Friday, 5 May 2017

Best method of disabling php magic quotes without php.ini or .htaccess



I need to write portable code that will run on a shared server with magic_quotes_gpc enabled, and I am unable to change that in php.ini or .htaccess (the server is running PHP 5.2).



It seems there are numerous functions to strip slashes from all of the $_GET, $_POST, etc. superglobals, but I'm not sure which is the best. Also, some comments here seem to say that the keys also have slashes added, which need to be stripped as well. So should I use the one on the PHP website:



if (get_magic_quotes_gpc()) {
    $process = array(&$_GET, &$_POST, &$_COOKIE, &$_REQUEST);
    while (list($key, $val) = each($process)) {
        foreach ($val as $k => $v) {
            unset($process[$key][$k]);
            if (is_array($v)) {
                $process[$key][stripslashes($k)] = $v;
                $process[] = &$process[$key][stripslashes($k)];
            } else {
                $process[$key][stripslashes($k)] = stripslashes($v);
            }
        }
    }
    unset($process);
}


or something like this: (from this answer: PHP - Shorter Magic Quotes Solution)



function strip_slashes_recursive(&$value) {
    if (!is_array($value)) {
        $value = stripslashes($value);
    } else {
        foreach (array_keys($value) as $key) {
            // strip the nested value in place, then re-insert it under the stripped key
            strip_slashes_recursive($value[$key]);
            $arrayValue = $value[$key];
            unset($value[$key]);
            $value[stripslashes($key)] = $arrayValue;
        }
    }
}

foreach (array(&$_GET, &$_POST, &$_COOKIE, &$_REQUEST) as &$array) {
    strip_slashes_recursive($array);
}
// don't forget to unset references or it can lead to very nasty bugs
unset($array);


or even something like this:



if (get_magic_quotes_gpc()) {
    function undoMagicQuotes($array, $topLevel=true) {
        $newArray = array();
        foreach($array as $key => $value) {
            if (!$topLevel) {
                $key = stripslashes($key);
            }
            if (is_array($value)) {
                $newArray[$key] = undoMagicQuotes($value, false);
            }
            else {
                $newArray[$key] = stripslashes($value);
            }
        }
        return $newArray;
    }
    $_GET = undoMagicQuotes($_GET);
    $_POST = undoMagicQuotes($_POST);
    $_COOKIE = undoMagicQuotes($_COOKIE);
    $_REQUEST = undoMagicQuotes($_REQUEST);
}



Can someone explain the pros/cons of each approach and/or a totally different approach, how thorough they are, and whether they strip slashes from the key as well as the value?



(Also, is this method any good: PHP: how to (correctly) remove escaped quotes in arrays when Magic Quotes are ON)
(And it also seems like all of these methods are incomplete, as they don't strip slashes from all the affected superglobals: Which superglobals are affected by magic_quotes_gpc = 1?)


Answer



Here's another one mostly from PHP: how to (correctly) remove escaped quotes in arrays when Magic Quotes are ON but with my own changes:



if(function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
    function unMagicQuotify($array) {
        $fixed = array();
        foreach ($array as $key=>$val) {
            if (is_array($val)) {
                $fixed[stripslashes($key)] = unMagicQuotify($val);
            } else {
                $fixed[stripslashes($key)] = stripslashes($val);
            }
        }
        return $fixed;
    }

    $_GET = unMagicQuotify($_GET);
    $_POST = unMagicQuotify($_POST);
    $_COOKIE = unMagicQuotify($_COOKIE);
    $_REQUEST = unMagicQuotify($_REQUEST);
    $_FILES = unMagicQuotify($_FILES);
}


Pros

  • They work for both arrays and single variables
  • Does strip the key
  • Does not use references

Cons

  • May change the order of variables


Note the inclusion of $_FILES as magic quotes also affects it.
As for reading a file (file_get_contents) and/or using php://input I couldn't tell whether magic quotes affects them, but you would have to stripslashes() as and when you are reading them and would not be able to do something like this. I didn't manage to check $HTTP_RAW_POST_DATA but it isn't populated by default so things should be ok leaving it out.
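
The question asks how thorough each approach is and whether keys are stripped as well as values. The following is an added example, not code from the question or the answer, that checks this by escaping a constructed array and verifying the round trip. simulateMagicQuotes() and unquote() are hypothetical helper names, and escaping keys at every nesting level is an assumption about how the server behaves.

```php
<?php
// Added example, not from the original post. The helper names and the
// sample array are constructed for illustration.

// Assumption: magic_quotes_gpc escapes strings the way addslashes() does,
// and is applied here to string keys at every level as well as to values.
function simulateMagicQuotes(array $in) {
    $out = array();
    foreach ($in as $k => $v) {
        $k = is_string($k) ? addslashes($k) : $k;
        if (is_array($v)) {
            $out[$k] = simulateMagicQuotes($v);
        } else {
            $out[$k] = is_string($v) ? addslashes($v) : $v;
        }
    }
    return $out;
}

// Copy-based undo: rebuilds each array in its original order and only
// touches strings, so integers (e.g. an upload's error/size) keep their type.
function unquote($value, $stripKeys = true) {
    if (!is_array($value)) {
        return is_string($value) ? stripslashes($value) : $value;
    }
    $out = array();
    foreach ($value as $k => $v) {
        if ($stripKeys && is_string($k)) {
            $k = stripslashes($k);
        }
        $out[$k] = unquote($v, $stripKeys);
    }
    return $out;
}

// Constructed request data with quotes and backslashes in keys and values.
$original = array(
    'name'   => "O'Reilly",
    'path'   => 'C:\\temp\\file.txt',
    "it's"   => array('k"ey' => 'a "quoted" value', 0 => "x'y"),
    'upload' => array('error' => 0, 'size' => 1024),
);
$quoted = simulateMagicQuotes($original);

// Strict array comparison checks keys, values, types and order.
echo 'escaped name:    ', $quoted['name'], "\n";
echo 'keys and values: ', var_export(unquote($quoted) === $original, true), "\n";
echo 'values only:     ', var_export(unquote($quoted, false) === $original, true), "\n";
```

Swapping unquote() for any of the routines above and rerunning the comparison shows whether that routine restores keys, values, types and order.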

