when do magic quotes get applied?

sneakyimp

and also, is it meaningful to do an ini_set for magic quotes? if you do an ini_set for magic quotes, how long does that setting change apply? for the session? for the duration of the current script?

seems to me that the if the magic quotes get applied before the PHP of a given page runs, it's meaningless to turn off magic quotes.

drew010

magic quotes gpc gets applied when form data comes in from a get, post, or cookie request. magic quotes runtime will escape all special characters contained in data coming from an external data source such as a mysql query, or from reading contents of a text file.

if you use ini_set, the change only applies for the lifetime of the script.

sneakyimp

i'm still confused...

when you say magic_quotes gets applied at runtime, i'm assuming this means BEFORE my script executes. in other words of myscript.php gets some variables POSTed to it, they are going to have magic quotes applied before myscript.php ever gets a chance to work with them....so this is stupid and useless:

/* myscript.php /*

ini_set("magic_quotes", 0);

// now i start running all kinds of database queries on my POST
// variables and maybe even doing some EVAL stuff
// which would be very unsafe if there were no magic quotes blah
// blah blah

that's the essence of my question....are magic_quotes applied to anything besides your POST and GET variables? like session variables and stuff? the only things i can think of are things that pass variables BETWEEN php scripts...which means that trying to set magic_quotes to anything is completely useless because it's all applied before your script runs and the setting is only valid as long as your current script is running.

know what i mean?

drew010

yeah magic_quotes_runtime will only apply to GET and POST requests, plus cookies.
if you use magic_quotes_runtime it doesnt necessarily quote everything when the ini_set is executed, but it says "throughout the rest of the script, if we receive any data from an external source, escape all the special characters"
so its not completely useless.

runtime refers to the entire time your script is running, not when it first executes.

laserlight

is it meaningful to do an ini_set for magic quotes?

To begin with, you cant use [man]ini_set/man to alter the magic_quotes_gpc setting.

EDIT:

are magic_quotes applied to anything besides your POST and GET variables? like session variables and stuff?

It should be applied to all (or perhaps most) environment variables, if I remember correctly, aside from the obvious get, post and cookie.

Not so sure about the case of magic_quotes_runtime

sneakyimp

you guys ROCK. thanks.