Disable magic_quotes_gpc function

Page 1 / 1

Some hosts which LWS, activates the "magic_quotes_gpc" feature that helps protect data sent by the methods "GET", "POST", ...

This information is visible through the "phpinfo" PHP function.

magic_quotes_gpc

The problem is that when its SQL queries are protected via the functions "PDO::quote" (or PHP4 with mysql_real_escape_string which is deprecated), this feature is problematic because the protection is applied 2 times our data. So we end up with \\'instead of \' and it therefore produces a SQL error.

The 2nd problem with this feature is that it is simply impossible to disable with "ini_set" as they have desired to do so. As stated in the official documentation of PHP.net.

Also according to the PHP documentation, it is still possible to disable it :

  • by the file "php.ini" if you can access it, by adding or changing the following lines :

    Apache

    ; Magic quotes for incoming GET/POST/Cookie data.
    magic_quotes_gpc = Off
    ; Magic quotes for runtime-generated data, e.g. data from SQL, from exec(), etc.
    magic_quotes_runtime = Off
    ; Use Sybase-style magic quotes (escape ' with '' instead of \').
    magic_quotes_sybase = Off
  • by a ". htaccess", by adding the following line "php_flag magic_quotes_gpc Off" in this file.
    Nevertheless, we tested this possibility in our host and it had no effect (it is perhaps a measure of security in the host).

Since we don't have access to the "php.ini" file Host and the second option did not work, so we used the proposed solution in the comments of PHP.net website, it works correctly.

PHP

<?php
if (get_magic_quotes_gpc()) {
  function stripslashes_gpc(&$value){
    $value = stripslashes($value);
  }
  array_walk_recursive($_GET, 'stripslashes_gpc');
  array_walk_recursive($_POST, 'stripslashes_gpc');
  array_walk_recursive($_COOKIE, 'stripslashes_gpc');
  array_walk_recursive($_REQUEST, 'stripslashes_gpc');
}
?>

This small very powerful PHP script doesn't disable the "magic_quotes_gpc" feature, but perform the reverse process (if this feature is enabled on the server) to cancel the operation of "magic_quotes_gpc". Helping us documentation, we can explain how this custom function. In fact, it goes through all the boxes of the arrays "_GET", "_POST", "_COOKIE" and "_REQUEST" and performs the inverse processing on each of the boxes by the "stripslashes" function of PHP.

 

Finally, note that this function has been deprecated by PHP.net since version "5.3.0" and will therefore disappear from the version "5.4.0".