How can I disable PHP magic quotes at runtime?

Asked 20/7, 2009 at 13:58 Answered 17/1, 2010 at 2:55

I'm writing a set of PHP scripts that'll be run in some different setups, some of them shared hosting with magic quotes on (the horror). Without the ability to control PHP or Apache configuration, can I do anything in my scripts to disable PHP quotes at runtime?

It'd be better if the code didn't assume magic quotes are on, so that I can use the same scripts on different hosts that might or might not have magic quotes.

Skinhead answered 20/7, 2009 at 13:58 Comment(0)

Only magic_quoted_runtime can be disabled at runtime. But magic_quotes_gpc can’t be disabled at runtime (PHP_INI_ALL changable until PHP 4.2.3, since then PHP_INI_PERDIR); you can only remove them:

if (get_magic_quotes_gpc()) {
    $process = array(&$_GET, &$_POST, &$_COOKIE, &$_REQUEST);
    while (list($key, $val) = each($process)) {
        foreach ($val as $k => $v) {
            unset($process[$key][$k]);
            if (is_array($v)) {
                $process[$key][stripslashes($k)] = $v;
                $process[] = &$process[$key][stripslashes($k)];
            } else {
                $process[$key][stripslashes($k)] = stripslashes($v);
            }
        }
    }
    unset($process);
}

For further information see Disabling Magic Quotes.

Samarium answered 20/7, 2009 at 14:0 Comment(7)

I really think this code should also ini_set('magic_quotes_gpc', false); in order to prevent another library that was also concerned about striping input values from removing them again. – Mebane 16/12, 2010 at 22:21

@gnarf: That would be sweet but unfortunately it doesn't work that way, if you try ini_set('magic_quotes_gpc', 0) you will get false every time since this is only doable in PHP_INI_PERDIR. – Incorrupt 21/4, 2011 at 19:50

what about if you want some slashes to remain ... such as content entered into a form that includes a fraction: 4/5 ... stripslashes would remove it – Class 2/7, 2014 at 20:39

@Class stripslashes removes backslashes. – Samarium 3/7, 2014 at 4:10

oops ... bad example on my part ... but my point is still good: there may be times when you have intentional backslashes that you don't want stripped out – Class 3/7, 2014 at 11:51

You would only remove the backslashes if they would be added by magic quotes. That's why the code uses get_magic_quotes_gpc. – Samarium 3/7, 2014 at 11:53

yep. Magic quotes can only be disabled at system level, NOT at runtime. use stripslashes, as and when needed if you dont have access to php.ini file. Most shared servers I worked all have magic quotes off. Mostly old servers have them on. Oh well. – Ornis 18/7, 2016 at 9:58

Magic quotes cannot be disabled at runtime, but you can use a .htaccess file in the directory to disable it.

php_flag magic_quotes_gpc off

The only real advantage this has is you can put it once in a directory and it works for the whole directory and subdirectories. Really nice if you need this for an application you didn't write and need to get it to work without magic quotes.

Misname answered 20/7, 2009 at 14:1 Comment(2)

Internal Server Error. Looks like the host isn't allowing that directive. :( – Skinhead 20/7, 2009 at 14:13

Yeah, this requires the server to be setup to allow .htaccess override. Sorry to hear it didn't work out for you. – Misname 20/7, 2009 at 14:57

I have a little script for this similar to Gumbo's (but of course I like mine better :):

if(function_exists('get_magic_quotes_runtime') && get_magic_quotes_runtime())
    set_magic_quotes_runtime(false);

if(get_magic_quotes_gpc()) {
    array_stripslashes($_POST);
    array_stripslashes($_GET);
    array_stripslashes($_COOKIES);
}

function array_stripslashes(&$array) {
    if(is_array($array))
        while(list($key) = each($array))
            if(is_array($array[$key]))
                array_stripslashes($array[$key]);
            else
                $array[$key] = stripslashes($array[$key]);
}

Melitamelitopol answered 20/7, 2009 at 14:4 Comment(3)

Very useful as temporary solution before 5.3 update (vith default config of this directive). It does not require any other code modifications. Nice. Thank you. – Bcd 14/5, 2012 at 9:12

... but what about the situation where you are POSTing content that includes slashes that are SUPPOSED to be there, and you don't want them removed? – Class 2/7, 2014 at 14:1

@dsdsdsdsd: Handled. Slashes are only stripped if magic_quotes_gpc is on, so in your situation the slashes will have been themselves quoted and will be converted back to unquoted slashes by this code. – Melitamelitopol 3/7, 2014 at 16:30

Another solution for PHP 5.3+:

if (get_magic_quotes_gpc() === 1)
{
    $_GET = json_decode(stripslashes(preg_replace('~\\\(?:0|a|b|f|n|r|t|v)~', '\\\$0', json_encode($_GET, JSON_HEX_APOS | JSON_HEX_QUOT))), true);
    $_POST = json_decode(stripslashes(preg_replace('~\\\(?:0|a|b|f|n|r|t|v)~', '\\\$0', json_encode($_POST, JSON_HEX_APOS | JSON_HEX_QUOT))), true);
    $_COOKIE = json_decode(stripslashes(preg_replace('~\\\(?:0|a|b|f|n|r|t|v)~', '\\\$0', json_encode($_COOKIE, JSON_HEX_APOS | JSON_HEX_QUOT))), true);
    $_REQUEST = json_decode(stripslashes(preg_replace('~\\\(?:0|a|b|f|n|r|t|v)~', '\\\$0', json_encode($_REQUEST, JSON_HEX_APOS | JSON_HEX_QUOT))), true);
}

Handles keys, values and multi-dimensional arrays.

Incorrupt answered 17/1, 2010 at 2:55 Comment(3)

This works, but it will also remove the slashes from other escaped characters, such as \r and \n, becoming "r" and "n" in the value. – Herculaneum 21/4, 2011 at 13:35

@Brian E: Thank you for your feedback, you're right - I missed this big detail! – Incorrupt 21/4, 2011 at 14:59

@Brian E: I've posted a possible fix in github.com/alixaxel/phunction/issues/1#issuecomment-1039664. – Incorrupt 21/4, 2011 at 15:43

It cannot be done at runtime :(

Nate answered 20/7, 2009 at 14:1 Comment(0)

Recommended topics

Hot tags