By looking at the name of this directive one may think that magic_quotes are only applied to $_GET, $_POST and $_COOKIE superglobals but there is one perturbing comment on the PHP Manual:

Please note, that when magic_quotes_gpc is set not only $_POST, $_GET, $_REQUEST, $_COOKIE arrays values are slashed. Actually every string value in $GLOBALS array is slashed, i.e. $GLOBALS['_SERVER']['PATH_INFO'] (or $_SERVER['PATH_INFO']).

Can anyone confirm that this is true? Are the superglobals $GLOBALS, $_SERVER, $_FILES, $_SESSION and $_ENV affected as well?

One more question, if I iterate stripslashes() over the $_GET, $_POST and $_COOKIE arrays do I also need to iterate through the $_REQUEST array? Or are the changes automatically reflected?

+1  A: 

I've run some tests on LightTPD 1.4.20 and PHP 5.3.0 with magic_quotes_gpc = On and $_SERVER wasn't altered (at least [SERVER_NAME] => local'host didn't). $_SESSION also isn't affected by magic_quotes.

$_GET, $_POST, $_COOKIE and $_REQUEST were affected (and their $GLOBALS counterparts).

Also, the changes in the GPC superglobals aren't automatically reflected in $_REQUEST.

As for the $_FILES and $_ENV superglobals I'm not able to test them ATM.

Alix Axel
This example (http://pt.php.net/manual/en/security.magicquotes.disabling.php) in the PHP Manual suggests I got it right.
Alix Axel
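The point made in this answer, that stripping $_GET, $_POST and $_COOKIE leaves $_REQUEST untouched, is easy to get wrong in a cleanup routine. The following is an added example (not code from the thread, the PHP manual or either poster) of a recursive unslash that is only applied when magic_quotes_gpc is actually on and that handles $_REQUEST explicitly. The sample input is constructed to stand in for what magic_quotes_gpc would have produced from `?name=O'Reilly&tags[]=a"b`; the `function_exists()` guard is there because `get_magic_quotes_gpc()` no longer exists in PHP 8.

```php
<?php
// Added example: undo magic_quotes_gpc on the request superglobals,
// but only when it is actually enabled.

function stripslashes_deep($value)
{
    if (!is_array($value)) {
        return stripslashes($value);
    }
    $clean = array();
    foreach ($value as $k => $v) {
        // Nested arrays (form[field][]) are handled recursively; string keys
        // are unslashed too, as the manual's own example does.
        $clean[is_string($k) ? stripslashes($k) : $k] = stripslashes_deep($v);
    }
    return $clean;
}

function undo_magic_quotes()
{
    // get_magic_quotes_gpc() was deprecated in 7.4 and removed in 8.0.
    if (!function_exists('get_magic_quotes_gpc') || !get_magic_quotes_gpc()) {
        return false; // nothing to undo
    }
    $_GET    = stripslashes_deep($_GET);
    $_POST   = stripslashes_deep($_POST);
    $_COOKIE = stripslashes_deep($_COOKIE);
    // $_REQUEST is a separate copy: changing the three arrays above does not
    // change it, so it must be stripped on its own.
    $_REQUEST = stripslashes_deep($_REQUEST);
    return true;
}

// Constructed sample input (not a real request): what magic_quotes_gpc
// would have made of  ?name=O'Reilly&tags[]=a"b
$slashed = array('name' => "O\\'Reilly", 'tags' => array("a\\\"b"));
var_dump(stripslashes_deep($slashed));

// In a real script, call this once at the very start, before any input is read:
undo_magic_quotes();
```

Run `undo_magic_quotes()` before anything reads request data; if an include has already copied a slashed value elsewhere, that copy will not be fixed.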
+1  A: 

Either way, I'd advise you not to rely on GPC as it has been deprecated in newer PHP versions...

It may not be too relevant to your question, but on the raised issue of SQL security alternatives, I usually use prepared statements + mysql_real_escape_string for MySQL.

To make it close to perfect it involves a couple of functions, as it also should support integer, boolean and null values, but you can take a look at the source code of the Database and Database_mysql classes in NaturePhp.

Trouts
I'm not relying on magic_quotes, I'm just working around them **iff** magic_quotes_gpc exists **and** is on. You got it wrong on NaturePHP (you assume every variable passed is coming from GPCR) but it's a nice project nonetheless, congrats. =)
Alix Axel
Thanks, I'll check it out and correct it for the next version :)
Trouts
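This answer mentions prepared statements that also handle integer, boolean and null values. As an added example (not NaturePhp's code and not from either poster), here is how that looks with PDO: the values are sent separately from the SQL text, so they need neither magic_quotes nor mysql_real_escape_string(). The table and column names, the DSN and the credentials are placeholders assumed for illustration.

```php
<?php
// Added example: typed parameter binding with PDO prepared statements.

function pdo_type_for($value)
{
    // Map PHP scalars to PDO parameter types so integers, booleans and
    // nulls reach the server as such instead of being coerced to strings.
    if (is_null($value)) {
        return PDO::PARAM_NULL;
    }
    if (is_bool($value)) {
        return PDO::PARAM_BOOL;
    }
    if (is_int($value)) {
        return PDO::PARAM_INT;
    }
    return PDO::PARAM_STR;
}

function fetch_users(PDO $db, $name, $active)
{
    // Placeholder table/column names; the SQL text contains no user data.
    $stmt = $db->prepare(
        'SELECT id, name FROM users WHERE name = :name AND active = :active'
    );
    $stmt->bindValue(':name', $name, pdo_type_for($name));
    $stmt->bindValue(':active', $active, pdo_type_for($active));
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Usage (connection details are assumed placeholders):
// $db = new PDO('mysql:host=localhost;dbname=app', 'user', 'pass', array(
//     // Use server-side prepares rather than client-side emulation.
//     PDO::ATTR_EMULATE_PREPARES => false,
//     PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
// ));
// $rows = fetch_users($db, $_GET['name'], true);
```

With ATTR_EMULATE_PREPARES disabled the MySQL driver sends the statement and the parameters separately, which is what makes the binding a structural defence rather than string escaping.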