4

By looking at the name of this directive one may think that magic_quotes are only applied to $_GET, $_POST and $_COOKIE superglobals but there is one perturbing comment on the PHP Manual:

Please note, that when magic_quotes_gpc is set not only $_POST, $_GET, $_REQUEST, $_COOKIE arrays values are slashed. Actually every string value in $GLOBALS array is slashed, ie. $GLOBALS['_SERVER']['PATH_INFO'] (or $_SERVER['PATH_INFO']).

Can anyone confirm that this is true? Are the superglobals $GLOBALS, $_SERVER, $_FILES, $_SESSION and $_ENV affected as well?

One more question, if I iterate stripslashes() over the $_GET, $_POST and $_COOKIE arrays do I also need to iterate through the $_REQUEST array? Or are the changes automatically reflected?

Bernhard Barker
  • 54,589
  • 14
  • 104
  • 138
Alix Axel
  • 151,645
  • 95
  • 393
  • 500
  • Why the down-vote? It's a perfectly legitimate question... – Alix Axel Jan 07 '10 at 22:36
  • I recommend you just test it yourself. Should be quite easy. Also, try to see if you can disable magic_quotes in php settings or a .htaccess file. Much easier. – Joel L Jan 07 '10 at 22:40
  • 1
    To rely on magic_quotes and addslashes and stripslashes is a serious flaw in security. I always turn of magic quotes. If I can't eg. I don't have control over the installation my scripts detect it and die. use the correct function for the job, filter all input from all user accessible inputs, eg. use mysql_real_escape_string for variables passed to mysql or use prepared statements or better yet stored procedures. – DeveloperChris Jan 08 '10 at 00:25

2 Answers2

2

I've run some tests on LightTPD 1.4.20 and PHP 5.3.0 with magic_quotes_gpc = On and $_SERVER wasn't altered (at least [SERVER_NAME] => local'host didn't). $_SESSION also isn't affected by magic_quotes.

$_GET, $_POST, $_COOKIE and $_REQUEST were affected (and their $GLOBALS counterparts).

Also, the changes in the GPC superglobals aren't automatically reflected in $_REQUEST.

As for the $_FILES and $_ENV superglobals I'm not able to test them ATM.

I've finally ran this test and, to my surprise, both $_FILES and php://input are affected.

Alix Axel
  • 151,645
  • 95
  • 393
  • 500
2

Either way i'd advise you not to rely on GPC as it has been deprecated on newer PHP versions...

It may not be too relevant for your question but on the raised issue of SQL security alternatives i usually use prepared statements + mysql_real_escape_string for MySQL.

To make it close to perfect it involves a couple of functions as it also should support integer, boolean and null values but you can take a look at the source code on the Database and Database_mysql classes on NaturePhp .

Carlos Ouro
  • 565
  • 6
  • 16
  • I'm not relying on magic_quotes, I'm just working around them **iff** magic_quotes_gpc exists **and** is on. You got it wrong on NaturePHP (you assume every variable passed is coming from GPCR) but it's a nice project nonetheless, congrats. =) – Alix Axel Jan 08 '10 at 23:52
  • Thanx, i'll check it out and correct it for the next version :) – Carlos Ouro Jan 12 '10 at 11:31