This is a discussion on Magic quotes how to within the alt.comp.lang.php forums, part of the PHP Programming Forums category.
Q: "I just need you to clear up one or two things with magic quotes. I've been reading up on them, but just need to know that I'm doing the right thing."

To break it down to a very low level for the sake of clarity, both configuration options are for adding slashes to data. The difference is from where the data is obtained:

>
> magic_quotes_gpc ------> browser (via get, post, cookie)
> magic_quotes_runtime --> database
>

If the directive is off, no slashes will be added automatically. If on, slashes are magically added. The example in the PHP manual illustrates this point for us:

<?php
echo get_magic_quotes_gpc();         # ... 1  <-- it's on, adds slashes magically!
echo $_POST['lastname'];             # ... O\'reilly
echo addslashes($_POST['lastname']); # ... O\\\'reilly

if (!get_magic_quotes_gpc()) {
    $lastname = addslashes($_POST['lastname']);
} else {
    $lastname = $_POST['lastname'];
}

echo $lastname;                      # ... O\'reilly
$sql = "INSERT INTO lastnames (lastname) VALUES ('$lastname')";
?>

It is extremely important that you understand how your server is configured before you read data and write data to and from your browser and/or your database tables! See what could happen if we added slashes to the posted variable and then wrote the value to our table called lastnames? We would have incorrect data! The column lastname would contain O\'reilly, which is not what we want!

Here it is from the PHP Manual pages:
-------------------------------------

magic_quotes_gpc
Sets the magic_quotes state for gpc (Get/Post/Cookie) operations. When magic_quotes are on, all ' (single-quote), " (double quote), \ (backslash) and NUL's are escaped with a backslash automatically.

magic_quotes_runtime
If magic_quotes_runtime is enabled, most functions that return data from any sort of external source including databases and text files will have quotes escaped with a backslash.

Important Note! The Sybase functions have a very specific impact on these settings when used!

These are fun configuration options, no doubt. These two configuration directives are two that can really throw your code into a tizzy if you program or use copies on different servers and the servers are configured differently (and you don't have any control over the configuration, such as hosting on a shared server). I tend to program one way or the other (for example, assume both options are always off), and ALWAYS check the implementation before bringing the code up live. One good thing is that both configuration options can be modified by dropping your own .htaccess file in the parent directory of your code and overriding your server settings (assuming Apache is configured to allow per-directory overrides).

Conclusion. Use the following code somewhere in the config/setup/common file you include into all other files to have an independent treatment of the quotes throughout your code:

[code]
// Escape request data only when magic_quotes_gpc has not already done so.
if (!get_magic_quotes_gpc()) {
    if (is_array($_GET))     $_GET     = addslashes_array($_GET);
    if (is_array($_POST))    $_POST    = addslashes_array($_POST);
    if (is_array($_REQUEST)) $_REQUEST = addslashes_array($_REQUEST);
    if (is_array($_COOKIE))  $_COOKIE  = addslashes_array($_COOKIE);
}

// Do not add slashes to data read back from databases or files.
set_magic_quotes_runtime(0);

// Recursively apply addslashes() to every value of a (possibly nested) array.
function addslashes_array($arr)
{
    foreach ($arr as $k => $v) {
        if (is_array($v)) {
            $arr[$k] = addslashes_array($v);
        } else {
            $arr[$k] = addslashes($v);
        }
    }
    // Rewind the internal pointer of the array being returned.
    reset($arr);
    return $arr;
}
[/code]

--
member of http://forum.bitcontent.com
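The double-escaping problem described in the post, as an added example that is not part of the original post or the PHP manual. The magic_quotes_gpc state is passed in as the hypothetical parameter $gpcOn (rather than read with get_magic_quotes_gpc(), which was removed in PHP 8.0) so both server configurations can be compared in one run on constructed input. stripslashes() stands in here for the single level of unescaping the SQL parser performs on a quoted string.

```php
<?php
// Added example, not from the original post. $gpcOn, simulate_gpc() and
// escape_once() are hypothetical names introduced for this illustration.

// Model what the server hands to the script for one raw browser value.
function simulate_gpc($raw, $gpcOn)
{
    return $gpcOn ? addslashes($raw) : $raw;
}

// Escape exactly once: add slashes only when the server has not already.
// Recurses into arrays such as name="tags[]" form fields; keys are left as-is.
function escape_once($value, $gpcOn)
{
    if (is_array($value)) {
        $out = array();
        foreach ($value as $k => $v) {
            $out[$k] = escape_once($v, $gpcOn);
        }
        return $out;
    }
    return $gpcOn ? $value : addslashes($value);
}

$raw = "O'reilly"; // constructed sample input

foreach (array(true, false) as $gpcOn) {
    $received = simulate_gpc($raw, $gpcOn);
    $blind    = addslashes($received);          // ignores the setting
    $guarded  = escape_once($received, $gpcOn); // checks the setting first

    printf("magic_quotes_gpc=%s\n", $gpcOn ? 'on' : 'off');
    printf("  received: %s\n", $received);
    printf("  blind:    %s  stored as %s\n", $blind, stripslashes($blind));
    printf("  guarded:  %s  stored as %s\n", $guarded, stripslashes($guarded));
}
```

With the setting on, the "blind" row ends up stored with a literal backslash, which is the incorrect data the post warns about; the "guarded" row is stored identically under both configurations.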