Delicious Bookmark this on Delicious Share on Facebook SlashdotSlashdot It! Digg! Digg



PHP : Function Reference : PHP Options&Information : get_magic_quotes_gpc

get_magic_quotes_gpc

Gets the current configuration setting of magic quotes gpc (PHP 4, PHP 5)
int get_magic_quotes_gpc ( )

Example 1839. get_magic_quotes_gpc() example

<?php
echo get_magic_quotes_gpc();         // 1
echo $_POST['lastname'];             // O\'reilly
echo addslashes($_POST['lastname']); // O\\\'reilly

if (!get_magic_quotes_gpc()) {
   
$lastname = addslashes($_POST['lastname']);
} else {
   
$lastname = $_POST['lastname'];
}

echo
$lastname; // O\'reilly
$sql = "INSERT INTO lastnames (lastname) VALUES ('$lastname')";
?>

Related Examples ( Source code ) » get_magic_quotes_gpc


Code Examples / Notes » get_magic_quotes_gpc

venimus

When you work with forms and databases you should use this concept:
1.When inserting the user input in DB escape $_POST/$_GET with add_slashes() or similar (to match the speciffic database escape rules)
$query='INSERT INTO users SET fullname="'.add_slashes($_POST['fullname']).'"';
insert_into_db($query);
2.When reading a previously submitted input from DB use html_special_chars to display an escaped result!
read_db_row('SELECT fullname FROM users');
echo '<input type="text" name="fullname" value="'.html_special_chars($db_row['fullname']).'" />
this way you safely store and work with the original(unescaped) data.


gwang

The magic_quotes_gpc = On setting in php.ini is an unfortunate flaw in php which is not a convenience but a source of many bugs and a performance penalty. Decent programmers all know that special characters such as single quotes need to be escaped in string values of an SQL statement.  The magic_quotes_gpc = On setting wants to do this for programmers but fails to realize that post or get data usually are validated first. If the data are not valid, they are sent back to the browser for resubmission. In this case, the slashes added to the data are doubled after the next submission, thus causing bugs.

slonmron_no_spam_please_

Re: php at kaiundina dot de (03-Feb-2005 02:18)
1. magic_quotes_gpc=on/off and magic_quotes_sybase=on/off
I made test and your function worked right.
These were the <input ... /> names I used:
name="a"
name="b.b b\b"
name="c[c.1]"
name="c[c 2]"
name="c[c\3]"
name="c.c c[c.' 4]"
name="c ' c[c&quot;4]"
name="d&quot;[d&quot;1]"
(I used &quot; because I don't know other way to put " into the name)
and the user-input value:
a ' " \ \' \" \\ a
2. > 17) The chars '.', ' ' are always replaced by '_' when used in keys.
This is true only for the top-level keys, such as "b.b b\b", "c.c c" and "c ' c" above. The second-level key "[c.' 4]" was not changed to [c_'_4] but was escaped acording to how magic_quites_XXX are set.
Tested on PHP 4.4.0.
These magic_quotes are really black magic :(
It'll be good to make test against $_SESSION, but I can't do it today.


eltehaem

Please note, that when magic_quotes_gpc is set not only $_POST, $_GET, $_REQUEST, $_COOKIE arrays values are slashed. Actually every string value in $GLOBALS array is slashed, ie. $GLOBALS['_SERVER']['PATH_INFO'] (or $_SERVER['PATH_INFO']).

stpierre-at-spamsucks.nebrwesleyan.edu

I've found that, when working with Oracle (9i at least), you'll want to turn on magic_quotes_sybase.  I've read elsewhere that others have had the same experience.

php

Escaping of key-strings in GPC-arrays behave different to the escaping of their values.
First I expected that keys in submitted gpc-arrays are never escaped.
Anyway. After I saw escaped keys, I assumed they're escaped according to the settings of magic quotes.
... it's even worse...
It took me over 2 days of testing to figure out the exact behavior and creating two functions (one for each php-version) that strips slashes reliably from any array submitted to a script. Hope this saves someones time and nerves.
The following is true for $_GET- and $_POST-arrays. I hope other arrays affected by magic quotes behave equally.
I did not test the behavior for cases where magic_quotes_sybase is set.
== legend for possible case combinations ==
Px = php version we're using
P4 = php 4.3.9
P5 = php 5.0.2
MQ = MagicQuotes GPC
+MQ = magic quotes enabled
-MQ = magic quotes disabled
TL = TopLevel key
+TL = key is on top level (i.e. $_GET['myKey'])
-TL = key is nested within another array (i.e. $_GET['myList']['myKey'])
AK = ArrayKey
+AK = the value of the key is another array (i.e. is_array($_GET['myKey']) == true)
-AK = the value is a normal string (i.e. is_string($_GET['myKey']) == true)
== legend for possible results ==
KE = KeyEscaping
+KE = control chars are prefixed with a backslash
-KE = key is returned as submitted and needn't to be stripped
VE = ValueEscaping (doesn't apply for array as value)
+VE = control chars are prefixed with a backslash
-VE = value is returned as submitted and needn't to be stripped
== here we go - the following rules apply ==
1) P4 +MQ +AK +TL --> -KE
2) P4 +MQ +AK -TL --> +KE
3) P4 +MQ -AK +TL --> -KE +VE
4) P4 +MQ -AK -TL --> +KE +VE
5) P4 -MQ +AK +TL --> -KE
6) P4 -MQ +AK -TL --> -KE
7) P4 -MQ -AK +TL --> -KE -VE
8) P4 -MQ -AK -TL --> -KE -VE
9) P5 +MQ +AK +TL --> -KE
10) P5 +MQ +AK -TL --> +KE
11) P5 +MQ -AK +TL --> +KE +VE
12) P5 +MQ -AK -TL --> +KE +VE
13) P5 -MQ +AK +TL --> -KE
14) P5 -MQ +AK -TL --> -KE
15) P5 -MQ -AK +TL --> +KE -VE
16) P5 -MQ -AK -TL --> +KE -VE
17) The chars '.', ' ' are always replaced by '_' when used in keys.
Example (rule 15):
When running under php 5.0.2 having magic quotes disabled, gpc-keys on top level containing strings are escaped while their associated values are not.
== The following function will strip GPC-arrays for php 4.3.9 ==
function transcribe($aList, $aIsTopLevel = true) {
$gpcList = array();
$isMagic = get_magic_quotes_gpc();

foreach ($aList as $key => $value) {
$decodedKey = ($isMagic && !$aIsTopLevel)?stripslashes($key):$key;
if (is_array($value)) {
$decodedValue = transcribe($value, false);
} else {
$decodedValue = ($isMagic)?stripslashes($value):$value;
}
$gpcList[$decodedKey] = $decodedValue;
}
return $gpcList;
}
== The following function will strip GPC-arrays for php 5.0.2 ==
function transcribe($aList, $aIsTopLevel = true) {
$gpcList = array();
$isMagic = get_magic_quotes_gpc();

foreach ($aList as $key => $value) {
if (is_array($value)) {
$decodedKey = ($isMagic && !$aIsTopLevel)?stripslashes($key):$key;
$decodedValue = transcribe($value, false);
} else {
$decodedKey = stripslashes($key);
$decodedValue = ($isMagic)?stripslashes($value):$value;
}
$gpcList[$decodedKey] = $decodedValue;
}
return $gpcList;
}
Usage:
$unstrippedGET = transcribe($_GET);
$unstrippedPOST = transcribe($_POST);
Maybe someone is willing to test those combinations for other php-versions and with magic_quotes_sybase set to 'on' - let me know.
Sorry for this huge amount of text, but its complete. I was unable to compress the the decision table more than this.


07-feb-2006 12:56

All the code listed on this page is not necessary if you use the php_flag directive in a .htaccess file. This allows you to disable magic quotes completely, without the need to adjust your php.ini file or (re)process the user's input.
Just take a look at http://www.php.net/manual/en/security.magicquotes.php#55935
Gist of his note: in the .htaccess file, add a line
php_flag magic_quotes_gpc off
That's it. Thank you very much, richard dot spindler :) !


Change Language


Follow Navioo On Twitter
assert_options
assert
dl
extension_loaded
get_cfg_var
get_current_user
get_defined_constants
get_extension_funcs
get_include_path
get_included_files
get_loaded_extensions
get_magic_quotes_gpc
get_magic_quotes_runtime
get_required_files
getenv
getlastmod
getmygid
getmyinode
getmypid
getmyuid
getopt
getrusage
ini_alter
ini_get_all
ini_get
ini_restore
ini_set
main
memory_get_peak_usage
memory_get_usage
php_ini_scanned_files
php_logo_guid
php_sapi_name
php_uname
phpcredits
phpinfo
phpversion
putenv
restore_include_path
set_include_path
set_magic_quotes_runtime
set_time_limit
sys_get_temp_dir
version_compare
zend_logo_guid
zend_thread_id
zend_version
eXTReMe Tracker