SyntaxFix

[php] How to turn off magic quotes on shared hosting?

I want to turn off PHP's magic quotes. I don't have access to php.ini.

When I tried to add php_flag magic_quotes_gpc off to my .htaccess file, I get a 500 internal server error. This is what my .htaccess file looks like:

AddType x-mapp-php5 .php
php_flag magic_quotes_gpc off

Then I tried to use ini_set('magic_quotes_gpc', 'O'), but that had no effect.

How do I turn magic quotes off?

This question is related to php magic-quotes-gpc

The answer is

if your hosting provider using cpanel, you can try copying php.ini into your web directory and edit it with magic_quotes_gpc = off

The php_flag and php_value inside a .htaccess file are technically correct - but for PHP installed as an Apache module only. On a shared host you'll almost never find such a setup; PHP is run as a CGI instead, for reasons related to security (keeping your server neighbours out of your files) and the way phpsuexec runs scripts as 'you' instead of the apache user.

Apache is thus correct giving you a server error: it doesn't know about the meaning of php_flag unless the PHP module is loaded. A CGI binary is to Apache an external program instead, and you can't configure it from within Apache.

Now for the good news: you can set up per-directory configuration putting there a file named 'php.ini' and setting there your instructions using the same syntax as in the system's main php.ini. The PHP manual lists all settable directives: you can set those marked with PHP_INI_PERDIR or PHP_INI_ALL, while only the system administrator can set those marked PHP_INI_SYSTEM in the server-wide php.ini.

Note that such php.ini directives are not inherited by subdirectories, you'll have to give them their own php.ini.

How about $_SERVER ? 

if (get_magic_quotes_gpc() === 1) {

    $_GET = json_decode(stripslashes(json_encode($_GET, JSON_HEX_APOS)), true);
    $_POST = json_decode(stripslashes(json_encode($_POST, JSON_HEX_APOS)), true);
    $_COOKIE = json_decode(stripslashes(json_encode($_COOKIE, JSON_HEX_APOS)), true);
    $_REQUEST = json_decode(stripslashes(json_encode($_REQUEST, JSON_HEX_APOS)), true); 
    $_SERVER = json_decode( stripslashes(json_encode($_SERVER,JSON_HEX_APOS)), true); 
}

This will solve the problem of getting "Class 'PDO' not found" when you create a local php.ini file.

If you can't turn off magic quotes using the htaccess file (for reasons already given by Pete Bailey) just:

  1. Create a text file
  2. Rename it to 'php.ini'

  3. Add the lines

    magic_quotes_gpc = Off
    magic_quotes_runtime = Off
    magic_quotes_sybase = Off
    extension=pdo.so
    extension=pdo_mysql.so

  4. Save it to the directory/ies in which your scripts are executing.

Update: if you want to have just one copy of the new php.ini file then add this line to your root .htaccess file:

SetEnv PHPRC /path/to/site/root/public_html/php.ini

Obviously you need to move the ini file to this location of it's not there already.

Hope that saves someone the 2 hours it's just taken me!

======================== =============== MY SOLUTION ============================ (rename your php.ini to php5.ini)

and in the top (!), add these:

magic_quotes_gpc = Off
magic_quotes_runtime = Off
magic_quotes_sybase = Off
extension=pdo.so
extension=pdo_mysql.so

then in .htaccess, add this (in the top):

SetEnv PHPRC /home/your_path/to/public_html/php5.ini

p.s. change /home/your_path/to/ correctly (you can see that path by executing the <?php phpinfo(); ?> command from a typical .php file.)

While I can't say why php_flag is giving you 500 Internal Server Errors, I will point out that the PHP manual has an example of detecting if magic quotes is on and stripping it from the superglobals at runtime. Unlike the others posted, this one is recursive and will correctly strip quotes from arrays:

Update: I noticed today that there's a new version of the following code on the PHP manual that uses references to the super-globals instead.

Old version:

<?php
if (get_magic_quotes_gpc()) {
    function stripslashes_deep($value)
    {
        $value = is_array($value) ?
                    array_map('stripslashes_deep', $value) :
                    stripslashes($value);

        return $value;
    }

    $_POST = array_map('stripslashes_deep', $_POST);
    $_GET = array_map('stripslashes_deep', $_GET);
    $_COOKIE = array_map('stripslashes_deep', $_COOKIE);
    $_REQUEST = array_map('stripslashes_deep', $_REQUEST);
}
?>

New version:

<?php
if (get_magic_quotes_gpc()) {
    $process = array(&$_GET, &$_POST, &$_COOKIE, &$_REQUEST);
    while (list($key, $val) = each($process)) {
        foreach ($val as $k => $v) {
            unset($process[$key][$k]);
            if (is_array($v)) {
                $process[$key][stripslashes($k)] = $v;
                $process[] = &$process[$key][stripslashes($k)];
            } else {
                $process[$key][stripslashes($k)] = stripslashes($v);
            }
        }
    }
    unset($process);
}
?>

I know I'm late to answer this, but I read most of the answers and while many were great, only djn actually explained why you were getting this 500 Internal Server Error.

While his explanation was 100% correct, this is a perfect example of why you should always wrap those in an <IfModule>. While this won't fix the actual problem of not being able to set those flags in your .htaccess, it will at least prevent the 500 error.

<IfModule mod_php5.c>
    # put all of your php_flags here, for example:
    php_flag magic_quotes_gpc off
</IfModule>

Or for older versions it would be <IfModule mod_php.c> etc.

I try to make a habit out of always doing this so as to avoid any such 500 errors. After that, just apply what Peter Bailey said.

BaileyP's answer is already pretty good, but I would use this condition instead:

if(function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc() === 1){
  $_POST = array_map( 'stripslashes', $_POST );
  $_GET = array_map( 'stripslashes', $_GET );
  $_COOKIE = array_map( 'stripslashes', $_COOKIE );
}

It is more defensive.

  1. Does it work if you remove the AddType line? I'm not quite sure why that's relevant to turning magic quotes off.

  2. If PHP isn't running under mod_php, htaccess won't work. Does it work as a CGI?

This is one for your hosting company really.

If you're running PHP 5.3+ this will do the trick, place it at the topmost of your page:

if (get_magic_quotes_gpc() === 1)
{
    $_GET = json_decode(stripslashes(json_encode($_GET, JSON_HEX_APOS)), true);
    $_POST = json_decode(stripslashes(json_encode($_POST, JSON_HEX_APOS)), true);
    $_COOKIE = json_decode(stripslashes(json_encode($_COOKIE, JSON_HEX_APOS)), true);
    $_REQUEST = json_decode(stripslashes(json_encode($_REQUEST, JSON_HEX_APOS)), true);
}

Handles keys, values and multi-dimensional arrays.

If you can't turn it off, here is what I usually do:

get_magic_quotes_gpc() ? $_POST['username'] : mysql_real_escape_string($_POST['username']);

It will be placed in the database in its proper format.

Different hosting providers have different procedures for doing this, so I would ask on their forums or file a support request.

If you can't turn them off, you could always using something like this which will escape input regardless of whether magic quotes are on or off:

//using mysqli

public function escapeString($stringToBeEscaped) {

    return $this->getConnection()->real_escape_string(stripslashes($stringToBeEscaped));
}

Source: Stackoverflow.com

Examples related to php

I am receiving warning in Facebook Application using PHP SDK Pass PDO prepared statement to variables Parse error: syntax error, unexpected [ Preg_match backtrack error Removing "http://" from a string How do I hide the PHP explode delimiter from submitted form results? Problems with installation of Google App Engine SDK for php in OS X Laravel 4 with Sentry 2 add user to a group on Registration php & mysql query not echoing in html with tags? How do I show a message in the foreach loop?

Examples related to magic-quotes-gpc

How to turn off magic quotes on shared hosting?

Tags

Addcallback Script-console Redirect Alt.net Absolute-value Morfik Satelliteforms Over-clause Mvvm-toolkit Ssms Popupcontrolextender Nstreecontroller Database-update Ear-file Http-status Mbox Unique-key Scrubyt Snoop User-warning Spinner Termios Iidentity Public-key-encryption Return-value-optimization Cancan Delimited Observers Menubar Custom-formatting Sql-in Pcspim Freebsd Vi Esent Contracts Svn-administraton Validationattribute Pythagorean Dolphin-cms Autoreconf Cakephp Helios Class-hierarchy Include Properties.settings Packaged-task Odbc Trac Nsnotifications Mutual-recursion Subpixel Recording Wadl Var Django-comments Oracleforms Complex-numbers Timeoutexception Linefeed Oracle10g Pyramid Getlasterror Django-managers Multiple-select-query Pep8-assembly Nutch Aio Avcomposition Directed-acyclic-graphs Dice Path Nshttpcookie Hyphen Mouse-pointer Tooling Firebird-embedded Lighty Website-payment-pro Ear Gpolygon Jstl Tessellation Mysqlpp Dev-null Updating Checkboxfor Raid Sqlbrowser Collabnet Xcconfig Analog-digital-converter Rgb Client-templates Orchestration X3d Fault-tolerant-heap Output-directory Static-media Ocsp