For some reason, all my quotes are being escaped and displayed as \". Previously, it was okay. Then I looked at phpinfo() and saw that my magic_quotes_gpc is turned on. However, I cannot find the directory /usr/local/lib/ where the php.ini file is, and I cannot edit my .htaccess file (I get a 500 Internal Server Error).

I tried putting this instead on top of my scripts file (which is included in all pages):

if (get_magic_quotes_gpc()) {
    $process = array(&$_GET, &$_POST, &$_COOKIE, &$_REQUEST);
    while (list($key, $val) = each($process)) {
        foreach ($val as $k => $v) {
            unset($process[$key][$k]);
            if (is_array($v)) {
                $process[$key][stripslashes($k)] = $v;
                $process[] = &$process[$key][stripslashes($k)];
            } else {
                $process[$key][stripslashes($k)] = stripslashes($v);
            }
        }
    }
    unset($process);
}

But still, the " and ' on my pages still have the backslashes in them.

What am I doing wrong?

catandmouse
  • Contact or replace your webhost. – SLaks Sep 26 '11 at 15:29
  • The way you make use of variable references/aliasing is not actually doing what you might think. I suggest building something based on the `$GLOBALS` array (which does not need to be referenced at all). But actually the root cause is your misconfigured webhost. Magic quotes GPC enabled is a sign that your webhost has no sense for security. – hakre Sep 26 '11 at 15:30
  • What did you put in your .htaccess file? Also, have you tried `ini_set('magic_quotes_runtime', 0);` – jprofitt Sep 26 '11 at 15:35
  • Pick one of the other examples from http://www.php.net/manual/en/security.magicquotes.disabling.php#91653 and ensure that it's really the first thing invoked in your php scripts. – mario Sep 26 '11 at 15:39
  • You've created references to the arrays, but your loops are not using references for the keys they're producing, so you're unescaping COPIES of the data and not the original data. – Marc B Sep 26 '11 at 15:42
  • @jprofitt I tried both php_value magic_quotes_gpc off and php_flag magic_quotes_gpc off as another line. Where do I put ini_set('magic_quotes_runtime', 0); ? – catandmouse Sep 26 '11 at 15:47
  • @mario I tried all and yes, it's the first thing invoked in my scripts. Still, to no avail. :( – catandmouse Sep 26 '11 at 15:54
  • You can just put it in your code. I'd suggest at the start of it, most likely where you put this block. It might not work if the server has PHP configured in a certain way, though. – jprofitt Sep 26 '11 at 16:17
  • My problem is fixed now. I contacted my host and they turned off magic_quotes_runtime and magic_quotes_gpc for me. Well, I guess, I chose an unreliable hosting service but since my site is just a 'playground', it will do for now. Thanks for all the help. – catandmouse Sep 26 '11 at 16:30

2 Answers

Give this code a try, it's worked for me in the past.

<?php
if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
    $quotes_sybase = strtolower(ini_get('magic_quotes_sybase'));
    $unescape_function = (empty($quotes_sybase) || $quotes_sybase === 'off') ? 'stripslashes($value)' : 'str_replace("\'\'","\'",$value)';
    $stripslashes_deep = create_function('&$value, $fn', '
        if (is_string($value)) {
            $value = ' . $unescape_function . ';
        } else if (is_array($value)) {
            foreach ($value as &$v) $fn($v, $fn);
        }
    ');

    // Unescape data
    $stripslashes_deep($_POST, $stripslashes_deep);
    $stripslashes_deep($_GET, $stripslashes_deep);
    $stripslashes_deep($_COOKIE, $stripslashes_deep);
    $stripslashes_deep($_REQUEST, $stripslashes_deep);
}
Nexerus
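
A value-returning variant of the unescaping pass discussed above, as an added example that is not part of the original posts or the PHP manual: `undo_magic_quotes()` is a hypothetical helper that returns a cleaned copy instead of working through references, and unescapes array keys as well as values. The sample array is constructed, so the checks at the end run whether or not magic quotes are enabled.

```php
<?php
// Added example (hypothetical helper name); PHP 5.3+ syntax.

// Return a copy of $data with magic-quotes escaping removed from every
// string key and string value, at any nesting depth.
// $sybase = true mirrors magic_quotes_sybase, where ' is doubled to ''.
function undo_magic_quotes($data, $sybase = false)
{
    if (is_string($data)) {
        return $sybase ? str_replace("''", "'", $data) : stripslashes($data);
    }
    if (!is_array($data)) {
        return $data; // non-string scalars and null carry no escaping
    }
    $clean = array();
    foreach ($data as $key => $value) {
        $cleanKey = is_string($key) ? undo_magic_quotes($key, $sybase) : $key;
        $clean[$cleanKey] = undo_magic_quotes($value, $sybase);
    }
    return $clean;
}

// Apply once, before any other code reads the request arrays.
if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
    $mode = strtolower((string) ini_get('magic_quotes_sybase'));
    $sybase = !($mode === '' || $mode === '0' || $mode === 'off');
    $_GET = undo_magic_quotes($_GET, $sybase);
    $_POST = undo_magic_quotes($_POST, $sybase);
    $_COOKIE = undo_magic_quotes($_COOKIE, $sybase);
    $_REQUEST = undo_magic_quotes($_REQUEST, $sybase);
}

// Constructed sample shaped like escaped request data (assumes keys are
// escaped as well as values, which is what the question's code handles).
$escaped = array(
    'name' => 'O\\\'Reilly',                      // O\'Reilly
    'tags' => array('say \\"hi\\"' => 'a\\\\b'),  // say \"hi\" => a\\b
);
$expected = array(
    'name' => "O'Reilly",
    'tags' => array('say "hi"' => 'a\\b'),
);

var_dump(undo_magic_quotes($escaped) === $expected);
var_dump(undo_magic_quotes(array("it''s"), true) === array("it's"));
```

Unescaping only restores the submitted bytes; any value that later reaches a SQL query or HTML output still needs escaping or parameter binding for that context.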

Which PHP-version do you use?

If you use a version larger than 5.2, then you can use filter_input() or filter_input_array(). It seems that it ignores the setting of the magic_quotes_gpc directive and uses the raw data (the default filter is FILTER_UNSAFE_RAW).

Edward
R_User