
Magic Quotes Off, Still Slashes

I have $_POST variables coming in from tags that have slashes on quotes. I know that magic quotes are off, and use the if (get_magic_quotes_gpc()) statement to stripslashes in case they are. However, slashes are still getting added. Why is that?

Form

<form method="POST" action="">
<input type="text" name="spe_set" />
<input type="submit" value="Submit" />
</form>

PHP

print_r($_POST['spe_set']); // if I wrote "Test's", this prints as "Test\'s"

So, I did,

if ( get_magic_quotes_gpc() )
    $tempvar = stripslashes($_POST['spe_set']);
else
    $tempvar = $_POST['spe_set'];

print_r($tempvar); // Still says "Test\'s"
notam2774 asked Jul 28 '11 22:07




2 Answers

I can't find any reference online to get_magic_quotes_gpc() returning a faulty result, so I'll instead give you a checklist to try to narrow down the issue (this should probably be a comment, but it's way too long for that):

The first thing I would do is try to edit the php.ini file to ensure magic_quotes_gpc really is set to be off. The best place to try this is to create/edit a php.ini file in the same directory as the script that's having issues, as that's the last place you can override an INI setting before getting to the script (and magic_quotes_gpc can't be overridden lower than that since by the time the script runs the damage has already been done).

In your php.ini file, add the following lines:

magic_quotes_gpc = Off
magic_quotes_runtime = Off
magic_quotes_sybase = Off

Only the first of those will affect POST variables ("gpc" stands for "Get, Post, and Cookies"), but it's good to set them all since they all suck.

After setting these lines, you can be sure that magic quotes really is off. If this fixes the issue, then you need to walk up the directory structure looking for where it got turned on in the first place. This could be in a higher-directory php.ini file, an .htaccess file, or even your httpd.conf file. You may want to get your host involved if you're not sure what you're doing here.

If the problem persists, then you should check for any calls to the addslashes() function in your script. This is easy if you're on Linux as you can run the command grep -ir "addslashes" * from the root directory for your project. If you're running on Windows, you should look into Cygwin, unxutils, or another Unix layer. I absolutely love unxutils, and it's one of the first things I install on a Windows setup or at a new job.

While I don't see why any framework would have something like this built in, I suppose it's possible that some idiot might try it. For that reason, you should probably make sure you grep over your framework files as well. Be sure to check any php.ini files provided with the framework, although that should be covered in what I already described above.

Finally, you should make sure to set error_reporting to E_ALL | E_STRICT. This can be done from the php.ini file, or using the error_reporting() function. Make sure this is set before any other PHP runs. You should always develop with the highest error reporting setting so that you can see every error, no matter how small, before it gets in front of a user. To make sure you can see these errors, make sure that display_errors is enabled as well.

Although the code sample you've pasted into your question is valid, I mentioned error_reporting just in case it's not a direct copy/paste from your code, or on the off chance there's some other code that's causing an error. By setting the error reporting, you can see any errors that could be blocking the correct functioning of get_magic_quotes_gpc() or stripslashes(). If you can fix those errors, the rest of your code will work as intended.

Good luck.

AgentConundrum answered Sep 21 '22 08:09


Sometimes you are on a stupid old system like an old xtcommerce. There is a file /admin/includes/functions/compatibility.php with a function that does "the magic" by itself:

if (!get_magic_quotes_gpc()) {
    do_magic_quotes_gpc($_GET);
    do_magic_quotes_gpc($_POST);
    do_magic_quotes_gpc($_COOKIE);
}

You should stop this by editing the condition or removing it.

terraloader answered Sep 22 '22 08:09
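
The checks from both answers (config files that turn magic quotes on, addslashes() calls, and code that emulates magic quotes on the superglobals) combined into one scan. This is an added example, not code from the thread; the function names and the contents of the demo tree are constructed for illustration.

```sh
#!/bin/sh
# Added example (not from the thread): list every place under a project root
# that can put backslashes into $_GET/$_POST/$_COOKIE data.

# Config lines that switch a magic_quotes_* setting ON. Handles php.ini syntax
# ("magic_quotes_gpc = On") and Apache syntax ("php_flag magic_quotes_gpc on").
# Commented-out lines (leading ';' or '#') are skipped by the ^ anchor.
scan_config() {
    find "$1" -type f \( -name 'php.ini' -o -name '.user.ini' -o -name '.htaccess' \) \
        -exec grep -HniE '^[[:space:]]*(php_(flag|value)[[:space:]]+)?magic_quotes_(gpc|runtime|sybase)[[:space:]=]+"?(on|1|true|yes)' {} + || true
}

# PHP lines that escape in code: addslashes() calls, or a whole superglobal
# passed to a function, as do_magic_quotes_gpc($_POST) in the second answer.
# Expect harmless hits such as count($_POST); this is a triage list.
scan_code() {
    find "$1" -type f \( -name '*.php' -o -name '*.inc' \) \
        -exec grep -HniE 'addslashes[[:space:]]*\(|[a-z0-9_]+[[:space:]]*\([[:space:]]*\$_(GET|POST|COOKIE|REQUEST)[[:space:]]*\)' {} + || true
}

find_slash_sources() {
    echo "== config enabling magic quotes =="; scan_config "$1"
    echo "== code escaping request data ==";  scan_code "$1"
}

# Constructed sample tree (file contents are made up for the demo).
make_demo_tree() {
    d=$(mktemp -d)
    mkdir -p "$d/admin/includes/functions" "$d/shop"
    printf '; magic_quotes_gpc = On\nmagic_quotes_gpc = Off\n' > "$d/php.ini"
    printf 'php_flag magic_quotes_gpc on\n' > "$d/shop/.htaccess"
    printf '<?php\nif (!get_magic_quotes_gpc()) {\n    do_magic_quotes_gpc($_POST);\n}\n' \
        > "$d/admin/includes/functions/compatibility.php"
    printf '<?php\nprint_r($_POST["spe_set"]);\n$v = addslashes($_POST["spe_set"]);\n' \
        > "$d/shop/form.php"
    echo "$d"
}

# Usage: sh scan.sh /path/to/project   (no argument: run on the demo tree)
root=${1:-$(make_demo_tree)}
find_slash_sources "$root"
```

On the demo tree the scan reports the .htaccess override and the two escaping lines, while the commented-out and Off lines in php.ini and the plain print_r() call are not listed.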