magic_quotes_gpc
Posted: Thu Aug 25, 2005 3:37 am
by Ree
Can I always safely use ini_set() to have magic_quotes_gpc off in all my scripts instead of messing with various corrections depending on magic_quotes_gpc being on or off in php.ini?
EDIT: hmm, it seems you can't switch magic_quotes_gpc on/off during runtime. A pity

Posted: Thu Aug 25, 2005 4:41 am
by Roja
it seems you can't switch magic_quotes_gpc on/off during runtime
huh ?
Code:
    if (get_magic_quotes_gpc())
    {
        ini_set ('magic_quotes_gpc', 0);
    }
    ...
    ini_set ('magic_quotes_sybase', 0);
    set_magic_quotes_runtime (0);
Posted: Thu Aug 25, 2005 5:11 am
by raghavan20
I have seen that most people don't really switch magic quotes; instead, if they find magic quotes is on, they use mysql_real_escape_string to quote the inputs for the SQL string.
ex:
Code:
    function quoteStrings($str){
        if(get_magic_quotes_gpc()){
            $str = stripslashes($str);//strip existing slashes when magic quotes is on
        }
        $str = mysql_real_escape_string($str);//escape the string anyhow
        return $str;//hand the escaped string back to the caller
    }
Posted: Thu Aug 25, 2005 5:29 am
by Syranide
Well that is wrong-wrong.
This is the way it should be done:
Code:
    if (get_magic_quotes_gpc()) {
        function stripslashes_deep($value)
        {
            $value = is_array($value) ?
                array_map('stripslashes_deep', $value) :
                stripslashes($value);
            return $value;
        }
        $_POST = array_map('stripslashes_deep', $_POST);
        $_GET = array_map('stripslashes_deep', $_GET);
        $_COOKIE = array_map('stripslashes_deep', $_COOKIE);
    }
Do note that there are differences in how they are escaped depending on their level... so, just escaping a value gotten from $_REQUEST will not have the desired effect in all situations.
Posted: Thu Aug 25, 2005 5:36 am
by Ree
Roja wrote: it seems you can't switch magic_quotes_gpc on/off during runtime
huh ?
The magic_quotes_gpc directive may only be disabled at the system level, and not at runtime. In other words, use of ini_set() is not an option.
http://www.php.net/manual/en/security.m ... abling.php
Posted: Thu Aug 25, 2005 6:00 am
by raghavan20
Hi Syranide,
I don't really understand what you are doing.
How is it also possible to include a function inside an if block?

Posted: Thu Aug 25, 2005 6:31 am
by Roja
If so, why is there a function that does exactly that?
set_magic_quotes_runtime -- Sets the current active configuration setting of magic_quotes_runtime
http://www.php.net/manual/en/function.s ... untime.php
Posted: Thu Aug 25, 2005 7:24 am
by Ree
I think your function works for generated data, but not for incoming data such as $_POST, $_GET.
Posted: Thu Aug 25, 2005 9:17 am
by Syranide
Because that is another "magic quotes" thingy, so to speak.
I'm not really all into it, all I know is that, if you don't want to have $_GET etc quoted you should use the method I wrote up there.
And to, uhm, whoever asked: it is possible to have functions inside of scopes. Strange, yes, quite nifty sometimes however, as it allows you to define functions if they don't exist, define the same function with different properties depending on the environment, and so on.
Posted: Thu Aug 25, 2005 10:54 am
by Stewsburntmonkey
Yeah, by the time the script is called magic_quotes has already done its stuff to the $_POST, $_GET arrays and such.

Posted: Thu Aug 25, 2005 10:58 am
by nielsene
Yeah, the "runtime" version of magic quotes deals with data coming from DBs or other sources, not from the $_REQUEST type sources.
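
The point the thread arrives at, as an added example that is not part of any post: request data has already been escaped before the script runs, so escaping it again without stripping first stores literal backslashes. Magic quotes are simulated with addslashes() on constructed input, and sql_escape() is a hypothetical stand-in for mysql_real_escape_string(), which needs a database connection.

```php
<?php
// Added example, not code from the thread. Magic quotes are simulated
// so the script runs with or without the real directive.

// Recursively undo magic_quotes_gpc escaping (same idea as the
// stripslashes_deep() posted above).
function stripslashes_deep($value)
{
    return is_array($value)
        ? array_map('stripslashes_deep', $value)
        : stripslashes($value);
}

// Assumption: mimics what PHP does to $_GET/$_POST/$_COOKIE values
// before the script starts when magic_quotes_gpc is on.
function simulate_magic_quotes($value)
{
    return is_array($value)
        ? array_map('simulate_magic_quotes', $value)
        : addslashes($value);
}

// Hypothetical stand-in for the driver's escape function; used here
// only to make the double escaping visible without a database.
function sql_escape($str)
{
    return addslashes($str);
}

// Constructed sample input: what the user actually typed.
$typed = array(
    'author' => "O'Reilly",
    'tags'   => array('C:\\temp', 'say "hi"'),
);

// What the script would find in $_POST with magic quotes on.
$received = simulate_magic_quotes($typed);

// Escaping already-quoted data: the backslash itself gets escaped,
// so the stored value keeps a literal backslash.
$double = sql_escape($received['author']);

// Normalise once at startup (only when get_magic_quotes_gpc() reports
// the directive is on), then escape once at the query.
$clean  = stripslashes_deep($received);
$single = sql_escape($clean['author']);

printf("received: %s\ndouble:   %s\nsingle:   %s\n",
       $received['author'], $double, $single);
var_dump($clean === $typed); // compares normalised input with what was typed
```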