  1. #1
    DR_LaRRY_PEpPeR

    magic_quotes stuff

    ugh, i hate these magic_quotes in PHP! i wish they didn't exist. if *I* want ', ", and \ escaped i'll use addslashes! i want to know how you guys handle them.

    i would like my scripts to run the same regardless of if PHP has magic_quotes on or off. i figured i could use stripslashes on everything first, but if magic_quotes was off and someone submitted something with \\' in it, the \ would be removed, right? so that's out.

    i would like magic_quotes to be off, but there's nothing i can set in the PHP script b/c it's my understanding that magic_quotes does its thing before the script runs, correct?

    it seems that i can use php_value magic_quotes_gpc 0 in .htaccess to disable it, but that concerns me in case i wouldn't have access to .htaccess ever. then my scripts would be messed up and i'd have to change em.

    i just want some advice about how you guys handle this while keeping your scripts as elegant and efficient as possible cuz i need to know how to write mine. how do scripts like VBulletin or phpBB etc. - things that will be run in all kinds of environments - handle this?

    EDIT -> WHOA i just noticed that if i type a \ followed by a ' only the ' shows up! i had to type 2 \ and then the ' to get it to show up w/ 1 backslash! so that must be something going on with add/stripslashes in VB, huh?
    Last edited by DR_LaRRY_PEpPeR; Jul 3, 2001 at 16:38.

  2. #2
    freakysid
    I've never used it, but the manual mentions the function:
    set_magic_quotes_runtime()
    http://php.net/manual/en/function.se...es-runtime.php

    There are some interesting user comments here:
    http://php.net/manual/en/function.ge...es-runtime.php

    I don't think that magic_quotes_runtime is officially deprecated, but it should be. Quite a pain in the bum. Sorry I can't tell you what the deal is with vBulletin but others will know.

  3. #3
    DR_LaRRY_PEpPeR
    thanks freaky but i'm talking about magic_quotes_gpc not magic_quotes_runtime. i guess i wasn't clear in my post. runtime is for runtime generated data like from MySQL or something. i already have that off and so does the host i think i'll have (HostRocket). according to comments on the PHP site, it's old and shouldn't be on anyway, and may be removed. so i don't have to worry about magic_quotes_runtime.

    i've looked into this some more and decided that i'm either going to have to make my own functions like my_addslashes or my_stripslashes where i can check the value of get_magic_quotes_gpc and decide whether i need to run add/stripslashes. OR i can just put php_value magic_quotes_gpc 0 in .htaccess and if i ever change to a host that doesn't allow an .htaccess i'll just have to change my code.

    i ASSUME HostRocket will let me change these PHP values since they have AllowOverride Options in Apache. unless there's some way a host can let you change some things but not PHP values?

    as far as how do these forums do it - well i was looking at the code for phpBB and VB prob is doing the same thing - they're always using addslashes when they insert data into the DB and stripslashes when it comes out. i don't think i like that b/c it seems to cause problems if someone types something that stripslashes wants to strip (i.e. \\'). <-- perfect example there, i had to type 2 backslashes to get that to show up right in VB!

    well, i think i'll get it figured out ok.

  4. #4
    jumpthru
    That shouldn't be a problem though if you always addslashes before you ever stripslashes.

    I am just starting to run into all these problems myself in a major script I am writing. And my gosh, magic_quotes is the biggest pain ever!

    I have finally decided to go the route that vBulletin takes and just add

    php_value magic_quotes_gpc 0

    to the .htaccess and force magic_quotes off. vBulletin won't run right if its magic_quotes isn't off and my script will just be the same. For it to run correctly magic_quotes *must* be off.

    I could do the whole custom add/strip functions, but the problem with that is that it gets really confusing if you wanted custom ones to begin with, cause then if you detect it you have to strip, then run the custom one. And you also have to remember whether the variable in question came from a GPC.

    So that's why I decided to go the *must* be off route.

    I finally realise what the big fuss of why magic_quotes is such a pain. At first I thought it was really cool, but once I started improving my coding style and writing bigger and bigger scripts I am now just seeing what a pain in the butt it is.

  5. #5
    jumpthru
    I finally have a solution to the stupid magic_quotes problem and it works perfectly:

    Background: I put a .htaccess file in the root of my script directory that reads php_value magic_quotes_gpc 0

    Okay, so I just went through every single page in my script, and went through each page line by line and added addslashes and htmlspecialchars functions appropriately.

    WORKS PERFECTLY

    I LOVE having total control over when my data is modified.

    Plus, to make sure the script isn't run without having magic_quotes turned off, either by the php.ini file or the .htaccess file, I have added the following lines to the top of common.php (which gets included on every page).

    Code:
    //Check magic quotes
    if (get_magic_quotes_gpc()!=0) {
    	echo('<pre>Magic quotes must be turned off.</pre>');
    	exit();
    }
    If magic quotes is turned on, the script exits and tells why.

    So anyways, this is my story on how I bypassed the dumb feature of magic quotes, and I just want to repeat, it's now working perfectly.

    PS, the reason I am so excited was I was totally freaking out when I started running into and finally seeing the problems with magic quotes. I was so scared in fact, I was thinking this could be a serious enough problem that it might ultimately make me unable to finish the project.
    Last edited by jumpthru; Aug 26, 2001 at 00:50.
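
Added example (not part of any post in this thread, and not code from vBulletin or phpBB): one way to write the check-then-strip wrapper discussed in posts #3 and #4, so a script sees the same input whether magic_quotes_gpc is on or off. The function names and the sample input are made up for illustration.

```php
<?php
// Added example; undo_magic_quotes(), magic_quotes_active() and
// normalize_input() are hypothetical names, not from the thread.

// Remove one layer of magic_quotes_gpc escaping. Arrays (form fields
// named like item[]) are handled recursively; only values are touched.
function undo_magic_quotes($value)
{
    if (is_array($value)) {
        return array_map('undo_magic_quotes', $value);
    }
    return is_string($value) ? stripslashes($value) : $value;
}

// True only when this PHP build still has magic_quotes_gpc and it is on.
// function_exists() covers PHP versions without get_magic_quotes_gpc().
function magic_quotes_active()
{
    return function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc();
}

// Return $input as the user typed it. $quotes_on is a parameter so both
// server configurations can be exercised below without changing php.ini.
function normalize_input($input, $quotes_on)
{
    return $quotes_on ? undo_magic_quotes($input) : $input;
}

// Constructed sample: the user typed a backslash followed by a quote.
$typed = array('comment' => "it\\'s", 'tags' => array("a\\b"));

// What the script receives with magic_quotes_gpc on, and with it off.
$received_on  = array('comment' => addslashes($typed['comment']),
                      'tags'    => array_map('addslashes', $typed['tags']));
$received_off = $typed;

// Both configurations normalise back to what was typed.
var_dump(normalize_input($received_on, true) === $typed);
var_dump(normalize_input($received_off, false) === $typed);

// Stripping unconditionally (the idea rejected in post #1) eats
// backslashes the user really typed when magic quotes are off.
var_dump(undo_magic_quotes($received_off) === $typed);

// In a shared include, normalise the real request once, e.g.:
// $_POST = normalize_input($_POST, magic_quotes_active());
```

After this step the script holds raw input, and escaping is applied only where the data is used, as post #5 describes.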

  6. #6
    DR_LaRRY_PEpPeR
    yep jumpthru, that's basically what i'm doing too.