How can I disable PHP magic quotes at runtime?

Question

I'm writing a set of PHP scripts that'll be run in some different setups, some of them shared hosting with magic quotes on (the horror). Without the ability to control PHP or Apache configuration, can I do anything in my scripts to disable PHP quotes at runtime?

It'd be better if the code didn't assume magic quotes are on, so that I can use the same scripts on different hosts that might or might not have magic quotes.

Answer 1

Only magic_quoted_runtime can be disabled at runtime. But magic_quotes_gpc can’t be disabled at runtime (PHP_INI_ALL changable until PHP 4.2.3, since then PHP_INI_PERDIR). You could just remove them:

if (get_magic_quotes_gpc()) {
    function stripslashes_deep($value)
    {
        $value = is_array($value) ?
                    array_map('stripslashes_deep', $value) :
                    stripslashes($value);

        return $value;
    }

    $_POST = array_map('stripslashes_deep', $_POST);
    $_GET = array_map('stripslashes_deep', $_GET);
    $_COOKIE = array_map('stripslashes_deep', $_COOKIE);
    $_REQUEST = array_map('stripslashes_deep', $_REQUEST);
}

For further information see Disabling Magic Quotes.

Answer 2

It cannot be done at runtime :(

Answer 3

Magic quotes cannot be disabled at runtime, but you can use a .htaccess file in the directory to disable it.

php_flag magic_quotes_gpc off

The only real advantage this has is you can put it once in a directory and it works for the whole directory and subdirectories. Really nice if you need this for an application you didn't write and need to get it to work without magic quotes.

Answer 4

I have a little script for this similar to Gumbo's (but of course I like mine better :):

if(function_exists('get_magic_quotes_runtime') && get_magic_quotes_runtime())
    set_magic_quotes_runtime(false);

if(get_magic_quotes_gpc()) {
    array_stripslashes($_POST);
    array_stripslashes($_GET);
    array_stripslashes($_COOKIES);
}

function array_stripslashes(&$array) {
    if(is_array($array))
        while(list($key) = each($array))
            if(is_array($array[$key]))
                array_stripslashes($array[$key]);
            else
                $array[$key] = stripslashes($array[$key]);
}

Answer 5

Another solution for PHP 5.3+:

if (get_magic_quotes_gpc() === 1)
{
    $_GET = json_decode(stripslashes(json_encode($_GET, JSON_HEX_APOS)), true);
    $_POST = json_decode(stripslashes(json_encode($_POST, JSON_HEX_APOS)), true);
    $_COOKIE = json_decode(stripslashes(json_encode($_COOKIE, JSON_HEX_APOS)), true);
    $_REQUEST = json_decode(stripslashes(json_encode($_REQUEST, JSON_HEX_APOS)), true);
}

Handles keys, values and multi-dimensional arrays.

Answer 6

PHP.net has updated their docs and suggests a way of doing it. I've tested it and it seems to work very well (and fast). http://www.php.net/manual/en/security.magicquotes.disabling.php

<?php
if (get_magic_quotes_gpc()) {
    $process = array(&$_GET, &$_POST, &$_COOKIE, &$_REQUEST);
    while (list($key, $val) = each($process)) {
        foreach ($val as $k => $v) {
            unset($process[$key][$k]);
            if (is_array($v)) {
                $process[$key][stripslashes($k)] = $v;
                $process[] = &$process[$key][stripslashes($k)];
            } else {
                $process[$key][stripslashes($k)] = stripslashes($v);
            }
        }
    }
    unset($process);
}
?>