong-wrong.
Do note that there are differences in how they are escaped depending on their level... so, just escaping a value gotten from $_REQUEST will not have the desired effect in all situations.
This is the way it should be done:
Code:
    if (get_magic_quotes_gpc()) {
        // Strip slashes from a value, recursing into nested arrays
        function stripslashes_deep($value)
        {
            $value = is_array($value) ?
                array_map('stripslashes_deep', $value) :
                stripslashes($value);
            return $value;
        }
        // Undo magic quotes on every request superglobal
        $_POST = array_map('stripslashes_deep', $_POST);
        $_GET = array_map('stripslashes_deep', $_GET);
        $_COOKIE = array_map('stripslashes_deep', $_COOKIE);
    }
Roja wrote: huh? it seems you can't switch magic_quotes_gpc on/off during runtime
http://www.php.net/manual/en/security.m ... abling.php
The magic_quotes_gpc directive may only be disabled at the system level, and not at runtime. In other words, use of ini_set() is not an option.
- raghavan20
Ree wrote: http://www.php.net/manual/en/security.m ... abling.php The magic_quotes_gpc directive may only be disabled at the system level, and not at runtime. In other words, use of ini_set() is not an option.
If so, why is there a function that does exactly that?
http://www.php.net/manual/en/function.s ... untime.php
set_magic_quotes_runtime -- Sets the current active configuration setting of magic_quotes_runtime
Roja wrote: If so, why is there a function that does exactly that? http://www.php.net/manual/en/function.s ... untime.php set_magic_quotes_runtime -- Sets the current active configuration setting of magic_quotes_runtime
Because that is another "magic quotes" thingy, so to speak.
I'm not really all into it, all I know is that, if you don't want to have $_GET etc quoted you should use the method I wrote up there.
And to, uhm, whoever asked, it is possible to have functions inside of scopes. Strange, yes, but quite nifty sometimes, as it allows you to define functions if they don't exist, define the same function with different properties depending on the environment, and so on.
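An added example, not code from any poster in this thread: it runs the pipeline the thread converges on (undo magic quotes once on the request data, then quote only at the SQL boundary) and shows what gets stored when the stripping step is skipped. It swaps the thread's mysql_real_escape_string for PDO bound parameters so it runs offline against an in-memory SQLite database; the function names, the users table and the sample input are assumptions made for the illustration.

```php
<?php
// Added example; function and variable names are hypothetical.

// True only where magic_quotes_gpc still exists and is on. It cannot be
// changed with ini_set(), and get_magic_quotes_gpc() is gone in PHP 8.
function magic_quotes_on()
{
    return function_exists('get_magic_quotes_gpc') && @get_magic_quotes_gpc();
}

// Undo magic quotes on a request array, recursing into nested fields.
function undo_magic_quotes(array $data)
{
    foreach ($data as $key => $value) {
        $data[$key] = is_array($value)
            ? undo_magic_quotes($value)
            : stripslashes($value);
    }
    return $data;
}

// Store one value through a bound parameter and read it back.
function store_and_fetch(PDO $db, $name)
{
    $db->exec('DELETE FROM users');
    $insert = $db->prepare('INSERT INTO users (name) VALUES (:name)');
    $insert->execute(array(':name' => $name));
    return $db->query('SELECT name FROM users')->fetchColumn();
}

// Constructed sample: $_POST as magic_quotes_gpc = On would deliver it
// for the submitted name O'Reilly and two tags[] values.
$rawPost = array(
    'name' => 'O\\\'Reilly',
    'tags' => array('it\\\'s', 'plain'),
);

$db = new PDO('sqlite::memory:'); // assumes the pdo_sqlite extension is loaded
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (name TEXT)');

// On a live request the check decides whether stripping is needed at all.
$live = magic_quotes_on() ? undo_magic_quotes($_POST) : $_POST;
$post = undo_magic_quotes($rawPost); // the sample is always "quoted"

var_dump(store_and_fetch($db, $rawPost['name'])); // raw: the added backslash is stored
var_dump(store_and_fetch($db, $post['name']));    // stripped first: the name as typed
var_dump($post['tags']);                          // nested values are stripped too
```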