Web студия "GrandView"

The magic_quotes_gpc directive may only be disabled at the system level, and not at runtime. In otherwords, use of ini_set() is not an option.

Пример 31-1. Disabling magic quotes server side

An example that sets the value of these directives to Off in php.ini. For additional details, read the manual section titled How to change configuration settings.

; Magic quotes
;

; Magic quotes for incoming GET/POST/Cookie data.
magic_quotes_gpc = Off

; Magic quotes for runtime-generated data, e.g. data from SQL, from exec(), etc.
magic_quotes_runtime = Off

; Use Sybase-style magic quotes (escape ' with '' instead of \').
magic_quotes_sybase = Off

If access to the server configuration is unavailable, use of .htaccess is also an option. For example:

php_flag magic_quotes_gpc Off

In the interest of writing portable code (code that works in any environment), like if setting at the server level is not possible, here's an example to disable magic_quotes_gpc at runtime. This method is inefficient so it's preferred to instead set the appropriate directives elsewhere.

Пример 31-2. Disabling magic quotes at runtime


<?php

if (get_magic_quotes_gpc()) {

    function stripslashes_deep($value)

    {

        $value = is_array($value) ?

                    array_map('stripslashes_deep', $value) :

                    stripslashes($value);



        return $value;

    }



    $_POST = array_map('stripslashes_deep', $_POST);

    $_GET = array_map('stripslashes_deep', $_GET);

    $_COOKIE = array_map('stripslashes_deep', $_COOKIE);

    $_REQUEST = array_map('stripslashes_deep', $_REQUEST);

}

?>

add a note User Contributed Notes
Disabling Magic Quotes

17-Dec-2006 12:20


PHP's magic quotes function has the strange behavior of not adding slashes to top level keys in GPC key/value pairs but adding the slashes in deeper level keys. To demonstrate, a URI of:



example.php?a'b[c'd]=e'f

produces:

array("a'b" => array("c\'d" => "e\'f"))



The current example for removing magic quotes does not do anything to keys, so after running stripslashes_deep, you would end up with:

array("a'b" => array("c\'d" => "e'f"))



Which, needless to say, is wrong. As if you had magic quotes off, it would have been:

array("a'b" => array("c'd" => "e'f"))



I have written a snippet of code compatible with PHP 4.0.0 and above that handles this correctly:



if (get_magic_quotes_gpc()) {

    function undoMagicQuotes($array, $topLevel=true) {

        $newArray = array();

        foreach($array as $key => $value) {

            if (!$topLevel) {

                $key = stripslashes($key);

            }

            if (is_array($value)) {

                $newArray[$key] = undoMagicQuotes($value, false);

            }

            else {

                $newArray[$key] = stripslashes($value);

            }

        }

        return $newArray;

    }

    $_GET = undoMagicQuotes($_GET);

    $_POST = undoMagicQuotes($_POST);

    $_COOKIE = undoMagicQuotes($_COOKIE);

    $_REQUEST = undoMagicQuotes($_REQUEST);

}

sunrunner20
24-Nov-2006 07:10


If php_flag magic_quotes_gpc off does not work

Use php_value magic_quotes_gpc off

insteadin your .htaccess file

rdk
08-Sep-2006 11:44


The function parse_str() (http://us3.php.net/manual/en/function.parse-str.php) is also affected by magic_quotes_gpc, so if that function is called anywhere, stripslashes_deep won't be sufficient by itself.

dedlfix
20-Aug-2006 05:18


The function stripslashes_deep() ignores slashes in the keys



For example a query string like this: ?foo'bar=baz'bal



Output of var_dump($_GET) is:



array(1) {

  ["foo\'bar"]=>

  string(8) "baz\'bal"

}



after stripslashes_deep():



array(1) {

  ["foo\'bar"]=>

  string(7) "baz'bal"

}



If you want the keys to be stripslashed too, you have to unset() the addslahed key and to add a stripslashed version. But keep in mind that this will change the order of the array.

add a note