you may be dealing with a legacy codebase that wouldn’t survive just turning it off. By using a class to retrieve and sanitize the values you can ensure that all globals are being safely managed, and then make the change.
I’m gonna disagree with you Paul
The question is how to disable magic quotes. This is a server directive, if it can’t be disabled there, then the next best thing is to disable it in a boot script - at the entry point, not all over your classes/functions. That is, it needs to be disabled, not disabled sometimes, disabled full stop.
How would you suggest that the OP manages global variables in his existing code so that they will continue to work properly as he migrates from 5.2, to 5.3, and to 6.0. I believe that is what the OP is asking about.
function strip_slashes_recursive(&$value) {
if (!is_array($value)) {
$value = strip_slashes($value);
} else {
foreach (array_keys($value) as $key) {
$arrayValue = strip_slashes_recursive($value[$key]);
unset($value[$key]);
$value[strip_slashes($key)] = $arrayValue;
}
}
}
foreach (array(&$_GET, &$_POST, &$_COOKIE, &$_REQUEST) as &$array) {
strip_slashes_recursive($array);
}
// don't forget to unset references or it can lead to very nasty bugs
unset($array);
On my personal server, sure, I can turn magic quotes off. On other servers…no, I wouldn’t have access to it.
Without turning the code into spaghetti, I was looking for a one-shot solution to effectively neutralize magic quotes for the entire script if it was turned on.
I did find this code splice…but it doesn’t actually remove the slashes when included before any $_POST work. I’m guessing the concept works, but the actual example code doesn’t:
//if magic quotes is on, remove the slashes it adds to input
if (get_magic_quotes_gpc()) {
foreach (array('_GET', '_POST', '_COOKIE', '_REQUEST') as $src) {
foreach ($$src as $key => $val) {
$$src[$key] = stripslashes($val);
}
}
}
My reading of the original post is that he wants a way to “handle detection for magic_quotes_gpc in 5.2.x and remove the extra slashes from input” in a way that will also “work for 5.3.x and 6.x”
He’s after a coding technique that will work across 5.2, 5.3 and into 6.0
If you still think otherwise Hash, further confirmation from Force Flow is always an option.
; Magic quotes
;
; Magic quotes for incoming GET/POST/Cookie data.
magic_quotes_gpc = Off
; Magic quotes for runtime-generated data, e.g. data from SQL, from exec(), etc.
magic_quotes_runtime = Off
; Use Sybase-style magic quotes (escape ' with '' instead of \\').
magic_quotes_sybase = Off
can’t do that?
2. htaccess
php_flag magic_quotes_gpc Off
can’t do that?
3. Use this code at the start of your script
if(ini_get('magic_quotes_gpc') {
// will be empty string if this directive does not exist
// or true/false if it does
// either way false if it is disabled
how to get rid of it in any php version? use the code posted on the php manual page
Yes, the code provided there does work…I just tried it.
One thing I noticed through looking at these code examples…some of the examples remove the slashes from the keys…if that’s what you’re supposed to do, would this also work?
It seems to me that this method might be a little more efficient than the other block of code. Or is there a reason not to do it this way? (remember, I don’t care about PHP4, so a PHP5-only technique will fit the bill too)
The above server-side code works on 5.2, but as the Deprecated features in PHP 5.3.x page says, the use of magic_quotes_gpc, magic_quotes_runtime or magic_quotes_sybase in 5.3 will throw a deprecated error on startup.
it seems that each version has different acceptable ways of disabling magic quotes.
5.2 - ini directives, .htaccess and code
6.0 - .htaccess? or historical code, otherwise no issue
Is 5.3 where you would use just .htaccess followed up if not possible by code?