5

my hosting server has magic_quotes on . so when i use parse_str, it also add slashes to it. so data gets stored as \\'name .. how do i prevent this.?

Hacker
  • 7,798
  • 19
  • 84
  • 154

2 Answers2

5
// Turn off magic_quotes_runtime
if (get_magic_quotes_runtime())
    set_magic_quotes_runtime(0);

// Strip slashes from GET/POST/COOKIE (if magic_quotes_gpc is enabled)
if (get_magic_quotes_gpc())
{
    function stripslashes_array($array)
    {
        return is_array($array) ? array_map('stripslashes_array', $array) : stripslashes($array);
    }

    $_GET = stripslashes_array($_GET);
    $_POST = stripslashes_array($_POST);
    $_COOKIE = stripslashes_array($_COOKIE);
}
vertazzar
  • 1,053
  • 7
  • 10
  • @vertazzar - This is a work around for the problem. should i do this every time . or i just need to write code,thinking host will have magic quotes off – Hacker Jun 25 '10 at 12:14
  • example, you put this code into config.php and it will strip slashes automatically from get,post, cookie. config.php can contain : e.g. your db connection details etc.. so my point is - that you just need to write the code, nothing special. – vertazzar Jun 25 '10 at 12:16
  • @vertazzar - cant we disable magic quotes in whole project(other then php.ini configuration)? does putting set_magic_quotes_runtime(0); at beginning of my page load take care of it? – Hacker Jun 25 '10 at 12:20
  • but when i see http://php.net/manual/en/function.set-magic-quotes-runtime.php it says its DEPRECATED – Hacker Jun 25 '10 at 12:21
  • that "magic_quotes_runtime" checks if webserver has it, so on new php versions its DEPRECATED. As for disabling get_magic_quotes_gpc - you could, but some discussions say that its not recommended disabling it, so anyways feel free to use the code i provided, i use it and it works like charm! – vertazzar Jun 25 '10 at 12:27
  • @vertazzar - okie.say i use the code if (get_magic_quotes_runtime()) set_magic_quotes_runtime(0); at the very beginning of my page. will this not supress magic quotes. do i still need to use the rest of codes stripslashes_array..no need rite? – Hacker Jun 25 '10 at 12:36
  • 1
    if you've turned off the quotes, you dont need stripslashes_array. but be sure to use mysql_real_escape_string on data when you insert into database to prevent SQL injection attacks. http://en.wikipedia.org/wiki/SQL_injection – vertazzar Jun 25 '10 at 17:35
  • yeah i do that for sure. cannot take risk there :) – Hacker Jun 26 '10 at 06:53
4

Use PHP's stripslashes function. http://php.net/manual/en/function.stripslashes.php

I would also consider turning of magic_quotes on the server. if you can't do that then I would recommend switching hosts

Lizard
  • 43,732
  • 39
  • 106
  • 167