[RESOLVED] Help with Magic Quotes in php.ini

amy_damnit

From what I have read - as a newbie - Magic Quotes are evil. 🆒

I would like to disable them on my laptop, but am unsure of what I need to do in my php.ini file. Here is the section dealing with Magic Quotes...

; Magic quotes
;

; Magic quotes for incoming GET/POST/Cookie data.
magic_quotes_gpc = On

; Magic quotes for runtime-generated data, e.g. data from SQL, from exec(), etc.
magic_quotes_runtime = Off    

; Use Sybase-style magic quotes (escape ' with '' instead of \').
magic_quotes_sybase = Off

Can someone please explain what all of these lines do?

Thanks,

Amy

bradgrafelman

Hello again Amy. 🙂

In case you haven't read it already, the PHP.net Manual has more up-to-date information about Magic Quotes here: [man]magic_quotes[/man]. It basically explains what it was used for and why it's no longer considered a good solution.

As for what each option does individually, the comments in the php.ini file explain it in a nutshell. For more information, you can visit the links for each directive in the PHP manual here: [man]ini.list[/man] (just scroll down to the 'magic_quotes_' group).

amy_damnit

bradgrafelman;10915160 wrote:
Hello again Amy. 🙂

Hey there!

In case you haven't read it already, the PHP.net Manual has more up-to-date information about Magic Quotes here: [man]magic_quotes[/man]. It basically explains what it was used for and why it's no longer considered a good solution.

Okay, thanks for the link.

As for what each option does individually, the comments in the php.ini file explain it in a nutshell. For more information, you can visit the links for each directive in the PHP manual here: [man]ini.list[/man] (just scroll down to the 'magic_quotes_' group).

I read that as well as the comments in my php.ini file, but didn't really undestand the difference between...

; Magic quotes for incoming GET/POST/Cookie data.
magic_quotes_gpc = On

; Magic quotes for runtime-generated data, e.g. data from SQL, from exec(), etc.
magic_quotes_runtime = Off

Isn't everything happening at "runtime"?

I guess magic_quotes_gpc should be set to off however I wasn't able to understand the difference between when and where these two lines are being used.

Amy

bradgrafelman

amy.damnit wrote:
Isn't everything happening at "runtime"?

No; the GPC data (or data coming from external data) is passed into the PHP script before it begins executing. magic_quotes_gpc intercepts this incoming data and adds the slashes before PHP runs and loads the $_GET, et al superglobal arrays.

Once the script is running and you pull data from MySQL (e.g. [man]mysql_fetch_assoc/man), magic_quotes_runtime will apparently add slashes to the data being returned before it's passed to the PHP program. I say "apparently" because I've never used magic_quotes_runtime so I'm not 100% sure about what effects it has.

amy_damnit

So it sounds like I should just set magic_quotes_gpc = off and then I'll be free from any issue with Magic Quotes, right?

Amy

bradgrafelman

On your server, yes. The big concern comes when you develop software for distribution; you can't guarantee that every person who downloads your software has come to the same conclusion (or even knows what a magic quote is).

That's why programmers with portability in mind might check [man]get_magic_quotes_gpc/man and deal with the superglobals accordingly. Here's NogDog's solution to this problem:

NogDog;10914420 wrote:

<?php
// code from manual to undo magic_quotes if needed:
if (get_magic_quotes_gpc()) {
    function stripslashes_deep($value)
    {
        $value = is_array($value) ?
                    array_map('stripslashes_deep', $value) :
                    stripslashes($value);

    return $value;
}

$_POST = array_map('stripslashes_deep', $_POST);
$_GET = array_map('stripslashes_deep', $_GET);
$_COOKIE = array_map('stripslashes_deep', $_COOKIE);
$_REQUEST = array_map('stripslashes_deep', $_REQUEST);
}
?>

amy_damnit

Okay, thanks!

Amy