I'm writing a set of PHP scripts that'll be run in some different setups, some of them shared hosting with magic quotes on (the horror). Without the ability to control PHP or Apache configuration, can I do anything in my scripts to disable PHP quotes at runtime?
It'd be better if the code didn't assume magic quotes are on, so that I can use the same scripts on different hosts that might or might not have magic quotes.
Only magic_quoted_runtime can be disabled at runtime. But magic_quotes_gpc can’t be disabled at runtime (PHP_INI_ALL changable until PHP 4.2.3, since then PHP_INI_PERDIR); you can only remove them:
if (get_magic_quotes_gpc()) {
$process = array(&$_GET, &$_POST, &$_COOKIE, &$_REQUEST);
while (list($key, $val) = each($process)) {
foreach ($val as $k => $v) {
unset($process[$key][$k]);
if (is_array($v)) {
$process[$key][stripslashes($k)] = $v;
$process[] = &$process[$key][stripslashes($k)];
} else {
$process[$key][stripslashes($k)] = stripslashes($v);
}
}
}
unset($process);
}
For further information see Disabling Magic Quotes.
Magic quotes cannot be disabled at runtime, but you can use a .htaccess file in the directory to disable it.
php_flag magic_quotes_gpc off
The only real advantage this has is you can put it once in a directory and it works for the whole directory and subdirectories. Really nice if you need this for an application you didn't write and need to get it to work without magic quotes.
I have a little script for this similar to Gumbo's (but of course I like mine better :):
if(function_exists('get_magic_quotes_runtime') && get_magic_quotes_runtime())
set_magic_quotes_runtime(false);
if(get_magic_quotes_gpc()) {
array_stripslashes($_POST);
array_stripslashes($_GET);
array_stripslashes($_COOKIES);
}
function array_stripslashes(&$array) {
if(is_array($array))
while(list($key) = each($array))
if(is_array($array[$key]))
array_stripslashes($array[$key]);
else
$array[$key] = stripslashes($array[$key]);
}
Another solution for PHP 5.3+:
if (get_magic_quotes_gpc() === 1)
{
$_GET = json_decode(stripslashes(preg_replace('~\\\(?:0|a|b|f|n|r|t|v)~', '\\\$0', json_encode($_GET, JSON_HEX_APOS | JSON_HEX_QUOT))), true);
$_POST = json_decode(stripslashes(preg_replace('~\\\(?:0|a|b|f|n|r|t|v)~', '\\\$0', json_encode($_POST, JSON_HEX_APOS | JSON_HEX_QUOT))), true);
$_COOKIE = json_decode(stripslashes(preg_replace('~\\\(?:0|a|b|f|n|r|t|v)~', '\\\$0', json_encode($_COOKIE, JSON_HEX_APOS | JSON_HEX_QUOT))), true);
$_REQUEST = json_decode(stripslashes(preg_replace('~\\\(?:0|a|b|f|n|r|t|v)~', '\\\$0', json_encode($_REQUEST, JSON_HEX_APOS | JSON_HEX_QUOT))), true);
}
Handles keys, values and multi-dimensional arrays.
It cannot be done at runtime :(