>PHP: get_magic_quotes_gpc

DescripciÃ³n

int get_magic_quotes_gpc ( void )

Devuelve el valor actual de configuraciÃ³n de magic_quotes_gpc (0 si estÃ¡ deshabilitado, 1 de lo contrario).

Nota: Si la directiva magic_quotes_sybase se encuentra habilitada (ON), sobrescribirÃ¡ completamente magic_quotes_gpc. AsÃ que aun cuando get_magic_quotes_gpc() devuelve TRUE, ni las comillas dobles, ni las barras invertidas o caracteres NUL serÃ¡n escapados. SÃ³lo las comillas sencillas serÃ¡n escapadas. En este caso se verÃ¡n de este modo: ''

Tenga en cuenta que el parÃ¡metro magic_quotes_gpc no funcionarÃ¡ en tiempo de ejecuciÃ³n.

Ejemplo 1. Ejemplo de get_magic_quotes_gpc()

<?php echo get_magic_quotes_gpc(); // 1 echo $_POST['apellido']; // O\'reilly echo addslashes($_POST['apellido']); // O\\\'reilly if (!get_magic_quotes_gpc()) { $apellido = addslashes($_POST['apellido']); } else { $apellido = $_POST['apellido']; } echo $apellido; // O\'reilly $sql = "INSERT INTO apellidos (apellido) VALUES ('$apellido')"; ?>

Para mÃ¡s informaciÃ³n sobre magic_quotes, vea esta secciÃ³n de seguridad.

Vea tambiÃ©n addslashes(), stripslashes(), get_magic_quotes_runtime(), y ini_get().

add a note User Contributed Notes
get_magic_quotes_gpc

venimus at gmail dot com
11-Jul-2006 06:14


When you work with forms and databases you should use this concept:



1.When inserting the user input in DB escape $_POST/$_GET with add_slashes() or similar (to match the speciffic database escape rules)



$query='INSERT INTO users SET fullname="'.add_slashes($_POST['fullname']).'"';

insert_into_db($query);



2.When reading a previously submitted input from DB use html_special_chars to display an escaped result!



read_db_row('SELECT fullname FROM users');

echo '<input type="text" name="fullname" value="'.html_special_chars($db_row['fullname']).'" />



this way you safely store and work with the original(unescaped) data.

07-Feb-2006 04:56


All the code listed on this page is not necessary if you use the php_flag directive in a .htaccess file. This allows you to disable magic quotes completely, without the need to adjust your php.ini file or (re)process the user's input.



Just take a look at http://www.php.net/manual/en/http://indices.com.es/security.magicquotes.html#55935



Gist of his note: in the .htaccess file, add a line



php_flag magic_quotes_gpc off



That's it. Thank you very much, richard dot spindler :) !

eddie dot bishop at gmail dot com
29-Oct-2005 07:31


If you have inputs like this in a form:



<input type=hidden name="one[bl's]" value="stuff's" />

<input type=hidden name="bl's" value="val's" />



and you submit it, the NAMES of the variables will ALWAYS be magic-quoted, even if magic_quotes is OFF. However, the VALUES of the variables will be magic-quoted only if magic-quotes is turned on.



In the above case, even if magic quotes is off, your POST data will look something like this:



$_POST = array(

    one = array(

        bl\'s = stuff's

    ),

    bl\'s = val's

)



Notice how the values of the variables were not magic-quoted, but the NAMES of the variables were quoted.

    

Tested in PHP 5.0.4, Windows NT 5.1 build 2600

php at kaiundina dot de
02-Feb-2005 04:18


Escaping of key-strings in GPC-arrays behave different to the escaping of their values.



First I expected that keys in submitted gpc-arrays are never escaped.

Anyway. After I saw escaped keys, I assumed they're escaped according to the settings of magic quotes.

... it's even worse...



It took me over 2 days of testing to figure out the exact behavior and creating two functions (one for each php-version) that strips slashes reliably from any array submitted to a script. Hope this saves someones time and nerves.



The following is true for $_GET- and $_POST-arrays. I hope other arrays affected by magic quotes behave equally.

I did not test the behavior for cases where magic_quotes_sybase is set.



== legend for possible case combinations ==

Px = php version we're using

    P4 = php 4.3.9

    P5 = php 5.0.2



MQ = MagicQuotes GPC

    +MQ = magic quotes enabled

    -MQ = magic quotes disabled



TL = TopLevel key

    +TL = key is on top level (i.e. $_GET['myKey'])

    -TL = key is nested within another array (i.e. $_GET['myList']['myKey'])



AK = ArrayKey

    +AK = the value of the key is another array (i.e. is_array($_GET['myKey']) == true)

    -AK = the value is a normal string (i.e. is_string($_GET['myKey']) == true)



== legend for possible results ==

KE = KeyEscaping

    +KE = control chars are prefixed with a backslash

    -KE = key is returned as submitted and needn't to be stripped



VE = ValueEscaping (doesn't apply for array as value)

    +VE = control chars are prefixed with a backslash

    -VE = value is returned as submitted and needn't to be stripped



== here we go - the following rules apply ==

 1) P4 +MQ +AK +TL --> -KE

 2) P4 +MQ +AK -TL --> +KE

 3) P4 +MQ -AK +TL --> -KE +VE

 4) P4 +MQ -AK -TL --> +KE +VE

 5) P4 -MQ +AK +TL --> -KE

 6) P4 -MQ +AK -TL --> -KE

 7) P4 -MQ -AK +TL --> -KE -VE

 8) P4 -MQ -AK -TL --> -KE -VE

 9) P5 +MQ +AK +TL --> -KE

10) P5 +MQ +AK -TL --> +KE

11) P5 +MQ -AK +TL --> +KE +VE

12) P5 +MQ -AK -TL --> +KE +VE

13) P5 -MQ +AK +TL --> -KE

14) P5 -MQ +AK -TL --> -KE

15) P5 -MQ -AK +TL --> +KE -VE

16) P5 -MQ -AK -TL --> +KE -VE

17) The chars '.', ' ' are always replaced by '_' when used in keys.



Example (rule 15):

When running under php 5.0.2 having magic quotes disabled, gpc-keys on top level containing strings are escaped while their associated values are not.



== The following function will strip GPC-arrays for php 4.3.9 ==

function transcribe($aList, $aIsTopLevel = true) {

    $gpcList = array();

    $isMagic = get_magic_quotes_gpc();

    

    foreach ($aList as $key => $value) {

        $decodedKey = ($isMagic && !$aIsTopLevel)?stripslashes($key):$key;

        if (is_array($value)) {

            $decodedValue = transcribe($value, false);

        } else {

            $decodedValue = ($isMagic)?stripslashes($value):$value;

        }

        $gpcList[$decodedKey] = $decodedValue;

    }

    return $gpcList;

}



== The following function will strip GPC-arrays for php 5.0.2 ==

function transcribe($aList, $aIsTopLevel = true) {

    $gpcList = array();

    $isMagic = get_magic_quotes_gpc();

    

    foreach ($aList as $key => $value) {

        if (is_array($value)) {

            $decodedKey = ($isMagic && !$aIsTopLevel)?stripslashes($key):$key;

            $decodedValue = transcribe($value, false);

        } else {

            $decodedKey = stripslashes($key);

            $decodedValue = ($isMagic)?stripslashes($value):$value;

        }

        $gpcList[$decodedKey] = $decodedValue;

    }

    return $gpcList;

}



Usage:

$unstrippedGET = transcribe($_GET);

$unstrippedPOST = transcribe($_POST);



Maybe someone is willing to test those combinations for other php-versions and with magic_quotes_sybase set to 'on' - let me know.

Sorry for this huge amount of text, but its complete. I was unable to compress the the decision table more than this.

stpierre-at-spamsucks.nebrwesleyan.edu
14-Jan-2005 08:51


I've found that, when working with Oracle (9i at least), you'll want to turn on magic_quotes_sybase.  I've read elsewhere that others have had the same experience.

eltehaem at poczta dot onet dot pl
26-Nov-2004 02:58


Please note, that when magic_quotes_gpc is set not only $_POST, $_GET, $_REQUEST, $_COOKIE arrays values are slashed. Actually every string value in $GLOBALS array is slashed, ie. $GLOBALS['_SERVER']['PATH_INFO'] (or $_SERVER['PATH_INFO']).

add a note

MANUAL DE PHP

windsurf mercedes camper

get_magic_quotes_gpc

DescripciÃ³n