From what I have read - as a newbie - Magic Quotes are evil. 🆒

I would like to disable them on my laptop, but am unsure of what I need to do in my php.ini file. Here is the section dealing with Magic Quotes...

; Magic quotes
;

; Magic quotes for incoming GET/POST/Cookie data.
magic_quotes_gpc = On

; Magic quotes for runtime-generated data, e.g. data from SQL, from exec(), etc.
magic_quotes_runtime = Off    

; Use Sybase-style magic quotes (escape ' with '' instead of \').
magic_quotes_sybase = Off

Can someone please explain what all of these lines do?

Thanks,

Amy

    Hello again Amy. 🙂

    In case you haven't read it already, the PHP.net Manual has more up-to-date information about Magic Quotes here: [man]magic_quotes[/man]. It basically explains what it was used for and why it's no longer considered a good solution.

    As for what each option does individually, the comments in the php.ini file explain it in a nutshell. For more information, you can visit the links for each directive in the PHP manual here: [man]ini.list[/man] (just scroll down to the 'magic_quotes_' group).

      bradgrafelman;10915160 wrote:

      Hello again Amy. 🙂

      Hey there!

      In case you haven't read it already, the PHP.net Manual has more up-to-date information about Magic Quotes here: [man]magic_quotes[/man]. It basically explains what it was used for and why it's no longer considered a good solution.

      Okay, thanks for the link.

      As for what each option does individually, the comments in the php.ini file explain it in a nutshell. For more information, you can visit the links for each directive in the PHP manual here: [man]ini.list[/man] (just scroll down to the 'magic_quotes_' group).

      I read that as well as the comments in my php.ini file, but didn't really understand the difference between...

      ; Magic quotes for incoming GET/POST/Cookie data.
      magic_quotes_gpc = On
      
      ; Magic quotes for runtime-generated data, e.g. data from SQL, from exec(), etc.
      magic_quotes_runtime = Off    

      Isn't everything happening at "runtime"?

      I guess magic_quotes_gpc should be set to off; however, I wasn't able to understand the difference between when and where these two lines are being used.

      Amy

        amy.damnit wrote:

        Isn't everything happening at "runtime"?

        No; the GPC data (or data coming from external data) is passed into the PHP script before it begins executing. magic_quotes_gpc intercepts this incoming data and adds the slashes before PHP runs and loads the $_GET, et al. superglobal arrays.

        Once the script is running and you pull data from MySQL (e.g. [man]mysql_fetch_assoc[/man]), magic_quotes_runtime will apparently add slashes to the data being returned before it's passed to the PHP program. I say "apparently" because I've never used magic_quotes_runtime so I'm not 100% sure about what effects it has.

          So it sounds like I should just set magic_quotes_gpc = off and then I'll be free from any issue with Magic Quotes, right?

          Amy

            On your server, yes. The big concern comes when you develop software for distribution; you can't guarantee that every person who downloads your software has come to the same conclusion (or even knows what a magic quote is).

            That's why programmers with portability in mind might check [man]get_magic_quotes_gpc[/man] and deal with the superglobals accordingly. Here's NogDog's solution to this problem:

            NogDog;10914420 wrote:
            <?php
            // code from manual to undo magic_quotes if needed:
            if (get_magic_quotes_gpc()) {
                function stripslashes_deep($value)
                {
                    $value = is_array($value) ?
                                array_map('stripslashes_deep', $value) :
                                stripslashes($value);

                    return $value;
                }

                $_POST = array_map('stripslashes_deep', $_POST);
                $_GET = array_map('stripslashes_deep', $_GET);
                $_COOKIE = array_map('stripslashes_deep', $_COOKIE);
                $_REQUEST = array_map('stripslashes_deep', $_REQUEST);
            }
            ?>
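
An added example, not code from any poster in this thread: it shows why the get_magic_quotes_gpc() check discussed above matters, by comparing conditional and unconditional slash stripping on constructed request data. It assumes a current PHP CLI, where magic quotes no longer exist, so the "On" state is simulated with addslashes(); the names simulate_magic_quotes_gpc, magic_quotes_gpc_enabled and normalise_input are hypothetical.

```php
<?php
// Added example, not code from the thread. Current PHP has no magic quotes,
// so the "On" state is simulated with addslashes(); names are hypothetical.

function simulate_magic_quotes_gpc($value)
{
    return is_array($value)
        ? array_map('simulate_magic_quotes_gpc', $value)
        : addslashes($value);
}

function stripslashes_deep($value)
{
    return is_array($value)
        ? array_map('stripslashes_deep', $value)
        : stripslashes($value);
}

// True only on an old runtime where the directive exists and is enabled.
// function_exists() keeps this from failing where the function was removed.
function magic_quotes_gpc_enabled()
{
    return function_exists('get_magic_quotes_gpc') && @get_magic_quotes_gpc();
}

// Strip slashes only when they were actually added.
function normalise_input(array $data, $quotesOn)
{
    return $quotesOn ? stripslashes_deep($data) : $data;
}

// Constructed sample request data.
$raw = array('name' => "O'Reilly", 'paths' => array('C:\\temp', 'say "hi"'));

// Server A: magic_quotes_gpc = On, so the script receives escaped values.
$onServerA = simulate_magic_quotes_gpc($raw);
echo "received with quotes On : ", $onServerA['name'], "\n";
echo "after normalising       : ", normalise_input($onServerA, true)['name'], "\n";

// Server B: magic_quotes_gpc = Off. Stripping anyway damages real backslashes.
echo "unconditional strip     : ", stripslashes_deep($raw)['paths'][0], "\n";
echo "conditional strip       : ", normalise_input($raw, false)['paths'][0], "\n";

// In a real entry point the flag comes from the runtime, not a literal.
$_POST = normalise_input($_POST, magic_quotes_gpc_enabled());
```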
            