PHP Doku:: Zeigt die aktuelle Konfiguration von magic quotes gpc - function.get-magic-quotes-gpc.html

Verlauf / Chronik / History: (1) anzeigen

Sie sind hier:
Doku-StartseitePHP-HandbuchFunktionsreferenzDas Verhalten von PHP beeinflussenPHP-Optionen und -InformationenPHP-Optionen-/-Informationen-Funktionenget_magic_quotes_gpc

Ein Service von Reinhard Neidl - Webprogrammierung.

PHP-Optionen-/-Informationen-Funktionen

<<get_loaded_extensions

get_magic_quotes_runtime>>

get_magic_quotes_gpc

(PHP 4, PHP 5)

get_magic_quotes_gpc Zeigt die aktuelle Konfiguration von magic quotes gpc

Beschreibung

long get_magic_quotes_gpc ( void )

Zeigt die aktuelle Konfiguration von magic_quotes_gpc. (0 für aus, 1 für an).

Siehe auch get_magic_quotes_runtime() und set_magic_quotes_runtime().


14 BenutzerBeiträge:
- Beiträge aktualisieren...
rickm707 at gmail dot com
10.10.2010 23:15
For many people, including myself, the problem is not needing to remove escape characters, but simply to know if they are already in place.  In my case, I WANT user input to be properly escaped, but I don't want to do it twice.  In cases like this, here's my solution:

<?php
function conditional_escape ($str)
{
  
/* Automatic escaping is highly deprecated, but many sites do it
      anyway to protect themselves from stupid customers. */
  
if (get_magic_quotes_gpc())
   {
     
/* Apache automatically escaped the string already. */
     
return $str;
   }
  
/* Replace the following line with whatever function you prefer
       to call to escape a string. */
  
return mysqli_real_escape_string ($link, $str);
}
?>

Example:

<?php
  $username
= conditional_escape ($_POST['Username']);
 
$password = conditional_escape ($_POST['Password']);
 
$email_address = conditional_escape ($_POST['Email_Address']);
?>

Hope this helps.
hetored at gmail dot com
7.05.2010 23:17
Here's what I came up with to remove magic quotes from request data.

Replaces two single-quotes with one if magic_quotes_sybase are on, otherwise it just strips slashes.

Note that the `foreach` style makes this work only with PHP 5 and above.

<?php

// Strip magic quotes from request data.
if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
   
// Create lamba style unescaping function (for portability)
   
$quotes_sybase = strtolower(ini_get('magic_quotes_sybase'));
   
$unescape_function = (empty($quotes_sybase) || $quotes_sybase === 'off') ? 'stripslashes($value)' : 'str_replace("\'\'","\'",$value)';
   
$stripslashes_deep = create_function('&$value, $fn', '
        if (is_string($value)) {
            $value = '
. $unescape_function . ';
        } else if (is_array($value)) {
            foreach ($value as &$v) $fn($v, $fn);
        }
    '
);
   
   
// Unescape data
   
$stripslashes_deep($_POST, $stripslashes_deep);
   
$stripslashes_deep($_GET, $stripslashes_deep);
   
$stripslashes_deep($_COOKIE, $stripslashes_deep);
   
$stripslashes_deep($_REQUEST, $stripslashes_deep);
}

?>
Alix Axel
16.01.2010 21:20
For those of you who need a portable magic quotes antidote here is a solution that fixes both keys and values in multi-dimensional arrays:

<?php

if (get_magic_quotes_gpc() === 1)
{
   
$_GET = json_decode(stripslashes(json_encode($_GET, JSON_HEX_APOS)), true);
   
$_POST = json_decode(stripslashes(json_encode($_POST, JSON_HEX_APOS)), true);
   
$_COOKIE = json_decode(stripslashes(json_encode($_COOKIE, JSON_HEX_APOS)), true);
   
$_REQUEST = json_decode(stripslashes(json_encode($_REQUEST, JSON_HEX_APOS)), true);
}

?>

Look mum, no recursion! :P Enjoy!
louis at greynoise dot co dot uk
30.05.2008 17:34
<?php
function stripper($stringvar){
    if (
1 == get_magic_quotes_gpc()){
       
$stringvar = stripslashes($stringvar);
    }
    return
$stringvar;
}
?>

Usage:

<?php
$Body
= stripper($rs->fields('Body'));
echo(
$Body);
?>

This checks if get_magic_quotes_gpc() is on and strips a string variable for output if its on. Useful if the dev server and live server are set up different.
surya at c77 dot in
20.04.2008 9:28
@heiko dot richler at informatik dot fh-nuernberg dot de

I think your stripslashes_deep function should like this:

<?php
function stripslashes_deep(&$value)
{
   
$value = is_array($value) ?
               
array_map('stripslashes_deep', $value) :
               
stripslashes($value);

    return
$value;
}
?>

You missed the References.
heiko dot richler at informatik dot fh-nuernberg dot de
15.04.2008 9:02
@ dot dot dot dot dot alexander at gmail dot com

I suggest replacing foreach by "stripslashes_deep":

Example #2 Using stripslashes() on an array on
<http://www.php.net/manual/en/function.stripslashes.php>:

<?php
function stripslashes_deep($value)
{
   
$value = is_array($value) ?
               
array_map('stripslashes_deep', $value) :
               
stripslashes($value);

    return
$value;
}
?>

This gives:

<?php
if((function_exists("get_magic_quotes_gpc") && get_magic_quotes_gpc())    || (ini_get('magic_quotes_sybase') && (strtolower(ini_get('magic_quotes_sybase'))!="off")) ){
   
stripslashes_deep($_GET);
   
stripslashes_deep($_POST);
   
stripslashes_deep($_COOKIE);
}
?>
dot dot dot dot dot alexander at gmail dot com
9.03.2008 16:06
Just a little correction:
( Because of the ini_get function that may return a string value of "off" that evaluates to TRUE )
<?php
       
if(  
            ( 
function_exists("get_magic_quotes_gpc") && get_magic_quotes_gpc()  )
             || ( 
ini_get('magic_quotes_sybase') && ( strtolower(ini_get('magic_quotes_sybase')) != "off" )  )
           ){
            foreach(
$_GET as $k => $v) $_GET[$k] = stripslashes($v);
            foreach(
$_POST as $k => $v) $_POST[$k] = stripslashes($v);
            foreach(
$_COOKIE as $k => $v) $_COOKIE[$k] = stripslashes($v);
        }
?>
dot dot dot dot dot alexander at gmail dot com
9.03.2008 15:51
If you don't need to enter the user input in a database, and you are annoyed by "those-damn-slashes-behind-the-apostrophes" (or quotes), that you are forced to strip manually for each entry, you will find this helpful: (  Just put it so it gets executed before any manipulation to the GPC ( Get|Post|Cookie )  )
<?php
       
if(  ( function_exists("get_magic_quotes_gpc") && get_magic_quotes_gpc() ) || ini_get('magic_quotes_sybase')  ){
            foreach(
$_GET as $k => $v) $_GET[$k] = stripslashes($v);
            foreach(
$_POST as $k => $v) $_POST[$k] = stripslashes($v);
            foreach(
$_COOKIE as $k => $v) $_COOKIE[$k] = stripslashes($v);
        }
?>
gwang at theniceagency dot com
3.07.2007 17:19
The magic_quotes_gpc = On setting in php.ini is an unfortunate flaw in php which is not a convenience but a source of many bugs and a performance penalty. Decent programmers all know that special characters such as single quotes need to be escaped in string values of an SQL statement.  The magic_quotes_gpc = On setting wants to do this for programmers but fails to realize that post or get data usually are validated first. If the data are not valid, they are sent back to the browser for resubmission. In this case, the slashes added to the data are doubled after the next submission, thus causing bugs.
slonmron_no_spam_please_ at yahoo dot com
6.12.2006 15:32
Re: php at kaiundina dot de (03-Feb-2005 02:18)

1. magic_quotes_gpc=on/off and magic_quotes_sybase=on/off

I made test and your function worked right.
These were the <input ... /> names I used:
name="a"
name="b.b b\b"
name="c[c.1]"
name="c[c 2]"
name="c[c\3]"
name="c.c c[c.' 4]"
name="c ' c[c&quot;4]"
name="d&quot;[d&quot;1]"

(I used &quot; because I don't know other way to put " into the name)

and the user-input value:
a ' " \ \' \" \\ a

2. > 17) The chars '.', ' ' are always replaced by '_' when used in keys.

This is true only for the top-level keys, such as "b.b b\b", "c.c c" and "c ' c" above. The second-level key "[c.' 4]" was not changed to [c_'_4] but was escaped acording to how magic_quites_XXX are set.

Tested on PHP 4.4.0.

These magic_quotes are really black magic :(

It'll be good to make test against $_SESSION, but I can't do it today.
venimus at gmail dot com
11.07.2006 15:14
When you work with forms and databases you should use this concept:

1.When inserting the user input in DB escape $_POST/$_GET with add_slashes() or similar (to match the speciffic database escape rules)

$query='INSERT INTO users SET fullname="'.add_slashes($_POST['fullname']).'"';
insert_into_db($query);

2.When reading a previously submitted input from DB use html_special_chars to display an escaped result!

read_db_row('SELECT fullname FROM users');
echo '<input type="text" name="fullname" value="'.html_special_chars($db_row['fullname']).'" />

this way you safely store and work with the original(unescaped) data.
php at kaiundina dot de
3.02.2005 1:18
Escaping of key-strings in GPC-arrays behave different to the escaping of their values.

First I expected that keys in submitted gpc-arrays are never escaped.
Anyway. After I saw escaped keys, I assumed they're escaped according to the settings of magic quotes.
... it's even worse...

It took me over 2 days of testing to figure out the exact behavior and creating two functions (one for each php-version) that strips slashes reliably from any array submitted to a script. Hope this saves someones time and nerves.

The following is true for $_GET- and $_POST-arrays. I hope other arrays affected by magic quotes behave equally.
I did not test the behavior for cases where magic_quotes_sybase is set.

== legend for possible case combinations ==
Px = php version we're using
    P4 = php 4.3.9
    P5 = php 5.0.2

MQ = MagicQuotes GPC
    +MQ = magic quotes enabled
    -MQ = magic quotes disabled

TL = TopLevel key
    +TL = key is on top level (i.e. $_GET['myKey'])
    -TL = key is nested within another array (i.e. $_GET['myList']['myKey'])

AK = ArrayKey
    +AK = the value of the key is another array (i.e. is_array($_GET['myKey']) == true)
    -AK = the value is a normal string (i.e. is_string($_GET['myKey']) == true)

== legend for possible results ==
KE = KeyEscaping
    +KE = control chars are prefixed with a backslash
    -KE = key is returned as submitted and needn't to be stripped

VE = ValueEscaping (doesn't apply for array as value)
    +VE = control chars are prefixed with a backslash
    -VE = value is returned as submitted and needn't to be stripped

== here we go - the following rules apply ==
 1) P4 +MQ +AK +TL --> -KE
 2) P4 +MQ +AK -TL --> +KE
 3) P4 +MQ -AK +TL --> -KE +VE
 4) P4 +MQ -AK -TL --> +KE +VE
 5) P4 -MQ +AK +TL --> -KE
 6) P4 -MQ +AK -TL --> -KE
 7) P4 -MQ -AK +TL --> -KE -VE
 8) P4 -MQ -AK -TL --> -KE -VE
 9) P5 +MQ +AK +TL --> -KE
10) P5 +MQ +AK -TL --> +KE
11) P5 +MQ -AK +TL --> +KE +VE
12) P5 +MQ -AK -TL --> +KE +VE
13) P5 -MQ +AK +TL --> -KE
14) P5 -MQ +AK -TL --> -KE
15) P5 -MQ -AK +TL --> +KE -VE
16) P5 -MQ -AK -TL --> +KE -VE
17) The chars '.', ' ' are always replaced by '_' when used in keys.

Example (rule 15):
When running under php 5.0.2 having magic quotes disabled, gpc-keys on top level containing strings are escaped while their associated values are not.

== The following function will strip GPC-arrays for php 4.3.9 ==

<?php
function transcribe($aList, $aIsTopLevel = true) {
   
$gpcList = array();
   
$isMagic = get_magic_quotes_gpc();
   
    foreach (
$aList as $key => $value) {
       
$decodedKey = ($isMagic && !$aIsTopLevel)?stripslashes($key):$key;
        if (
is_array($value)) {
           
$decodedValue = transcribe($value, false);
        } else {
           
$decodedValue = ($isMagic)?stripslashes($value):$value;
        }
       
$gpcList[$decodedKey] = $decodedValue;
    }
    return
$gpcList;
}
?>


== The following function will strip GPC-arrays for php 5.0.2 ==
<?php
function transcribe($aList, $aIsTopLevel = true) {
   
$gpcList = array();
   
$isMagic = get_magic_quotes_gpc();
   
    foreach (
$aList as $key => $value) {
        if (
is_array($value)) {
           
$decodedKey = ($isMagic && !$aIsTopLevel)?stripslashes($key):$key;
           
$decodedValue = transcribe($value, false);
        } else {
           
$decodedKey = stripslashes($key);
           
$decodedValue = ($isMagic)?stripslashes($value):$value;
        }
       
$gpcList[$decodedKey] = $decodedValue;
    }
    return
$gpcList;
}
?>

Usage:

<?php
$unstrippedGET
= transcribe($_GET);
$unstrippedPOST = transcribe($_POST);
?>

Maybe someone is willing to test those combinations for other php-versions and with magic_quotes_sybase set to 'on' - let me know.
Sorry for this huge amount of text, but it's complete. I was unable to compress the decision table more than this.
stpierre-at-spamsucks.nebrwesleyan.edu
14.01.2005 17:51
I've found that, when working with Oracle (9i at least), you'll want to turn on magic_quotes_sybase.  I've read elsewhere that others have had the same experience.
eltehaem at poczta dot onet dot pl
26.11.2004 23:58
Please note, that when magic_quotes_gpc is set not only $_POST, $_GET, $_REQUEST, $_COOKIE arrays values are slashed. Actually every string value in $GLOBALS array is slashed, ie. $GLOBALS['_SERVER']['PATH_INFO'] (or $_SERVER['PATH_INFO']).



PHP Powered Diese Seite bei php.net
The PHP manual text and comments are covered by the Creative Commons Attribution 3.0 License © the PHP Documentation Group - Impressum - mail("TO:Reinhard Neidl",...)