
Turning off magic quotes


mufka

Dec 18, 2000
Is there a surefire way to turn off magic quotes at runtime? I tried doing it with an .htaccess file and that just caused all php to stop working. I figured I'd look for a runtime method. I've tried the examples in the php manual but none work. Or is there a way to strip the slashes once the post is in a variable?
 
There are two types of magic quotes: magic_quotes_gpc and magic_quotes_runtime.

You cannot turn magic_quotes_gpc off at runtime. To turn the latter off, use

Code:
set_magic_quotes_runtime(0);

To turn off the former, you can:
* edit your master php.ini
* upload a per-directory php.ini (for each directory in which you want to change the setting)
* upload an .htaccess file (again, per directory)
* change the httpd.conf file.

Most ISPs that use CGI or FastCGI will let you upload a local php.ini even though they don't broadcast it. Check the location of the master php.ini file through a call to phpinfo().

 
Putting the following
Code:
set_magic_quotes_runtime(0);
in the script didn't work. No errors, but no change either.

Putting
Code:
magic_quotes_gpc = Off
in my php.ini causes other things to stop working like getting @$HTTP_REFERER. I assume if that stopped working, there might be other things that don't work.
 
I found a way around the problem. Part of my script writes to a database, the other sends an email. The problem was that the slashes were showing up in the email. I think they're still needed for the database. I just put the variable for the message through stripslashes after the db write and before the email send and that worked.
 
Then you need to fix your scripts so that they do not assume that variables have been submitted already escaped. It's really poor coding practice. The authors of php have acknowledged this and have removed the directives and functions from php 6.

As a stopgap you can also cleanse your variables before using them with a function like this.

Code:
function cleanse($var){
 if (get_magic_quotes_gpc()){
  return trim(stripslashes($var));
 }else{
  return trim($var);
 } 
}
 
Is there a difference between using your example and just using
Code:
$var = stripslashes($var);

Should I be manually escaping any variable that gets written to a database? Is that what you mean by not assuming? How would I do that?
 
Yes, you should manually escape variables before writing to a database. Different databases use different escaping other than slashes. For mysql you should use mysql_real_escape_string().

And yes, there is a difference between your code and mine. Mine analyses whether magic_quotes has already been applied.

And by 'not assuming' I mean that you need to turn magic_quotes off and rebuild your script so that it does not make any assumptions about pre-escaped data. Assume that it is your responsibility at every stage to escape data for each particular use.
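A PHP version of the approach the last reply describes (undo magic quotes once, then escape per use), added here as an example that is not from the thread. It generalises the cleanse() function to nested arrays, swaps in mysqli prepared statements for mysql_real_escape_string(), and assumes PHP 7 or later, a mysqli connection, and a `messages` table with a `body` column.

```php
<?php
// Undo magic_quotes_gpc once, at the top of the request, so the rest of the
// script sees raw input. Escaping is then done per use (database, mail)
// instead of assuming the data arrives pre-escaped.

// Recursive, because magic_quotes_gpc also slashed nested arrays such as
// $_POST['item'][0]. Array keys were slashed too; this version leaves them.
function unslash_deep($value) {
    if (is_array($value)) {
        return array_map('unslash_deep', $value);
    }
    return stripslashes($value);
}

// get_magic_quotes_gpc() was deprecated in PHP 7.4 and removed in 8.0, so
// guard the call; on a PHP without it, magic quotes cannot be on.
function magic_quotes_active() {
    return function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc();
}

if (magic_quotes_active()) {
    $_GET    = unslash_deep($_GET);
    $_POST   = unslash_deep($_POST);
    $_COOKIE = unslash_deep($_COOKIE);
}

// From here on, $_POST['message'] holds exactly what the user typed.
$message = trim($_POST['message'] ?? '');

// Use 1, database: bind the value rather than building the SQL string, so no
// quoting of the value is ever needed (connection details are placeholders).
$db   = new mysqli('localhost', 'db_user', 'db_password', 'example_db');
$stmt = $db->prepare('INSERT INTO messages (body) VALUES (?)');
$stmt->bind_param('s', $message);
$stmt->execute();

// Use 2, e-mail: the body goes out unchanged (no slashes to strip, since none
// were added); only header fields need cleaning, because a CR/LF inside the
// subject would let a sender append extra headers such as Bcc:.
$subject = str_replace(["\r", "\n"], ' ', $_POST['subject'] ?? 'Message');
mail('admin@example.com', $subject, $message);
```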
 