1
votes

I need to write portable code that will run on a shared server with magic_quotes_gpc enabled, and I am unable to change that in php.ini or .htaccess. (The server is running PHP 5.2.)

It seems there are numerous functions to strip slashes from all of the $_GET, $_POST etc. superglobals, but I'm not sure which is the best. Also, some comments here seem to say that the keys also have slashes added, which need to be stripped as well. So should I use the one on the PHP website:

if (get_magic_quotes_gpc()) {
    $process = array(&$_GET, &$_POST, &$_COOKIE, &$_REQUEST);
    while (list($key, $val) = each($process)) {
        foreach ($val as $k => $v) {
            unset($process[$key][$k]);
            if (is_array($v)) {
                $process[$key][stripslashes($k)] = $v;
                $process[] = &$process[$key][stripslashes($k)];
            } else {
                $process[$key][stripslashes($k)] = stripslashes($v);
            }
        }
    }
    unset($process);
}

or something like this: (from this answer: PHP - Shorter Magic Quotes Solution)

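function strip_slashes_recursive(&$value) {
    if (!is_array($value)) {
        // stripslashes() is the built-in; strip_slashes() does not exist in PHP
        $value = stripslashes($value);
    } else {
        foreach (array_keys($value) as $key) {
            // the function works by reference and returns nothing,
            // so process a copy and then store it under the stripped key
            $arrayValue = $value[$key];
            strip_slashes_recursive($arrayValue);
            unset($value[$key]);
            $value[stripslashes($key)] = $arrayValue;
        }
    }
}

// only undo the escaping when magic quotes are actually on
if (get_magic_quotes_gpc()) {
    foreach (array(&$_GET, &$_POST, &$_COOKIE, &$_REQUEST) as &$array) {
        strip_slashes_recursive($array);
    }
    // don't forget to unset references or it can lead to very nasty bugs
    unset($array);
}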

or even something like this:

if (get_magic_quotes_gpc()) {
    function undoMagicQuotes($array, $topLevel=true) {
        $newArray = array();
        foreach($array as $key => $value) {
            if (!$topLevel) {
                $key = stripslashes($key);
            }
            if (is_array($value)) {
                $newArray[$key] = undoMagicQuotes($value, false);
            }
            else {
                $newArray[$key] = stripslashes($value);
            }
        }
        return $newArray;
    }
    $_GET = undoMagicQuotes($_GET);
    $_POST = undoMagicQuotes($_POST);
    $_COOKIE = undoMagicQuotes($_COOKIE);
    $_REQUEST = undoMagicQuotes($_REQUEST);
}

Can someone explain the pros/cons of each approach (and/or suggest a totally different approach), how thorough they are, and whether they strip slashes from the key as well as the value?

(also is this method any good: PHP: how to (correctly) remove escaped quotes in arrays when Magic Quotes are ON)
(and also it seems like all of these methods are incomplete as they don't strip slashes from all the affected superglobals: Which superglobals are affected by magic_quotes_gpc = 1?)

3
Pithy answer: Move to a half-decent hosting service. - Quentin

3 Answers

1
votes

Here's another one mostly from PHP: how to (correctly) remove escaped quotes in arrays when Magic Quotes are ON but with my own changes:

if(function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
    function unMagicQuotify($array) {
        $fixed = array();
        foreach ($array as $key=>$val) {
            if (is_array($val)) {
                $fixed[stripslashes($key)] = unMagicQuotify($val);
            } else {
                $fixed[stripslashes($key)] = stripslashes($val);
            }
        }
        return $fixed;
    }

    $_GET = unMagicQuotify($_GET);
    $_POST = unMagicQuotify($_POST);
    $_COOKIE = unMagicQuotify($_COOKIE);
    $_REQUEST = unMagicQuotify($_REQUEST);
    $_FILES = unMagicQuotify($_FILES);
}

Pros

  • They work for both arrays and single variables
  • Does strip the key
  • Does not use references

Cons

  • May change the order of variables

Note the inclusion of $_FILES as magic quotes also affects it. As for reading a file (file_get_contents) and/or using php://input I couldn't tell whether magic quotes affects them, but you would have to stripslashes() as and when you are reading them and would not be able to do something like this. I didn't manage to check $HTTP_RAW_POST_DATA but it isn't populated by default so things should be ok leaving it out.

0
votes

You can get rid of slashes by performing this:

$_REQUEST = array_map('stripslashes', $_REQUEST);

I think it's easier and makes code smaller and more laconic.

I'm sure you know what problems can appear when using the magic quotes directive (here is an article: http://www.sitepoint.com/magic-quotes-headaches/). But IMO it's better for you to move your apps to another hosting provider if your current provider can't turn magic quotes off. Also, it's not a very good idea to use an outdated version of PHP.

0
votes

First Method

Pros

  • They work for both arrays and single variables
  • Does strip the key

Cons

  • The code is too long for what it needs to be

Second Method

Pros

  • They work for both arrays and single variables

Cons

  • The code is too long for what it needs to be
  • Does not strip the key

Third Method

Pros

  • They work for both arrays and single variables
  • Does strip the key

Cons

  • The code is too long for what it needs to be

I've been using this, which works ok (Found it in osTicket, I love open source):

function strip_slashes($var){
    return is_array($var)?array_map('strip_slashes',$var):stripslashes($var);
}


if(function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
    $_POST = strip_slashes($_POST);
    $_GET = strip_slashes($_GET);
    $_REQUEST = strip_slashes($_REQUEST);
    $_COOKIE = strip_slashes($_COOKIE);
}

Pros

  • They work for both arrays and single variables

Cons

  • Does not strip the keys

I've never come across the need to strip the keys as well, though. Many open source libraries don't do it (e.g. WordPress, osTicket). Generally I only use names for $_POST and $_GET data that will never be escaped.
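
A round-trip check for the approaches compared in this thread, as an added example that is not part of any post above: it escapes a constructed input the way magic quotes would, then tests whether an undo function restores it exactly. The function names and sample data are hypothetical, and the simulation assumes keys are escaped at every nesting level, as the comments cited in the question report.

```php
<?php
// Added example; sample data is constructed, function names are hypothetical.

// Simulate magic_quotes_gpc on request data: addslashes() applied to
// values and (assumption) to keys at every nesting level.
function simulate_magic_quotes($data) {
    if (!is_array($data)) {
        return addslashes($data);
    }
    $out = array();
    foreach ($data as $k => $v) {
        $out[addslashes($k)] = simulate_magic_quotes($v);
    }
    return $out;
}

// Undo that strips keys and values (same shape as unMagicQuotify above).
function undo_keys_and_values($data) {
    if (!is_array($data)) {
        return stripslashes($data);
    }
    $out = array();
    foreach ($data as $k => $v) {
        $out[stripslashes($k)] = undo_keys_and_values($v);
    }
    return $out;
}

// Undo that strips values only (same shape as the array_map variant above).
function undo_values_only($data) {
    return is_array($data)
        ? array_map('undo_values_only', $data)
        : stripslashes($data);
}

// Constructed input: quotes and backslashes in values, in a top-level key,
// and in a nested key.
$original = array(
    'name' => "O'Reilly",
    'path' => 'C:\\temp',
    "it's" => array('quote"d' => 'a\\b'),
);
$quoted = simulate_magic_quotes($original);

// Strict comparison: same keys, same values, same order.
var_dump(undo_keys_and_values($quoted) === $original);
var_dump(undo_values_only($quoted) === $original);
```

Any other undo function from this thread can be substituted in the final comparisons to see whether it restores keys as well as values.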