How to turn off magic quotes on shared hosting?

Posted 2020-01-22 13:10

I want to turn off PHP's magic quotes. I don't have access to php.ini.

When I tried to add php_flag magic_quotes_gpc off to my .htaccess file, I get a 500 internal server error. This is what my .htaccess file looks like:

    AddType x-mapp-php5 .php
    php_flag magic_quotes_gpc off

Then I tried to use ini_set('magic_quotes_gpc', 'O'), but that had no effect.

How do I turn magic quotes off?

13 answers

闹够了就滚
#2 · 2020-01-22 13:59

If you can't turn it off, here is what I usually do:

    // Escape only when magic quotes has not already added slashes
    $username = get_magic_quotes_gpc() ? $_POST['username'] : mysql_real_escape_string($_POST['username']);

It will be placed in the database in its proper format.

祖国的老花朵
#3 · 2020-01-22 14:03

This will solve the problem of getting "Class 'PDO' not found" when you create a local php.ini file.

If you can't turn off magic quotes using the htaccess file (for reasons already given by Pete Bailey) just:

  1. Create a text file
  2. Rename it to 'php.ini'
  3. Add the lines

    magic_quotes_gpc = Off
    magic_quotes_runtime = Off
    magic_quotes_sybase = Off
    extension=pdo.so
    extension=pdo_mysql.so

  4. Save it to the directory/ies in which your scripts are executing.

Update: if you want to have just one copy of the new php.ini file then add this line to your root .htaccess file:

SetEnv PHPRC /path/to/site/root/public_html/php.ini

Obviously you need to move the ini file to this location if it's not there already.

Hope that saves someone the 2 hours it's just taken me!

放我归山
#4 · 2020-01-22 14:06

The php_flag and php_value inside a .htaccess file are technically correct - but for PHP installed as an Apache module only. On a shared host you'll almost never find such a setup; PHP is run as a CGI instead, for reasons related to security (keeping your server neighbours out of your files) and the way phpsuexec runs scripts as 'you' instead of the apache user.

Apache is thus correct giving you a server error: it doesn't know about the meaning of php_flag unless the PHP module is loaded. A CGI binary is to Apache an external program instead, and you can't configure it from within Apache.

Now for the good news: you can set up per-directory configuration putting there a file named 'php.ini' and setting there your instructions using the same syntax as in the system's main php.ini. The PHP manual lists all settable directives: you can set those marked with PHP_INI_PERDIR or PHP_INI_ALL, while only the system administrator can set those marked PHP_INI_SYSTEM in the server-wide php.ini.

Note that such php.ini directives are not inherited by subdirectories, you'll have to give them their own php.ini.

霸刀☆藐视天下
#5 · 2020-01-22 14:07

Different hosting providers have different procedures for doing this, so I would ask on their forums or file a support request.

If you can't turn them off, you could always use something like this, which will escape input regardless of whether magic quotes are on or off:

    // using mysqli
    public function escapeString($stringToBeEscaped) {
        return $this->getConnection()->real_escape_string(stripslashes($stringToBeEscaped));
    }
Explosion°爆炸
#6 · 2020-01-22 14:08

If your hosting provider uses cPanel, you can try copying php.ini into your web directory and editing it to set magic_quotes_gpc = off

聊天终结者
#7 · 2020-01-22 14:11

How about $_SERVER ?

    if (get_magic_quotes_gpc() === 1) {
        $_GET = json_decode(stripslashes(json_encode($_GET, JSON_HEX_APOS)), true);
        $_POST = json_decode(stripslashes(json_encode($_POST, JSON_HEX_APOS)), true);
        $_COOKIE = json_decode(stripslashes(json_encode($_COOKIE, JSON_HEX_APOS)), true);
        $_REQUEST = json_decode(stripslashes(json_encode($_REQUEST, JSON_HEX_APOS)), true);
        $_SERVER = json_decode(stripslashes(json_encode($_SERVER, JSON_HEX_APOS)), true);
    }
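
For hosts where the setting cannot be switched off, the following PHP is an added example, not part of the thread or any answer above: it undoes magic quotes once for request input, only when the setting is active, and then passes the value to the database as a PDO bound parameter instead of relying on slashes or manual escaping. The function names are hypothetical, the sample input is constructed, and the in-memory SQLite database (which needs the pdo_sqlite extension) is an assumption standing in for the real one.

```php
<?php
// Added example: normalise magic-quoted input once, then rely on bound
// parameters (not magic quotes, not manual escaping) at the database layer.

// Strip the slashes magic_quotes_gpc added; recurses into nested arrays.
// Array keys are left untouched. (Hypothetical helper name.)
function undo_magic_quotes($value)
{
    if (is_array($value)) {
        return array_map('undo_magic_quotes', $value);
    }
    return is_string($value) ? stripslashes($value) : $value;
}

// True only where the setting still exists and is on. The function was
// removed in PHP 8.0, so the call is guarded. (Hypothetical helper name.)
function magic_quotes_active()
{
    return function_exists('get_magic_quotes_gpc') && @get_magic_quotes_gpc();
}

// Run once at the top of the entry script, before any input is read.
if (magic_quotes_active()) {
    $_GET     = undo_magic_quotes($_GET);
    $_POST    = undo_magic_quotes($_POST);
    $_COOKIE  = undo_magic_quotes($_COOKIE);
    $_REQUEST = undo_magic_quotes($_REQUEST);
}

// Constructed sample: what $_POST looks like with magic quotes on.
$quoted = array('username' => "O\\'Brien", 'tags' => array('a\\\\b'));
$input  = undo_magic_quotes($quoted);

// In-memory SQLite stands in for the real database (assumes pdo_sqlite).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (username TEXT)');

// The value travels as a bound parameter, so no escaping function is needed
// and the stored text is the same whether magic quotes was on or off.
$insert = $db->prepare('INSERT INTO users (username) VALUES (:u)');
$insert->execute(array(':u' => $input['username']));

$stored = $db->query('SELECT username FROM users')->fetchColumn();
if ($stored !== "O'Brien") {
    throw new RuntimeException('stored value differs from the submitted one');
}
echo "stored: $stored\n";
```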