1

I'm really confused when I read about the function get_magic_quotes_gpc() in PHP.

Everywhere it's said that the function is deprecated (example).

But what is the default behaviour in PHP 5.3? I used to check if magic_quotes_gpc is on and stripped all slashes if that was the case, right at the beginning of my script for all POST, GET and COOKIE variables, so that I don't get confused.

But if I shouldn't check for added slashes using get_magic_quotes_gpc(), always removing slashes would result in wrong data, if no slashes are added by PHP 5.3.

I have the same confusion with this

At the moment magic_quotes_gpc is on on my server (PHP 5.2.17), so I need to remove the slashes. But how should I handle this to be prepared for future PHP versions?

Can I somehow set the default values in future during the runtime at the beginning of my script? But what are the default values?

Bernhard Barker
R_User

1 Answer

7

The get_magic_quotes_gpc function isn't deprecated, it's the magic_quotes_gpc config setting that's deprecated.

The solution is to not use the magic_quotes_gpc config setting on your own server, but also use get_magic_quotes_gpc if you want to write robust code that will run on servers that do have the deprecated magic_quotes_gpc setting turned on.

In other words:

  • Turn off magic_quotes_gpc in your config.
  • Wherever you currently use stripslashes, change it to only call stripslashes if get_magic_quotes_gpc() == 1.
Dagg Nabbit
  • Unfortunately I don't have write access to the config files at that server. I wrote my own function that checks for magic_quotes_gpc(). But you say that adding slashes is the default behaviour in PHP >5.3? Do you have a reference for that? – R_User Mar 01 '12 at 14:32
  • No, adding slashes is not the default behavior unless `magic_quotes_gpc` is enabled. You don't really need to write your own version of `get_magic_quotes_gpc`, it's not deprecated. – Dagg Nabbit Mar 01 '12 at 14:41
  • I started using the function "filter_input_array()". It seems that this function automatically removes the slashes in the values. I really don't get the Warning text given on http://www.php.net/manual/en/filter.filters.sanitize.php . Is it the default behaviour of sanitize filter to remove the slashes? Why aren't slashes in arrays removed? For example `` gives `name[3][to\"ll]: "` as output. So, for the value the slashes are removed but not for the keys. But I couldn't find a description for this behaviour in the PHP manual,... – R_User Mar 02 '12 at 11:10
  • @Sven I'm not sure, I haven't used the `filter_input` stuff much... I usually filter stuff by type conversion or regex. – Dagg Nabbit Mar 02 '12 at 19:31
  • Though I think one may also need to use stripslashes() on a string that was previously converted with addslashes(). – nightcoder May 17 '13 at 19:51
  • Just spent two hours bughunting, turned out excessive stripslashes() on $_REQUEST was the cause. Your comment was the solution. This should be part of the PHP documentation. – Martijn Aug 16 '13 at 14:15
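
The conditional stripslashes approach from the answer, as an added example that is not code from any poster in this thread. It goes one step beyond the answer: magic quotes were removed in PHP 5.4 and `get_magic_quotes_gpc()` itself was removed in PHP 8.0, so the check is gated on the PHP version. The helper names are hypothetical and the sample input is constructed.

```php
<?php
// Added example: undo magic_quotes_gpc once, at the top of the script.
// Written in PHP 5.2-compatible syntax (no closures, no short arrays).

/** True only when PHP itself added slashes to GET/POST/COOKIE data. */
function gpc_slashes_were_added()
{
    // Short-circuit: on PHP >= 5.4 the function is never called, which
    // avoids the 7.4 deprecation notice and the fatal error on 8.0+.
    return version_compare(PHP_VERSION, '5.4.0', '<') && get_magic_quotes_gpc();
}

/** Recursively strip slashes from values and keys (hypothetical helper). */
function strip_gpc_slashes($value)
{
    if (!is_array($value)) {
        return is_string($value) ? stripslashes($value) : $value;
    }
    $clean = array();
    foreach ($value as $key => $item) {
        $cleanKey = is_string($key) ? stripslashes($key) : $key;
        $clean[$cleanKey] = strip_gpc_slashes($item);
    }
    return $clean;
}

/** Run exactly once per request, before any other code reads the input. */
function normalize_request_input()
{
    static $done = false;
    if ($done) {
        return; // a second pass would strip legitimate backslashes
    }
    $done = true;
    if (!gpc_slashes_were_added()) {
        return; // input is already raw; stripping would corrupt it
    }
    $_GET     = strip_gpc_slashes($_GET);
    $_POST    = strip_gpc_slashes($_POST);
    $_COOKIE  = strip_gpc_slashes($_COOKIE);
    $_REQUEST = strip_gpc_slashes($_REQUEST);
}

normalize_request_input();

// Constructed sample shaped like magic-quoted input, for a manual check.
$sample = array('name' => "O\\'Brien", 'tags' => array("say \\\"hi\\\""));
var_dump(strip_gpc_slashes($sample));
```

Neither magic quotes nor this cleanup is an injection defense: after normalization the values are raw user input and still need parameterized queries and context-specific output escaping.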