关闭魔术引号

magic_quotes_gpc 指令只能在系统级关闭，不能在运行时。也就是说不能用 ini_set()。

例 31-1. 在服务器端关闭魔术引号

下面是一个通过 php.ini 文件把这些选项设为 Off 的范例。更多信息请参见本手册的怎样修改配置设定。

; Magic quotes
;

; Magic quotes for incoming GET/POST/Cookie data.
magic_quotes_gpc = Off

; Magic quotes for runtime-generated data, e.g. data from SQL, from exec(), etc.
magic_quotes_runtime = Off

; Use Sybase-style magic quotes (escape ' with '' instead of \').
magic_quotes_sybase = Off

如果不能修改服务器端的配置文件，使用 .htaccess 也可以。范例如下：

php_flag magic_quotes_gpc Off

为了能写出移植性较强的代码（可以运行于任何环境），例如不能修改服务器配置的情况，下面的例子可以在运行时关闭 magic_quotes_gpc。但是这样做比较低效，适当的修改配置才是更好的办法。

例 31-2. 在运行时关闭魔术引号


<?php
if (get_magic_quotes_gpc()) {
    function stripslashes_deep($value)
    {
        $value = is_array($value) ?
                    array_map('stripslashes_deep', $value) :
                    stripslashes($value);

        return $value;
    }

    $_POST = array_map('stripslashes_deep', $_POST);
    $_GET = array_map('stripslashes_deep', $_GET);
    $_COOKIE = array_map('stripslashes_deep', $_COOKIE);
    $_REQUEST = array_map('stripslashes_deep', $_REQUEST);
}
?>

add a note User Contributed Notes

17-Dec-2006 08:20


PHP's magic quotes function has the strange behavior of not adding slashes to top level keys in GPC key/value pairs but adding the slashes in deeper level keys. To demonstrate, a URI of:



example.php?a'b[c'd]=e'f

produces:

array("a'b" => array("c\'d" => "e\'f"))



The current example for removing magic quotes does not do anything to keys, so after running stripslashes_deep, you would end up with:

array("a'b" => array("c\'d" => "e'f"))



Which, needless to say, is wrong. As if you had magic quotes off, it would have been:

array("a'b" => array("c'd" => "e'f"))



I have written a snippet of code compatible with PHP 4.0.0 and above that handles this correctly:



if (get_magic_quotes_gpc()) {

    function undoMagicQuotes($array, $topLevel=true) {

        $newArray = array();

        foreach($array as $key => $value) {

            if (!$topLevel) {

                $key = stripslashes($key);

            }

            if (is_array($value)) {

                $newArray[$key] = undoMagicQuotes($value, false);

            }

            else {

                $newArray[$key] = stripslashes($value);

            }

        }

        return $newArray;

    }

    $_GET = undoMagicQuotes($_GET);

    $_POST = undoMagicQuotes($_POST);

    $_COOKIE = undoMagicQuotes($_COOKIE);

    $_REQUEST = undoMagicQuotes($_REQUEST);

}

sunrunner20
25-Nov-2006 03:10


If php_flag magic_quotes_gpc off does not work

Use php_value magic_quotes_gpc off

insteadin your .htaccess file

rdk
08-Sep-2006 06:44


The function parse_str() (http://us3.php.net/manual/en/function.parse-str.php) is also affected by magic_quotes_gpc, so if that function is called anywhere, stripslashes_deep won't be sufficient by itself.

dedlfix
20-Aug-2006 12:18


The function stripslashes_deep() ignores slashes in the keys



For example a query string like this: ?foo'bar=baz'bal



Output of var_dump($_GET) is:



array(1) {

  ["foo\'bar"]=>

  string(8) "baz\'bal"

}



after stripslashes_deep():



array(1) {

  ["foo\'bar"]=>

  string(7) "baz'bal"

}



If you want the keys to be stripslashed too, you have to unset() the addslahed key and to add a stripslashed version. But keep in mind that this will change the order of the array.

add a note