get_magic_quotes_gpc
(PHP 3 >= 3.0.6, PHP 4, PHP 5)
get_magic_quotes_gpc -- Gets the current configuration setting of magic quotes gpc
Description
int get_magic_quotes_gpc ( void )
Returns the current configuration setting of magic_quotes_gpc (0 for off, 1 for on).
Note: If the directive magic_quotes_sybase is ON it will completely override magic_quotes_gpc. So even when get_magic_quotes_gpc() returns TRUE, neither double quotes, backslashes nor NULs will be escaped. Only single quotes will be escaped. In this case they'll look like: ''
Keep in mind that attempting to set magic_quotes_gpc at runtime will not work.
Example 1. get_magic_quotes_gpc() example
<?php
echo get_magic_quotes_gpc();          // current setting: 0 or 1
echo $_POST['lastname'];              // value as received
echo addslashes($_POST['lastname']);  // escaped again, whatever the setting
// Escape only if magic_quotes_gpc has not already done it.
if (!get_magic_quotes_gpc()) {
    $lastname = addslashes($_POST['lastname']);
} else {
    $lastname = $_POST['lastname'];
}
echo $lastname;
$sql = "INSERT INTO lastnames (lastname) VALUES ('$lastname')";
?>
For more information about magic_quotes, see this security section.
See also addslashes(), stripslashes(), get_magic_quotes_runtime(), and ini_get().
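The two escaping modes described in the note above, modelled as an added example that is not part of the manual page. The helpers gpc_escape(), gpc_unescape() and gpc_normalise() are hypothetical names, the input is constructed, and the mode is passed as an argument instead of being read from the configuration so the result does not depend on the server's settings.

```php
<?php
// Added illustration; gpc_escape(), gpc_unescape() and gpc_normalise() are
// hypothetical helpers, not PHP built-ins. The mode is an explicit argument.

// What magic_quotes_gpc does to one incoming string in each mode.
function gpc_escape($s, $sybase)
{
    if ($sybase) {
        // magic_quotes_sybase: only the single quote changes, by doubling.
        return str_replace("'", "''", $s);
    }
    // Default: backslash before ', ", \ and NUL (NUL is written as \0).
    return strtr($s, array("\\" => "\\\\", "'" => "\\'", '"' => '\\"', "\0" => "\\0"));
}

// Exact inverse of gpc_escape() for the same mode.
function gpc_unescape($s, $sybase)
{
    if ($sybase) {
        return str_replace("''", "'", $s);
    }
    return strtr($s, array("\\\\" => "\\", "\\'" => "'", '\\"' => '"', "\\0" => "\0"));
}

// Recover what the user typed from a (possibly nested) GPC-style array.
function gpc_normalise($value, $gpcOn, $sybase)
{
    if (!$gpcOn) {
        return $value;                      // nothing was escaped
    }
    if (is_array($value)) {
        $out = array();
        foreach ($value as $k => $v) {
            $out[$k] = gpc_normalise($v, $gpcOn, $sybase);
        }
        return $out;
    }
    return gpc_unescape($value, $sybase);
}

$typed = array('lastname' => "O'Reilly", 'tags' => array('a\\b', 'say "hi"')); // constructed input
foreach (array(false, true) as $sybase) {
    $received = array('lastname' => gpc_escape($typed['lastname'], $sybase),
                      'tags'     => array_map(function ($t) use ($sybase) { return gpc_escape($t, $sybase); }, $typed['tags']));
    echo $sybase ? "sybase: " : "default: ", $received['lastname'], ' | ', implode(' | ', $received['tags']), "\n";
    var_dump(gpc_normalise($received, true, $sybase) === $typed);   // undo with the matching mode
    var_dump(gpc_normalise($received, true, !$sybase) === $typed);  // undo with the wrong mode
}
```

The second var_dump() in each pass shows why a check on get_magic_quotes_gpc() alone is not enough to decide how to undo the escaping: the sybase setting determines which inverse applies.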
User Contributed Notes
get_magic_quotes_gpc
aderyn (gmail.com)
20-Apr-2005 08:13
This is the most common solution to the problem mentioned above.
function stripslashes_deep($value)
{
    return (is_array($value) ? array_map('stripslashes_deep', $value) : stripslashes($value));
}
if (get_magic_quotes_gpc())
{
    $_GET = array_map('stripslashes_deep', $_GET);
    $_POST = array_map('stripslashes_deep', $_POST);
    $_COOKIE = array_map('stripslashes_deep', $_COOKIE);
}
Stephen
16-Mar-2005 01:44
Beware when using the code posted by "theaxe at thefrozensea dot net" - if any of your G/P/C arrays contain other arrays, they will be broken - running stripslashes on an array just returns "Array" rather than the actual array. Some sort of recursive function would be good in that case...
theaxe at thefrozensea dot net
14-Mar-2005 05:46
Without a doubt smart quotes are a nuisance.
The following seems to do the trick on PHP 4.3.10.
// if magic quotes on then get rid of them
if (get_magic_quotes_gpc()) {
    $_GET = array_map('stripslashes', $_GET);
    $_POST = array_map('stripslashes', $_POST);
    $_COOKIE = array_map('stripslashes', $_COOKIE);
}
credit to:
http://www.sitepoint.com/blog-post-view.php?id=176388
Caya
24-Feb-2005 09:14
If get_magic_quotes_gpc() is 1 (on) then the Get, Post and Cookie data is dirty (you have something in memory the user didn't type). You need to clean it up by calling stripslashes.
I use this code snippet:
function cleanArray(&$arr) {
    foreach ($arr as $k => $v)
        if (is_array($v))
            cleanArray($arr[$k]);
        else
            $arr[$k] = stripslashes($v);
}
/// before processing anything in PHP do
if (get_magic_quotes_gpc()) {
    cleanArray($_POST);
    cleanArray($_COOKIE);
    cleanArray($_GET);
}
// here if the user typed O'Connell, you have [O]['][C][o][n][n][e][l][l]
// in your variable in memory (say $name=$_POST['name']).
// (I use [ ] to represent individual characters here. Don't be confused)
// All pattern matching etc. you do with that variable works as
// expected (strlen is 9 not 10, for example!).
// Of course, sending this back to the user by HTML involves using
// htmlentities($var), to store in DB use addslashes($var), to send as
// plain email use its content as it is, etc.
The above code implies that you need to be aware of what a variable is supposed to have to handle it properly (Isn't this obvious? So, why a global behaviour like magic_quotes in the first place? well... that's life...).
If you can change your web hosting settings I recommend magic_quotes=no.
php at kaiundina dot de
02-Feb-2005 07:18
Escaping of key-strings in GPC-arrays behaves differently from the escaping of their values.
First I expected that keys in submitted gpc-arrays are never escaped.
Anyway. After I saw escaped keys, I assumed they're escaped according to the settings of magic quotes.
... it's even worse...
It took me over 2 days of testing to figure out the exact behavior and create two functions (one for each php-version) that strip slashes reliably from any array submitted to a script. Hope this saves someone's time and nerves.
The following is true for $_GET- and $_POST-arrays. I hope other arrays affected by magic quotes behave equally.
I did not test the behavior for cases where magic_quotes_sybase is set.
== legend for possible case combinations ==
Px = php version we're using
P4 = php 4.3.9
P5 = php 5.0.2
MQ = MagicQuotes GPC
+MQ = magic quotes enabled
-MQ = magic quotes disabled
TL = TopLevel key
+TL = key is on top level (i.e. $_GET['myKey'])
-TL = key is nested within another array (i.e. $_GET['myList']['myKey'])
AK = ArrayKey
+AK = the value of the key is another array (i.e. is_array($_GET['myKey']) == true)
-AK = the value is a normal string (i.e. is_string($_GET['myKey']) == true)
== legend for possible results ==
KE = KeyEscaping
+KE = control chars are prefixed with a backslash
-KE = key is returned as submitted and needn't be stripped
VE = ValueEscaping (doesn't apply for array as value)
+VE = control chars are prefixed with a backslash
-VE = value is returned as submitted and needn't be stripped
== here we go - the following rules apply ==
1) P4 +MQ +AK +TL --> -KE
2) P4 +MQ +AK -TL --> +KE
3) P4 +MQ -AK +TL --> -KE +VE
4) P4 +MQ -AK -TL --> +KE +VE
5) P4 -MQ +AK +TL --> -KE
6) P4 -MQ +AK -TL --> -KE
7) P4 -MQ -AK +TL --> -KE -VE
8) P4 -MQ -AK -TL --> -KE -VE
9) P5 +MQ +AK +TL --> -KE
10) P5 +MQ +AK -TL --> +KE
11) P5 +MQ -AK +TL --> +KE +VE
12) P5 +MQ -AK -TL --> +KE +VE
13) P5 -MQ +AK +TL --> -KE
14) P5 -MQ +AK -TL --> -KE
15) P5 -MQ -AK +TL --> +KE -VE
16) P5 -MQ -AK -TL --> +KE -VE
17) The chars '.', ' ' are always replaced by '_' when used in keys.
Example (rule 15):
When running under php 5.0.2 having magic quotes disabled, gpc-keys on top level containing strings are escaped while their associated values are not.
== The following function will strip GPC-arrays for php 4.3.9 ==
function transcribe($aList, $aIsTopLevel = true) {
    $gpcList = array();
    $isMagic = get_magic_quotes_gpc();
    foreach ($aList as $key => $value) {
        $decodedKey = ($isMagic && !$aIsTopLevel)?stripslashes($key):$key;
        if (is_array($value)) {
            $decodedValue = transcribe($value, false);
        } else {
            $decodedValue = ($isMagic)?stripslashes($value):$value;
        }
        $gpcList[$decodedKey] = $decodedValue;
    }
    return $gpcList;
}
== The following function will strip GPC-arrays for php 5.0.2 ==
function transcribe($aList, $aIsTopLevel = true) {
    $gpcList = array();
    $isMagic = get_magic_quotes_gpc();
    foreach ($aList as $key => $value) {
        if (is_array($value)) {
            $decodedKey = ($isMagic && !$aIsTopLevel)?stripslashes($key):$key;
            $decodedValue = transcribe($value, false);
        } else {
            $decodedKey = stripslashes($key);
            $decodedValue = ($isMagic)?stripslashes($value):$value;
        }
        $gpcList[$decodedKey] = $decodedValue;
    }
    return $gpcList;
}
Usage:
$unstrippedGET = transcribe($_GET);
$unstrippedPOST = transcribe($_POST);
Maybe someone is willing to test those combinations for other php-versions and with magic_quotes_sybase set to 'on' - let me know.
Sorry for this huge amount of text, but it's complete. I was unable to compress the decision table more than this.
stpierre-at-spamsucks.nebrwesleyan.edu
14-Jan-2005 11:51
I've found that, when working with Oracle (9i at least), you'll want to turn on magic_quotes_sybase. I've read elsewhere that others have had the same experience.
eltehaem at poczta dot onet dot pl
26-Nov-2004 05:58
Please note that when magic_quotes_gpc is set, not only the values of the $_POST, $_GET, $_REQUEST and $_COOKIE arrays are slashed. Actually every string value in the $GLOBALS array is slashed, i.e. $GLOBALS['_SERVER']['PATH_INFO'] (or $_SERVER['PATH_INFO']).
pestilence
12-Nov-2004 03:00
In the example above, the author forgets to include $_REQUEST, which is also slashed (using PHP 4.3.8).
It's good practice to include a routine to "unslash" or "slash" variables, if something happens that isn't to your expectation. However your PHP is written to depend on this option, it becomes important to support either when or if others deploy your code.
---------------------------------------------------------------------
If you have written for having this option disabled:
---------------------------------------------------------------------
if (get_magic_quotes_gpc()) unfck_gpc();
function unfck($v) {
    return is_array($v) ? array_map('unfck', $v) : stripslashes($v);
}
function unfck_gpc() {
    foreach (array('POST', 'GET', 'REQUEST', 'COOKIE') as $gpc)
        $GLOBALS["_$gpc"] = array_map('unfck', $GLOBALS["_$gpc"]);
}
---------------------------------------------------------------------
If you have written for having this option enabled:
---------------------------------------------------------------------
if (!get_magic_quotes_gpc()) unfck_gpc();
function unfck($v) {
    return is_array($v) ? array_map('unfck', $v) : addslashes($v);
}
function unfck_gpc() {
    foreach (array('POST', 'GET', 'REQUEST', 'COOKIE') as $gpc)
        $GLOBALS["_$gpc"] = array_map('unfck', $GLOBALS["_$gpc"]);
}
---------------------------------------------------------------------
Including either code block, depending on how your PHP is written, will ensure that it will operate the same regardless of this configuration option.