[ACCEPTED]-How to turn off magic quotes on shared hosting?-magic-quotes-gpc

As per the manual you can often install a custom php.ini 15 on shared hosting, where mod_php isn't used 14 and the php_value directive thus leads to an error. For 13 suexec/FastCGI setups it is quite common 12 to have a per-webspace php.ini in any case.

--

I 11 don't think O (uppercase letter o) is a 10 valid value to set an ini flag. You need 9 to use a true/false, 1/0, or "on"/"off" value.

ini_set( 'magic_quotes_gpc', 0 );   // doesn't work

EDIT

After 8 checking the list of ini settings, I see that magic_quotes_gpc 7 is a PHP_INI_PERDIR setting (after 4.2.3), which means 6 you can't change it with ini_set() (only PHP_INI_ALL settings 5 can be changed with ini_set())

What this means is 4 you have to use an .htaccess file to do 3 this - OR - implement a script to reverse 2 the effects of magic quotes. Something 1 like this

if ( in_array( strtolower( ini_get( 'magic_quotes_gpc' ) ), array( '1', 'on' ) ) )
{
    $_POST = array_map( 'stripslashes', $_POST );
    $_GET = array_map( 'stripslashes', $_GET );
    $_COOKIE = array_map( 'stripslashes', $_COOKIE );
}

While I can't say why php_flag is giving 10 you 500 Internal Server Errors, I will point out that the PHP manual has an 9 example of detecting if magic quotes is 8 on and stripping it from the superglobals 7 at runtime. Unlike the others posted, this 6 one is recursive and will correctly strip 5 quotes from arrays:

Update: I noticed today 4 that there's a new version of the following 3 code on the PHP manual that uses references 2 to the super-globals instead.

Old version:

<?php
if (get_magic_quotes_gpc()) {
    function stripslashes_deep($value)
    {
        $value = is_array($value) ?
                    array_map('stripslashes_deep', $value) :
                    stripslashes($value);

        return $value;
    }

    $_POST = array_map('stripslashes_deep', $_POST);
    $_GET = array_map('stripslashes_deep', $_GET);
    $_COOKIE = array_map('stripslashes_deep', $_COOKIE);
    $_REQUEST = array_map('stripslashes_deep', $_REQUEST);
}
?>

New 1 version:

<?php
if (get_magic_quotes_gpc()) {
    $process = array(&$_GET, &$_POST, &$_COOKIE, &$_REQUEST);
    while (list($key, $val) = each($process)) {
        foreach ($val as $k => $v) {
            unset($process[$key][$k]);
            if (is_array($v)) {
                $process[$key][stripslashes($k)] = $v;
                $process[] = &$process[$key][stripslashes($k)];
            } else {
                $process[$key][stripslashes($k)] = stripslashes($v);
            }
        }
    }
    unset($process);
}
?>

This will solve the problem of getting "Class 13 'PDO' not found" when you create a local 12 php.ini file.

If you can't turn off magic 11 quotes using the htaccess file (for reasons 10 already given by Pete Bailey) just:

1. Create a text file
2. Rename it to 'php.ini'

3. Add the 9 lines

   magic_quotes_gpc = Off
   magic_quotes_runtime 8 = Off
   magic_quotes_sybase = Off
   extension=pdo.so
   extension=pdo_mysql.so

4. Save 7 it to the directory/ies in which your scripts 6 are executing.

Update: if you want to have 5 just one copy of the new php.ini file then 4 add this line to your root .htaccess file:

SetEnv PHPRC /path/to/site/root/public_html/php.ini

Obviously 3 you need to move the ini file to this location 2 of it's not there already.

Hope that saves 1 someone the 2 hours it's just taken me!

The php_flag and php_value inside a .htaccess 24 file are technically correct - but for PHP 23 installed as an Apache module only. On a 22 shared host you'll almost never find such 21 a setup; PHP is run as a CGI instead, for 20 reasons related to security (keeping your 19 server neighbours out of your files) and 18 the way phpsuexec runs scripts as 'you' instead 17 of the apache user.

Apache is thus correct 16 giving you a server error: it doesn't know 15 about the meaning of php_flag unless the 14 PHP module is loaded. A CGI binary is to 13 Apache an external program instead, and 12 you can't configure it from within Apache.

Now 11 for the good news: you can set up per-directory 10 configuration putting there a file named 9 'php.ini' and setting there your instructions using 8 the same syntax as in the system's main 7 php.ini. The PHP manual lists all settable directives: you 6 can set those marked with PHP_INI_PERDIR 5 or PHP_INI_ALL, while only the system administrator 4 can set those marked PHP_INI_SYSTEM in the 3 server-wide php.ini.

Note that such php.ini 2 directives are not inherited by subdirectories, you'll 1 have to give them their own php.ini.

======================== =============== MY 6 SOLUTION ============================ (rename 5 your php.ini to php5.ini)

and in the top 4 (!), add these:

magic_quotes_gpc = Off
magic_quotes_runtime = Off
magic_quotes_sybase = Off
extension=pdo.so
extension=pdo_mysql.so

then in .htaccess, add this 3 (in the top):

SetEnv PHPRC /home/your_path/to/public_html/php5.ini

p.s. change /home/your_path/to/ correctly (you 2 can see that path by executing the <?php phpinfo(); ?> command 1 from a typical .php file.)

If you're running PHP 5.3+ this will do 3 the trick, place it at the topmost of your 2 page:

if (get_magic_quotes_gpc() === 1)
{
    $_GET = json_decode(stripslashes(json_encode($_GET, JSON_HEX_APOS)), true);
    $_POST = json_decode(stripslashes(json_encode($_POST, JSON_HEX_APOS)), true);
    $_COOKIE = json_decode(stripslashes(json_encode($_COOKIE, JSON_HEX_APOS)), true);
    $_REQUEST = json_decode(stripslashes(json_encode($_REQUEST, JSON_HEX_APOS)), true);
}

Handles keys, values and multi-dimensional 1 arrays.

if your hosting provider using cpanel, you 2 can try copying php.ini into your web directory and 1 edit it with magic_quotes_gpc = off

I know I'm late to answer this, but I read 11 most of the answers and while many were 10 great, only djn actually explained why you were getting this 500 Internal Server Error.

While 9 his explanation was 100% correct, this is 8 a perfect example of why you should always 7 wrap those in an <IfModule>. While this won't fix 6 the actual problem of not being able to 5 set those flags in your .htaccess, it will at least prevent the 500 error.

<IfModule mod_php5.c>
    # put all of your php_flags here, for example:
    php_flag magic_quotes_gpc off
</IfModule>

Or for older 4 versions it would be <IfModule mod_php.c> etc.

I try to make 3 a habit out of always doing this so as to 2 avoid any such 500 errors. After that, just 1 apply what Peter Bailey said.

Different hosting providers have different 6 procedures for doing this, so I would ask 5 on their forums or file a support request.

If 4 you can't turn them off, you could always 3 using something like this which will escape 2 input regardless of whether magic quotes 1 are on or off:

//using mysqli

public function escapeString($stringToBeEscaped) {

    return $this->getConnection()->real_escape_string(stripslashes($stringToBeEscaped));
}

1. Does it work if you remove the AddType line? I'm 5 not quite sure why that's relevant to turning 4 magic quotes off.

2. If PHP isn't running under 3 mod_php, htaccess won't work. Does it work 2 as a CGI?

This is one for your hosting company 1 really.

BaileyP's answer is already pretty good, but 2 I would use this condition instead:

if(function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc() === 1){
  $_POST = array_map( 'stripslashes', $_POST );
  $_GET = array_map( 'stripslashes', $_GET );
  $_COOKIE = array_map( 'stripslashes', $_COOKIE );
}

It is 1 more defensive.

How about $_SERVER ?

if (get_magic_quotes_gpc() === 1) {

    $_GET = json_decode(stripslashes(json_encode($_GET, JSON_HEX_APOS)), true);
    $_POST = json_decode(stripslashes(json_encode($_POST, JSON_HEX_APOS)), true);
    $_COOKIE = json_decode(stripslashes(json_encode($_COOKIE, JSON_HEX_APOS)), true);
    $_REQUEST = json_decode(stripslashes(json_encode($_REQUEST, JSON_HEX_APOS)), true); 
    $_SERVER = json_decode( stripslashes(json_encode($_SERVER,JSON_HEX_APOS)), true); 
}

0