get_magic_quotes_gpc

(PHP 3 >= 3.0.6, PHP 4, PHP 5)

get_magic_quotes_gpc --  Gets the current configuration setting of magic quotes gpc

Description

int get_magic_quotes_gpc ( void )

Returns the current configuration setting of magic_quotes_gpc (0 for off, 1 for on).

注: If the directive magic_quotes_sybase is ON it will completely override magic_quotes_gpc. So even when get_magic_quotes_gpc() returns TRUE neither double quotes, backslashes or NUL's will be escaped. Only single quotes will be escaped. In this case they'll look like: ''

Keep in mind that the setting magic_quotes_gpc will not work at runtime.

例子 1. get_magic_quotes_gpc() example

<?php
echo get_magic_quotes_gpc();         // 1
echo $_POST['lastname'];             // O\'reilly
echo addslashes($_POST['lastname']); // O\\\'reilly

if (!get_magic_quotes_gpc()) {
    
$lastname = addslashes($_POST['lastname']);
} else {
    
$lastname = $_POST['lastname'];
}

echo
$lastname; // O\'reilly
$sql = "INSERT INTO lastnames (lastname) VALUES ('$lastname')";
?>

For more information about magic_quotes, see this security section.

See also addslashes(), stripslashes(), get_magic_quotes_runtime(), and ini_get().


add a note add a note User Contributed Notes
venimus at gmail dot com
11-Jul-2006 09:14
When you work with forms and databases you should use this concept:

1.When inserting the user input in DB escape $_POST/$_GET with add_slashes() or similar (to match the speciffic database escape rules)

$query='INSERT INTO users SET fullname="'.add_slashes($_POST['fullname']).'"';
insert_into_db($query);

2.When reading a previously submitted input from DB use html_special_chars to display an escaped result!

read_db_row('SELECT fullname FROM users');
echo '<input type="text" name="fullname" value="'.html_special_chars($db_row['fullname']).'" />

this way you safely store and work with the original(unescaped) data.
07-Feb-2006 08:56
All the code listed on this page is not necessary if you use the php_flag directive in a .htaccess file. This allows you to disable magic quotes completely, without the need to adjust your php.ini file or (re)process the user's input.

Just take a look at http://www.php.net/manual/en/security.magicquotes.php#55935

Gist of his note: in the .htaccess file, add a line

php_flag magic_quotes_gpc off

That's it. Thank you very much, richard dot spindler :) !
eddie dot bishop at gmail dot com
29-Oct-2005 10:31
If you have inputs like this in a form:

<input type=hidden name="one[bl's]" value="stuff's" />
<input type=hidden name="bl's" value="val's" />

and you submit it, the NAMES of the variables will ALWAYS be magic-quoted, even if magic_quotes is OFF. However, the VALUES of the variables will be magic-quoted only if magic-quotes is turned on.

In the above case, even if magic quotes is off, your POST data will look something like this:

$_POST = array(
   one = array(
       bl\'s = stuff's
   ),
   bl\'s = val's
)

Notice how the values of the variables were not magic-quoted, but the NAMES of the variables were quoted.
  
Tested in PHP 5.0.4, Windows NT 5.1 build 2600
php at kaiundina dot de
03-Feb-2005 08:18
Escaping of key-strings in GPC-arrays behave different to the escaping of their values.

First I expected that keys in submitted gpc-arrays are never escaped.
Anyway. After I saw escaped keys, I assumed they're escaped according to the settings of magic quotes.
... it's even worse...

It took me over 2 days of testing to figure out the exact behavior and creating two functions (one for each php-version) that strips slashes reliably from any array submitted to a script. Hope this saves someones time and nerves.

The following is true for $_GET- and $_POST-arrays. I hope other arrays affected by magic quotes behave equally.
I did not test the behavior for cases where magic_quotes_sybase is set.

== legend for possible case combinations ==
Px = php version we're using
   P4 = php 4.3.9
   P5 = php 5.0.2

MQ = MagicQuotes GPC
   +MQ = magic quotes enabled
   -MQ = magic quotes disabled

TL = TopLevel key
   +TL = key is on top level (i.e. $_GET['myKey'])
   -TL = key is nested within another array (i.e. $_GET['myList']['myKey'])

AK = ArrayKey
   +AK = the value of the key is another array (i.e. is_array($_GET['myKey']) == true)
   -AK = the value is a normal string (i.e. is_string($_GET['myKey']) == true)

== legend for possible results ==
KE = KeyEscaping
   +KE = control chars are prefixed with a backslash
   -KE = key is returned as submitted and needn't to be stripped

VE = ValueEscaping (doesn't apply for array as value)
   +VE = control chars are prefixed with a backslash
   -VE = value is returned as submitted and needn't to be stripped

== here we go - the following rules apply ==
 1) P4 +MQ +AK +TL --> -KE
 2) P4 +MQ +AK -TL --> +KE
 3) P4 +MQ -AK +TL --> -KE +VE
 4) P4 +MQ -AK -TL --> +KE +VE
 5) P4 -MQ +AK +TL --> -KE
 6) P4 -MQ +AK -TL --> -KE
 7) P4 -MQ -AK +TL --> -KE -VE
 8) P4 -MQ -AK -TL --> -KE -VE
 9) P5 +MQ +AK +TL --> -KE
10) P5 +MQ +AK -TL --> +KE
11) P5 +MQ -AK +TL --> +KE +VE
12) P5 +MQ -AK -TL --> +KE +VE
13) P5 -MQ +AK +TL --> -KE
14) P5 -MQ +AK -TL --> -KE
15) P5 -MQ -AK +TL --> +KE -VE
16) P5 -MQ -AK -TL --> +KE -VE
17) The chars '.', ' ' are always replaced by '_' when used in keys.

Example (rule 15):
When running under php 5.0.2 having magic quotes disabled, gpc-keys on top level containing strings are escaped while their associated values are not.

== The following function will strip GPC-arrays for php 4.3.9 ==
function transcribe($aList, $aIsTopLevel = true) {
   $gpcList = array();
   $isMagic = get_magic_quotes_gpc();
  
   foreach ($aList as $key => $value) {
       $decodedKey = ($isMagic && !$aIsTopLevel)?stripslashes($key):$key;
       if (is_array($value)) {
           $decodedValue = transcribe($value, false);
       } else {
           $decodedValue = ($isMagic)?stripslashes($value):$value;
       }
       $gpcList[$decodedKey] = $decodedValue;
   }
   return $gpcList;
}

== The following function will strip GPC-arrays for php 5.0.2 ==
function transcribe($aList, $aIsTopLevel = true) {
   $gpcList = array();
   $isMagic = get_magic_quotes_gpc();
  
   foreach ($aList as $key => $value) {
       if (is_array($value)) {
           $decodedKey = ($isMagic && !$aIsTopLevel)?stripslashes($key):$key;
           $decodedValue = transcribe($value, false);
       } else {
           $decodedKey = stripslashes($key);
           $decodedValue = ($isMagic)?stripslashes($value):$value;
       }
       $gpcList[$decodedKey] = $decodedValue;
   }
   return $gpcList;
}

Usage:
$unstrippedGET = transcribe($_GET);
$unstrippedPOST = transcribe($_POST);

Maybe someone is willing to test those combinations for other php-versions and with magic_quotes_sybase set to 'on' - let me know.
Sorry for this huge amount of text, but its complete. I was unable to compress the the decision table more than this.
stpierre-at-spamsucks.nebrwesleyan.edu
15-Jan-2005 12:51
I've found that, when working with Oracle (9i at least), you'll want to turn on magic_quotes_sybase.  I've read elsewhere that others have had the same experience.
eltehaem at poczta dot onet dot pl
27-Nov-2004 06:58
Please note, that when magic_quotes_gpc is set not only $_POST, $_GET, $_REQUEST, $_COOKIE arrays values are slashed. Actually every string value in $GLOBALS array is slashed, ie. $GLOBALS['_SERVER']['PATH_INFO'] (or $_SERVER['PATH_INFO']).