get_magic_quotes_gpc — Gets the current configuration setting of magic_quotes_gpc
This function has beenDEPRECATED as of PHP 7.4.0, and REMOVED as of PHP 8.0.0. Relying on this functionis highly discouraged.Description
get_magic_quotes_gpc(): boolParameters
This function has no parameters.Return Values
Always returns false.ChangelogVersionDescription7.4.0This function has been deprecated.
heiko dot richler at informatik dot fh-nuernberg dot de ¶
@ dot dot dot dot dot alexander at gmail dot com
I suggest replacing foreach by "stripslashes_deep":
Example #2 Using stripslashes() on an array on
<:" rel="nofollow" target="_blank">http://www.php.net/manual/en/function.stripslashes.php>:
function stripslashes_deep($value)
{
$value = is_array($value) ?
array_map('stripslashes_deep', $value) :
stripslashes($value);
return $value;
}
?>
This gives:
if((function_exists("get_magic_quotes_gpc") && get_magic_quotes_gpc()) || (ini_get('magic_quotes_sybase') && (strtolower(ini_get('magic_quotes_sybase'))!="off")) ){
stripslashes_deep($_GET);
stripslashes_deep($_POST);
stripslashes_deep($_COOKIE);
}
?>
eltehaem at poczta dot onet dot pl ¶
Please note, that when magic_quotes_gpc is set not only $_POST, $_GET, $_REQUEST, $_COOKIE arrays values are slashed. Actually every string value in $GLOBALS array is slashed, ie. $GLOBALS['_SERVER']['PATH_INFO'] (or $_SERVER['PATH_INFO']).
slonmron_no_spam_please_ at yahoo dot com ¶
Re: php at kaiundina dot de (03-Feb-2005 02:18)
1. magic_quotes_gpc=on/off and magic_quotes_sybase=on/off
I made test and your function worked right. These were the names I used:name="a"name="b.b b\b"name="c[c.1]"name="c[c 2]"name="c[c\3]"name="c.c c[c.' 4]"name="c ' c[c"4]"name="d"[d"1]"
(I used " because I don't know other way to put " into the name)
and the user-input value:a ' " \ \' \" \\ a
2. > 17) The chars '.', ' ' are always replaced by '_' when used in keys.
This is true only for the top-level keys, such as "b.b b\b", "c.c c" and "c ' c" above. The second-level key "[c.' 4]" was not changed to [c_'_4] but was escaped acording to how magic_quites_XXX are set.
These magic_quotes are really black magic :(
It'll be good to make test against $_SESSION, but I can't do it today.
Here's what I came up with to remove magic quotes from request data.
Replaces two single-quotes with one if magic_quotes_sybase are on, otherwise it just strips slashes.
Note that the `foreach` style makes this work only with PHP 5 and above.
louis at greynoise dot co dot uk ¶
function stripper($stringvar){
if (1 == get_magic_quotes_gpc()){
$stringvar = stripslashes($stringvar);
}
return $stringvar;
}
?>
Usage:
$Body = stripper($rs->fields('Body'));
echo($Body);
?>
This checks if get_magic_quotes_gpc() is on and strips a string variable for output if its on. Useful if the dev server and live server are set up different.
Escaping of key-strings in GPC-arrays behave different to the escaping of their values.
First I expected that keys in submitted gpc-arrays are never escaped.
Anyway. After I saw escaped keys, I assumed they're escaped according to the settings of magic quotes.
... it's even worse...
It took me over 2 days of testing to figure out the exact behavior and creating two functions (one for each php-version) that strips slashes reliably from any array submitted to a script. Hope this saves someones time and nerves.
The following is true for $_GET- and $_POST-arrays. I hope other arrays affected by magic quotes behave equally.
I did not test the behavior for cases where magic_quotes_sybase is set.
== legend for possible case combinations ==
Px = php version we're using
P4 = php 4.3.9
P5 = php 5.0.2
MQ = MagicQuotes GPC
+MQ = magic quotes enabled
-MQ = magic quotes disabled
TL = TopLevel key
+TL = key is on top level (i.e. $_GET['myKey'])
-TL = key is nested within another array (i.e. $_GET['myList']['myKey'])
AK = ArrayKey
+AK = the value of the key is another array (i.e. is_array($_GET['myKey']) == true)
-AK = the value is a normal string (i.e. is_string($_GET['myKey']) == true)
== legend for possible results ==
KE = KeyEscaping
+KE = control chars are prefixed with a backslash
-KE = key is returned as submitted and needn't to be stripped
VE = ValueEscaping (doesn't apply for array as value)
+VE = control chars are prefixed with a backslash
-VE = value is returned as submitted and needn't to be stripped
== here we go - the following rules apply ==
1) P4 +MQ +AK +TL --> -KE
2) P4 +MQ +AK -TL --> +KE
3) P4 +MQ -AK +TL --> -KE +VE
4) P4 +MQ -AK -TL --> +KE +VE
5) P4 -MQ +AK +TL --> -KE
6) P4 -MQ +AK -TL --> -KE
7) P4 -MQ -AK +TL --> -KE -VE
8) P4 -MQ -AK -TL --> -KE -VE
9) P5 +MQ +AK +TL --> -KE
10) P5 +MQ +AK -TL --> +KE
11) P5 +MQ -AK +TL --> +KE +VE
12) P5 +MQ -AK -TL --> +KE +VE
13) P5 -MQ +AK +TL --> -KE
14) P5 -MQ +AK -TL --> -KE
15) P5 -MQ -AK +TL --> +KE -VE
16) P5 -MQ -AK -TL --> +KE -VE
17) The chars '.', ' ' are always replaced by '_' when used in keys.
Example (rule 15):
When running under php 5.0.2 having magic quotes disabled, gpc-keys on top level containing strings are escaped while their associated values are not.
== The following function will strip GPC-arrays for php 4.3.9 ==
function transcribe($aList, $aIsTopLevel = true) {
$gpcList = array();
$isMagic = get_magic_quotes_gpc();
foreach ($aList as $key => $value) {
$decodedKey = ($isMagic && !$aIsTopLevel)?stripslashes($key):$key;
if (is_array($value)) {
$decodedValue = transcribe($value, false);
} else {
$decodedValue = ($isMagic)?stripslashes($value):$value;
}
$gpcList[$decodedKey] = $decodedValue;
}
return $gpcList;
}
?>
Tidak ada komentar:
Posting Komentar