Re: Double checking - I should turn off "magic quotes"

Richard Lynch wrote:
> On Mon, June 4, 2007 9:02 am, Dave M G wrote:
>> I've read on the manual that it's "preferred to code with magic quotes
>> off and to instead escape the data at runtime, as needed":
>>
>> Recently, while configuring my PHP so as to install the GD libraries,
>> that the default option was to have magic quotes turned on.
> 
> What version of PHP did you install?...
> 
> I'm pretty sure they turned MQ off by default in PHP5...
> 
>> I just want to double check here what to do. Should I disable magic
>> quotes on my server?
> 
> YES!
> 
> Turn the dang thing off!
> 
>> Also, I'm developing code that I hope others can use. For the purposes
>> of portability, is it safe to assume that most environments will have
>> magic quotes off, and build for that?
> 
> Nope.
> 
> Use something not unlike:
> if (ini_get('magic_quotes_gpc')){
>   array_map('stripslashes', $_GET);
>   array_map('stripslashes', $_POST);
>   array_map('stripslashes', $_COOKIE);
>   array_map('stripslashes', $_REQUEST);
> }

a few problems with this:

1. array_map doesn't change the input array(s) - so in this example, $_GET et al are not actually
changed.
2. there is a fair chance that these arrays may sometimes contain subarrays and it's therefore
necessary to actually recurse into any found subarrays and perform stripslashes on each
value found there.

I would suggest something like (although this is untested, I'm not 100% sure the 'by reference' 2nd
argument is done in the correct manner and there may also be restrictions as to using functions
like array_walk_recursive() on super global variables):

$ss = 'stripslashes';
array_walk_recursive($_GET, &$ss);

so alternatively (a method I know for sure does work - but is a little less clean, given it uses assignment and
a userland recursive function):

function ssRecursive($v) {
	return is_array($v) ? array_map('ssRecursive', $v) : stripslashes($v);
}
$_GET = ssRecursive($_GET);


> 

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
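
The two problems raised in the reply above, as an added example that is not part of the original thread: the discarded array_map() result, and a recursive fix built on array_walk_recursive() with a by-reference callback. The names undo_magic_quotes() and expect_same() and the sample arrays are constructed for illustration; the sample stands in for $_GET as magic_quotes_gpc would have delivered it.

```php
<?php
// Added example, not from the original thread; names and data are constructed.
// Written to parse on PHP 5.3 (the last series with magic quotes) and later.

// Strip one level of escaping from every leaf of $input, in place.
// array_walk_recursive() descends into subarrays, and the callback has to
// take the value by reference (&$value) for the assignment to reach $input.
function undo_magic_quotes(array &$input)
{
    array_walk_recursive($input, function (&$value) {
        if (is_string($value)) {
            $value = stripslashes($value);
        }
    });
}

// Small self-check helper so the script fails loudly if a claim is wrong.
function expect_same($expected, $actual)
{
    if ($expected !== $actual) {
        throw new RuntimeException('unexpected: ' . var_export($actual, true));
    }
}

// Point 1 of the reply: array_map() returns a new array, so discarding the
// return value leaves the input exactly as it was.
$flat = array('name' => "O\\'Reilly");
array_map('stripslashes', $flat);
expect_same("O\\'Reilly", $flat['name']);

// Point 2: constructed stand-in for $_GET after magic_quotes_gpc processed
// ?name=O'Reilly&tags[]=it's&tags[]=a\b (a nested array of escaped strings).
$sample = array(
    'name' => "O\\'Reilly",
    'tags' => array("it\\'s", 'a\\\\b'),
);
undo_magic_quotes($sample);
expect_same("O'Reilly", $sample['name']);
expect_same(array("it's", 'a\\b'), $sample['tags']);

// Real use: ini_get() returns false for this directive on PHP 5.4+, where
// magic quotes no longer exist, so the guard only fires on old runtimes.
if (ini_get('magic_quotes_gpc')) {
    undo_magic_quotes($_GET);
    undo_magic_quotes($_POST);
    undo_magic_quotes($_COOKIE);
    undo_magic_quotes($_REQUEST);
}
echo "ok\n";
```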

