get_magic_quotes_gpc

Please note, that when magic_quotes_gpc is set not only $_POST, $_GET, $_REQUEST, $_COOKIE arrays values are slashed. Actually every string value in $GLOBALS array is slashed, ie. $GLOBALS['_SERVER']['PATH_INFO'] (or $_SERVER['PATH_INFO']).

Here's what I came up with to remove magic quotes from request data.Replaces two single-quotes with one if magic_quotes_sybase are on, otherwise it just strips slashes.Note that the `foreach` style makes this work only with PHP 5 and above.<?php// Strip magic quotes from request data.if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {    // Create lamba style unescaping function (for portability)    $quotes_sybase = strtolower(ini_get('magic_quotes_sybase'));    $unescape_function = (empty($quotes_sybase) || $quotes_sybase === 'off') ? 'stripslashes($value)' : 'str_replace("\'\'","\'",$value)';    $stripslashes_deep = create_function('&$value, $fn', '        if (is_string($value)) {            $value = ' . $unescape_function . ';        } else if (is_array($value)) {            foreach ($value as &$v) $fn($v, $fn);        }    ');        // Unescape data    $stripslashes_deep($_POST, $stripslashes_deep);    $stripslashes_deep($_GET, $stripslashes_deep);    $stripslashes_deep($_COOKIE, $stripslashes_deep);    $stripslashes_deep($_REQUEST, $stripslashes_deep);}?>

Re: php at kaiundina dot de (03-Feb-2005 02:18)1. magic_quotes_gpc=on/off and magic_quotes_sybase=on/offI made test and your function worked right. These were the <input ... /> names I used:name="a"name="b.b b\b"name="c[c.1]"name="c[c 2]"name="c[c\3]"name="c.c c[c.' 4]"name="c ' c[c&quot;4]"name="d&quot;[d&quot;1]"(I used &quot; because I don't know other way to put " into the name)and the user-input value:a ' " \ \' \" \\ a2. > 17) The chars '.', ' ' are always replaced by '_' when used in keys.This is true only for the top-level keys, such as "b.b b\b", "c.c c" and "c ' c" above. The second-level key "[c.' 4]" was not changed to [c_'_4] but was escaped acording to how magic_quites_XXX are set.Tested on PHP 4.4.0.These magic_quotes are really black magic :(It'll be good to make test against $_SESSION, but I can't do it today.

Escaping of key-strings in GPC-arrays behave different to the escaping of their values.

First I expected that keys in submitted gpc-arrays are never escaped.
Anyway. After I saw escaped keys, I assumed they're escaped according to the settings of magic quotes.
... it's even worse...

It took me over 2 days of testing to figure out the exact behavior and creating two functions (one for each php-version) that strips slashes reliably from any array submitted to a script. Hope this saves someones time and nerves.

The following is true for $_GET- and $_POST-arrays. I hope other arrays affected by magic quotes behave equally.
I did not test the behavior for cases where magic_quotes_sybase is set.

== legend for possible case combinations ==
Px = php version we're using
    P4 = php 4.3.9
    P5 = php 5.0.2

MQ = MagicQuotes GPC
    +MQ = magic quotes enabled
    -MQ = magic quotes disabled

TL = TopLevel key
    +TL = key is on top level (i.e. $_GET['myKey'])
    -TL = key is nested within another array (i.e. $_GET['myList']['myKey'])

AK = ArrayKey
    +AK = the value of the key is another array (i.e. is_array($_GET['myKey']) == true)
    -AK = the value is a normal string (i.e. is_string($_GET['myKey']) == true)

== legend for possible results ==
KE = KeyEscaping
    +KE = control chars are prefixed with a backslash
    -KE = key is returned as submitted and needn't to be stripped

VE = ValueEscaping (doesn't apply for array as value)
    +VE = control chars are prefixed with a backslash
    -VE = value is returned as submitted and needn't to be stripped

== here we go - the following rules apply ==
 1) P4 +MQ +AK +TL --> -KE
 2) P4 +MQ +AK -TL --> +KE
 3) P4 +MQ -AK +TL --> -KE +VE
 4) P4 +MQ -AK -TL --> +KE +VE
 5) P4 -MQ +AK +TL --> -KE
 6) P4 -MQ +AK -TL --> -KE
 7) P4 -MQ -AK +TL --> -KE -VE
 8) P4 -MQ -AK -TL --> -KE -VE
 9) P5 +MQ +AK +TL --> -KE
10) P5 +MQ +AK -TL --> +KE
11) P5 +MQ -AK +TL --> +KE +VE
12) P5 +MQ -AK -TL --> +KE +VE
13) P5 -MQ +AK +TL --> -KE
14) P5 -MQ +AK -TL --> -KE
15) P5 -MQ -AK +TL --> +KE -VE
16) P5 -MQ -AK -TL --> +KE -VE
17) The chars '.', ' ' are always replaced by '_' when used in keys.

Example (rule 15):
When running under php 5.0.2 having magic quotes disabled, gpc-keys on top level containing strings are escaped while their associated values are not.

== The following function will strip GPC-arrays for php 4.3.9 ==

<?php
function transcribe($aList, $aIsTopLevel = true) {
    $gpcList = array();
    $isMagic = get_magic_quotes_gpc();
    
    foreach ($aList as $key => $value) {
        $decodedKey = ($isMagic && !$aIsTopLevel)?stripslashes($key):$key;
        if (is_array($value)) {
            $decodedValue = transcribe($value, false);
        } else {
            $decodedValue = ($isMagic)?stripslashes($value):$value;
        }
        $gpcList[$decodedKey] = $decodedValue;
    }
    return $gpcList;
}
?>


== The following function will strip GPC-arrays for php 5.0.2 ==
<?php
function transcribe($aList, $aIsTopLevel = true) {
    $gpcList = array();
    $isMagic = get_magic_quotes_gpc();
    
    foreach ($aList as $key => $value) {
        if (is_array($value)) {
            $decodedKey = ($isMagic && !$aIsTopLevel)?stripslashes($key):$key;
            $decodedValue = transcribe($value, false);
        } else {
            $decodedKey = stripslashes($key);
            $decodedValue = ($isMagic)?stripslashes($value):$value;
        }
        $gpcList[$decodedKey] = $decodedValue;
    }
    return $gpcList;
}
?>

Usage:

<?php
$unstrippedGET = transcribe($_GET);
$unstrippedPOST = transcribe($_POST);
?>

Maybe someone is willing to test those combinations for other php-versions and with magic_quotes_sybase set to 'on' - let me know.
Sorry for this huge amount of text, but it's complete. I was unable to compress the decision table more than this.

<?php
function stripper($stringvar){
    if (1 == get_magic_quotes_gpc()){
        $stringvar = stripslashes($stringvar);
    }
    return $stringvar;
}
?>

Usage:

<?php
$Body = stripper($rs->fields('Body'));
echo($Body);
?>

This checks if get_magic_quotes_gpc() is on and strips a string variable for output if its on. Useful if the dev server and live server are set up different.

@ dot dot dot dot dot alexander at gmail dot com

I suggest replacing foreach by "stripslashes_deep":

Example #2 Using stripslashes() on an array on 
<http://www.php.net/manual/en/function.stripslashes.php>:

<?php
function stripslashes_deep($value)
{
    $value = is_array($value) ?
                array_map('stripslashes_deep', $value) :
                stripslashes($value);

    return $value;
}
?>

This gives:

<?php
if((function_exists("get_magic_quotes_gpc") && get_magic_quotes_gpc())    || (ini_get('magic_quotes_sybase') && (strtolower(ini_get('magic_quotes_sybase'))!="off")) ){
    stripslashes_deep($_GET);
    stripslashes_deep($_POST);
    stripslashes_deep($_COOKIE);
}
?>

When you work with forms and databases you should use this concept:1.When inserting the user input in DB escape $_POST/$_GET with add_slashes() or similar (to match the speciffic database escape rules)$query='INSERT INTO users SET fullname="'.add_slashes($_POST['fullname']).'"';insert_into_db($query);2.When reading a previously submitted input from DB use html_special_chars to display an escaped result!read_db_row('SELECT fullname FROM users');echo '<input type="text" name="fullname" value="'.html_special_chars($db_row['fullname']).'" />this way you safely store and work with the original(unescaped) data.

Just a little correction:( Because of the ini_get function that may return a string value of "off" that evaluates to TRUE )<?php        if(               (  function_exists("get_magic_quotes_gpc") && get_magic_quotes_gpc()  )             || (  ini_get('magic_quotes_sybase') && ( strtolower(ini_get('magic_quotes_sybase')) != "off" )  )           ){            foreach($_GET as $k => $v) $_GET[$k] = stripslashes($v);            foreach($_POST as $k => $v) $_POST[$k] = stripslashes($v);            foreach($_COOKIE as $k => $v) $_COOKIE[$k] = stripslashes($v);        }?>

> "If the directive magic_quotes_sybase is ON it will completely override magic_quotes_gpc."This "note" is a bit misleading. magic_quotes_sybase will only override the escaping method used on Get/Post/Cookie data if magic_quotes_gpc is already enabled. If magic_quotes_gpc is not enabled then magic_quotes_sybase will have no effect here.A few of the other comments are therefore incorrect in determining when to "stripslashes" from the input, by "stripping slashes" when either magic_quotes_gpc OR magic_quotes_sybase is enabled. You should only stripslashes() when magic_quotes_gpc is enabled since that is the only time when slashes are automatically added.stripslashes() is also magic_quotes_sybase aware, so you don't need to do anything special (ie. write a custom function to handle this situation as another comment suggests) when magic_quotes_sybase is enabled. When magic_quotes_sybase is enabled, stripslashes() does not actually strip any slashes, but instead unescapes single-quotes that are escaped with single-quotes only.magic_quotes_sybase does however influence the escaping (and unescaping) method used by addslashes() and stripslashes() respectively, regardless of whether magic_quotes_gpc (or magic_quotes_runtime) is enabled.