How can I disable PHP magic quotes at runtime?

2020-01-29 14:49发布

问题:

I'm writing a set of PHP scripts that'll be run in some different setups, some of them shared hosting with magic quotes on (the horror). Without the ability to control PHP or Apache configuration, can I do anything in my scripts to disable PHP quotes at runtime?

It'd be better if the code didn't assume magic quotes are on, so that I can use the same scripts on different hosts that might or might not have magic quotes.

回答1:

Only magic_quoted_runtime can be disabled at runtime. But magic_quotes_gpc can’t be disabled at runtime (PHP_INI_ALL changable until PHP 4.2.3, since then PHP_INI_PERDIR); you can only remove them:

if (get_magic_quotes_gpc()) {
    $process = array(&$_GET, &$_POST, &$_COOKIE, &$_REQUEST);
    while (list($key, $val) = each($process)) {
        foreach ($val as $k => $v) {
            unset($process[$key][$k]);
            if (is_array($v)) {
                $process[$key][stripslashes($k)] = $v;
                $process[] = &$process[$key][stripslashes($k)];
            } else {
                $process[$key][stripslashes($k)] = stripslashes($v);
            }
        }
    }
    unset($process);
}

For further information see Disabling Magic Quotes.



回答2:

Magic quotes cannot be disabled at runtime, but you can use a .htaccess file in the directory to disable it.

php_flag magic_quotes_gpc off

The only real advantage this has is you can put it once in a directory and it works for the whole directory and subdirectories. Really nice if you need this for an application you didn't write and need to get it to work without magic quotes.



回答3:

I have a little script for this similar to Gumbo's (but of course I like mine better :):

if(function_exists('get_magic_quotes_runtime') && get_magic_quotes_runtime())
    set_magic_quotes_runtime(false);

if(get_magic_quotes_gpc()) {
    array_stripslashes($_POST);
    array_stripslashes($_GET);
    array_stripslashes($_COOKIES);
}

function array_stripslashes(&$array) {
    if(is_array($array))
        while(list($key) = each($array))
            if(is_array($array[$key]))
                array_stripslashes($array[$key]);
            else
                $array[$key] = stripslashes($array[$key]);
}


回答4:

Another solution for PHP 5.3+:

if (get_magic_quotes_gpc() === 1)
{
    $_GET = json_decode(stripslashes(preg_replace('~\\\(?:0|a|b|f|n|r|t|v)~', '\\\$0', json_encode($_GET, JSON_HEX_APOS | JSON_HEX_QUOT))), true);
    $_POST = json_decode(stripslashes(preg_replace('~\\\(?:0|a|b|f|n|r|t|v)~', '\\\$0', json_encode($_POST, JSON_HEX_APOS | JSON_HEX_QUOT))), true);
    $_COOKIE = json_decode(stripslashes(preg_replace('~\\\(?:0|a|b|f|n|r|t|v)~', '\\\$0', json_encode($_COOKIE, JSON_HEX_APOS | JSON_HEX_QUOT))), true);
    $_REQUEST = json_decode(stripslashes(preg_replace('~\\\(?:0|a|b|f|n|r|t|v)~', '\\\$0', json_encode($_REQUEST, JSON_HEX_APOS | JSON_HEX_QUOT))), true);
}

Handles keys, values and multi-dimensional arrays.



回答5:

It cannot be done at runtime :(