[php] magic_gpc_quotes - Disable?

[deadimp]

Could I get this disabled on my account? Thacmus works alright with it on, but when getting data directly from POST (such as an ajax request) I don't exactly format it.

On that note, does anyone really use it?

 

[Bryon]

It's nice to have enabled on a server with a lot of other people, ones who may not be as security-conscious as others. It's a decent deterrent to SQL injection attacks. (I'm stressing the decent there, it's by no means sufficient to fully protect against it.)

We're working on a way to enable/disable PHP directives on a per user basis, which hopefully we'll be able to do soon. So for right now, it's going to stay on.

For now, you can use something such as this to check for/reverse the affect of magic_quotes_gpc:

      if(get_magic_quotes_gpc()) {
         if(ini_get('magic_quotes_sybase')) {
             $example = str_replace("''", "'", $_POST['example']);
         } else {
             $example = stripslashes($_POST['example']);
         }
      } else {
          $example = $_POST['example'];
      }

You could probably use array_walk or something and have it go through $_REQUEST/POST/GET automatically on every page load also.

 

[deadimp]

I have a formatting function for like that in place, but I wanted to avoid manually formatting the array.