With the addslashes attacks around, I really don't see the advantage to set up magic_quotes_on, sad enough, the new version php.ini default set it as on, so some servers may follow that set up too.

And people are taking about how to turn it off if the server set up is on.

PHP manual said let .htaccess not run time php codes do the work to change the magic_quotes_gpc set up to reduce the strain of the site.

But Apache said, to allow .htaccess it will increase the strain of the server, so let the run time php codes to be the solution.

Well, Apache will win because server administrator will speak for apache.

Here is the codes I get from the php manual

http://se2.php.net/magic_quotes/

Is this the best/comprehensive codes?

Imagine we have to add it to many pages of the php web site, just to do the damage control of the magic_quotes_gpc. Except the performance issues, is this code covering all the problems? Any missings here?

<?php
//Prevent Magic Quotes from affecting scripts, regardless of server settings

//Make sure when reading file data,
//PHP doesn't "magically" mangle backslashes!
set_magic_quotes_runtime(FALSE);

if (get_magic_quotes_gpc()) {
/
All these global variables are slash-encoded by default,
because magic_quotes_gpc is set by default!
(And magic_quotes_gpc affects more than just $GET, $POST, and $COOKIE)
/
$SERVER = stripslashes_array($SERVER);
$GET = stripslashes_array($GET);
$POST = stripslashes_array($POST);
$COOKIE = stripslashes_array($COOKIE);
$FILES = stripslashes_array($FILES);
$ENV = stripslashes_array($ENV);
$REQUEST = stripslashes_array($REQUEST);
$HTTP_SERVER_VARS = stripslashes_array($HTTP_SERVER_VARS);
$HTTP_GET_VARS = stripslashes_array($HTTP_GET_VARS);
$HTTP_POST_VARS = stripslashes_array($HTTP_POST_VARS);
$HTTP_COOKIE_VARS = stripslashes_array($HTTP_COOKIE_VARS);
$HTTP_POST_FILES = stripslashes_array($HTTP_POST_FILES);
$HTTP_ENV_VARS = stripslashes_array($HTTP_ENV_VARS);
if (isset($SESSION)) { #These are unconfirmed (?)
$SESSION = stripslashes_array($SESSION, '');
$HTTP_SESSION_VARS = stripslashes_array($HTTP_SESSION_VARS, '');
}
/
The $GLOBALS array is also slash-encoded, but when all the above are
changed, $GLOBALS is updated to reflect those changes. (Therefore
$GLOBALS should never be modified directly). $GLOBALS also contains
infinite recursion, so it's dangerous...
/
}

function stripslashes_array($data) {
if (is_array($data)){
foreach ($data as $key => $value){
$data[$key] = stripslashes_array($value);
}
return $data;
}else{
return stripslashes($data);
}
}
?>

    Turning of magic_quotes in php.ini is the solution.

    You could do it in httpd.conf (or another Apache config), or .htaccess too.

    Allowing .htaccess adds a TINY bit of extra work for Apache, which is significant if you're serving FLAT files on an extremely high performance, low spec server. But it makes very little difference to PHP, because running PHP scripts takes a lot longer (and a lot more system calls) in any case, so the overhead of .htaccess is easily outweighed.

    Turning off magic_quotes at runtime in PHP is basically impossible, the best you can do is to try to undo their damage - which is kludgy and error-prone.

    I use

    if (ini_get('magic_quotes_gpc')) {
  user_error("Turn magic quotes off now, idiot!", E_USER_ERROR);
  exit;
}

    To prevent possible data corruption if magic quotes were accidentally left on.

    Mark

      It is hosted on the server I cannot control. And the server administrator doesn't want to trun it off at this moment. They may already have current clients using magic_quotes_gpc on set up. Their hands might be tied.

      The server administrator is considering to turn the magic_quotes_gpc off, but may have hard time to do so if they have old clients already use the magic_quotes_gpc on set up. Also the server administration doesn't want to grant using .htaccess for the hosting sites too.

      But the server administrator suggest that I can use the codes above to achieve the goal which is same as turn the magic_quotes_gpc off. But first, I have to add these codes in every page needed. Second, these codes itself also added extra works for the server. It might be better and easier either to allow .htaccess?

        how about adding the line "php_flag magic_quotes_gpc off" to in virtual host blocks of apache configuration file instead of .htaccess?

        I know the .htaccess is the best solution, just in case the server administrator is not willing to grant AllowOverride to allow .htaccess but willing to insert this line the virutal host block for us, will that be a solution?

        In php manual, a post said, when you add this line in the virtual host blocks of one site, it affects other virtual host blocks set up even the other blocks not have this line in. Is that true?

          Write a Reply...