9

I'm writing a set of PHP scripts that'll be run in some different setups, some of them shared hosting with magic quotes on (the horror). Without the ability to control PHP or Apache configuration, can I do anything in my scripts to disable PHP quotes at runtime?

It'd be better if the code didn't assume magic quotes are on, so that I can use the same scripts on different hosts that might or might not have magic quotes.

Adam Acheron

5 Answers

15

Only magic_quotes_runtime can be disabled at runtime. But magic_quotes_gpc can’t be disabled at runtime (PHP_INI_ALL changeable until PHP 4.2.3, since then PHP_INI_PERDIR); you can only remove them:

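```php
// Only undo the quoting when the host actually applied it.
if (get_magic_quotes_gpc()) {
    // Work queue of references to the superglobals; nested arrays are appended below.
    $process = array(&$_GET, &$_POST, &$_COOKIE, &$_REQUEST);
    while (list($key, $val) = each($process)) {
        foreach ($val as $k => $v) {
            // Drop the entry under its quoted key and re-add it under the unquoted key.
            unset($process[$key][$k]);
            if (is_array($v)) {
                $process[$key][stripslashes($k)] = $v;
                // Queue the nested array so its keys and values are processed too.
                $process[] = &$process[$key][stripslashes($k)];
            } else {
                $process[$key][stripslashes($k)] = stripslashes($v);
            }
        }
    }
    unset($process);
}
```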

For further information see Disabling Magic Quotes.

Gumbo
  • 2
    I really think this code should also `ini_set('magic_quotes_gpc', false);` in order to prevent another library that was also concerned about stripping input values from removing them again. – gnarf Dec 16 '10 at 22:21
  • 1
    @gnarf: That would be sweet but unfortunately it doesn't work that way, if you try `ini_set('magic_quotes_gpc', 0)` you will get `false` every time since this is only doable in `PHP_INI_PERDIR`. – Alix Axel Apr 21 '11 at 19:50
  • what about if you want some slashes to remain ... such as content entered into a form that includes a fraction: 4/5 ... stripslashes would remove it – dsdsdsdsd Jul 02 '14 at 20:39
  • @dsdsdsdsd `stripslashes` removes backslashes. – Gumbo Jul 03 '14 at 04:10
  • oops ... bad example on my part ... but my point is still good: there may be times when you have intentional backslashes that you don't want stripped out – dsdsdsdsd Jul 03 '14 at 11:51
  • You would only remove the backslashes if they would be added by magic quotes. That's why the code uses `get_magic_quotes_gpc`. – Gumbo Jul 03 '14 at 11:53
  • yep. Magic quotes can only be disabled at system level, NOT at runtime. Use stripslashes as and when needed if you don't have access to the php.ini file. Most shared servers I worked on have magic quotes off. Mostly old servers have them on. Oh well. – A H Bensiali Jul 18 '16 at 09:58
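
The round trip discussed in the comments above, as an added example that is not part of any answer on this page: it strips keys and values recursively only when the host reports magic quotes as on, and checks on constructed input that intentional backslashes survive. `strip_magic_quotes()` and `simulate_magic_quotes()` are hypothetical helper names, and the simulation assumes the host quotes with `addslashes()` semantics (magic_quotes_sybase off).

```php
<?php
// Added example, not code from the answers on this page.
// strip_magic_quotes() and simulate_magic_quotes() are hypothetical helpers.

// Recursively undo one layer of addslashes()-style quoting on keys and values.
function strip_magic_quotes($data)
{
    if (!is_array($data)) {
        return is_string($data) ? stripslashes($data) : $data;
    }
    $clean = array();
    foreach ($data as $key => $value) {
        $key = is_string($key) ? stripslashes($key) : $key;
        $clean[$key] = strip_magic_quotes($value);
    }
    return $clean;
}

// Emulate what magic_quotes_gpc does to incoming data (assumption: plain
// addslashes() on keys and values), so the round trip can be checked anywhere.
function simulate_magic_quotes($data)
{
    if (!is_array($data)) {
        return is_string($data) ? addslashes($data) : $data;
    }
    $quoted = array();
    foreach ($data as $key => $value) {
        $quoted[is_string($key) ? addslashes($key) : $key] = simulate_magic_quotes($value);
    }
    return $quoted;
}

// Strip only when the host really added the quoting. The function_exists()
// guard keeps the script loading on PHP 8, where get_magic_quotes_gpc() is gone.
if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
    $_GET     = strip_magic_quotes($_GET);
    $_POST    = strip_magic_quotes($_POST);
    $_COOKIE  = strip_magic_quotes($_COOKIE);
    $_REQUEST = strip_magic_quotes($_REQUEST);
}

// Constructed sample input: a quote, intentional backslashes, a nested array.
$sent = array(
    'name' => "O'Reilly",
    'path' => 'C:\\temp\\new',
    'tags' => array("it's", '4/5'),
);
$received = simulate_magic_quotes($sent);   // as a magic-quotes host would deliver it
var_dump(strip_magic_quotes($received) === $sent);
```

Run the normalisation once, at the top of the request, so that a second library doing the same thing does not strip a layer of backslashes the user actually typed.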
5

Magic quotes cannot be disabled at runtime, but you can use a .htaccess file in the directory to disable it.

```apache
php_flag magic_quotes_gpc off
```

The only real advantage this has is you can put it once in a directory and it works for the whole directory and subdirectories. Really nice if you need this for an application you didn't write and need to get it to work without magic quotes.

MacAnthony
2

I have a little script for this similar to Gumbo's (but of course I like mine better :):

```php
// magic_quotes_runtime can be switched off at runtime.
if(function_exists('get_magic_quotes_runtime') && get_magic_quotes_runtime())
    set_magic_quotes_runtime(false);

// magic_quotes_gpc cannot, so undo its effect on the request data instead.
if(get_magic_quotes_gpc()) {
    array_stripslashes($_POST);
    array_stripslashes($_GET);
    array_stripslashes($_COOKIE);
}

// Recursively strip slashes from every value of the array, in place.
function array_stripslashes(&$array) {
    if(is_array($array))
        while(list($key) = each($array))
            if(is_array($array[$key]))
                array_stripslashes($array[$key]);
            else
                $array[$key] = stripslashes($array[$key]);
}
```

chaos
  • 1
    Very useful as a temporary solution before the 5.3 update (with default config of this directive). It does not require any other code modifications. Nice. Thank you. – Fanda May 14 '12 at 09:12
  • ... but what about the situation where you are POSTing content that includes slashes that are SUPPOSED to be there, and you don't want them removed? – dsdsdsdsd Jul 02 '14 at 14:01
  • 1
    @dsdsdsdsd: Handled. Slashes are only stripped if magic_quotes_gpc is on, so in your situation the slashes will have been themselves quoted and will be converted back to unquoted slashes by this code. – chaos Jul 03 '14 at 16:30
1

Another solution for PHP 5.3+:

```php
if (get_magic_quotes_gpc() === 1)
{
    $_GET = json_decode(stripslashes(preg_replace('~\\\(?:0|a|b|f|n|r|t|v)~', '\\\$0', json_encode($_GET, JSON_HEX_APOS | JSON_HEX_QUOT))), true);
    $_POST = json_decode(stripslashes(preg_replace('~\\\(?:0|a|b|f|n|r|t|v)~', '\\\$0', json_encode($_POST, JSON_HEX_APOS | JSON_HEX_QUOT))), true);
    $_COOKIE = json_decode(stripslashes(preg_replace('~\\\(?:0|a|b|f|n|r|t|v)~', '\\\$0', json_encode($_COOKIE, JSON_HEX_APOS | JSON_HEX_QUOT))), true);
    $_REQUEST = json_decode(stripslashes(preg_replace('~\\\(?:0|a|b|f|n|r|t|v)~', '\\\$0', json_encode($_REQUEST, JSON_HEX_APOS | JSON_HEX_QUOT))), true);
}
```

Handles keys, values and multi-dimensional arrays.

Alix Axel
  • 1
    This works, but it will also remove the slashes from other escaped characters, such as \r and \n, becoming "r" and "n" in the value. – Brian E Apr 21 '11 at 13:35
  • @Brian E: Thank you for your feedback, you're right - I missed this big detail! – Alix Axel Apr 21 '11 at 14:59
  • @Brian E: I've posted a possible fix in https://github.com/alixaxel/phunction/issues/1#issuecomment-1039664. – Alix Axel Apr 21 '11 at 15:43
0

It cannot be done at runtime :(

user140125