PHP
downloads | documentation | faq | getting help | mailing lists | reporting bugs | php.net sites | links | conferences | my php.net

search for in the

Pourquoi utiliser les guillemets magiques?> <Données transmises par les internautes
Last updated: Fri, 20 Jun 2008

view this page in

Guillemets magiques

Sommaire

Avertissement

Cette fonctionnalité est OBSOLETE et a été supprimée depuis PHP 6.0.0. Nous vous encourageons vivement à ne pas l'utiliser.

Les guillemets magiques (littéralement, les Magic Quotes) est un processus qui protège automagiquement les données introduites dans un script PHP. Il est recommandé de développer les applications sans l'aide des guillemets magiques, et de protéger manuellement les données.

Qu'est-ce que les guillemets magiques?

Lorsque cette directive est active, les guillemets simples ', les guillemets doubles ", les antislashs \ et les caractères null NULL sont protégés automatiquement avec un antislash. C'est le même résultat que celui de la fonction addslashes().

Il y a trois directives de guillemets magiques différentes :

  • magic_quotes_gpc Affecte les données issues des requêtes HTTP (GET, POST, et COOKIE). Ne peut pas être configurée durant l'exécution, et vaut par défaut on en PHP. Voir aussi get_magic_quotes_gpc().
  • magic_quotes_runtime Si activée, la plupart des fonctions qui retournent des données externes, y compris issues d'une base de données ou d'un fichier texte, verront les données protégées par des antislashs. Cette directive peut être modifiée durant l'exécution, et vaut par défaut off en PHP Voir aussi set_magic_quotes_runtime() et get_magic_quotes_runtime().
  • magic_quotes_sybase Si cette configuration est active, les guillemets simples sont protégés avec un autre guillemets simples, et non pas un antislash. Lorsqu'elle est active, cette directive remplace entièrement magic_quotes_gpc. Si vous activez ces deux directives, alors seuls les guillemets simples seront protégés, avec ''. Les guillemets doubles, les antislashs et les caractères null seront laissés intacts. Voir aussi ini_get() pour lire la valeur de la directive.


Pourquoi utiliser les guillemets magiques?> <Données transmises par les internautes
Last updated: Fri, 20 Jun 2008
 
add a note add a note User Contributed Notes
Guillemets magiques
travismowens at gmail dot com
25-Jun-2008 07:25
With just a couple minor updates to Thomas' function, it can support both arrays and variables like so:

function RemoveMagicQuotes ($postArray, $trim = false)
{
    if (get_magic_quotes_gpc() == 1)
    {
        if ( is_array($postArray) )
        {
            $newArray = array();  
          
            foreach ($postArray as $key => $val)
            {
                if (is_array($val))
                {
                    $newArray[$key] = removeMagicQuotes ($val, $trim);
                }
                else
                {
                    if ($trim == true)
                    {
                        $val = trim($val);
                    }
                    $newArray[$key] = stripslashes($val);
                }
            }  
          
            return $newArray;
        }
        else
        {
            return stripcslashes($postArray);
        }
    }
    else
    {
        return $postArray;  
    }      
}
php at danielknell dot co dot uk
29-Oct-2007 02:03
most of the user contributed code related to stripping magic quotes posted could open vulnerabilities in your scripts as mentioned with a better sollution at:

http://talks.php.net/show/php-best-practices/26

it supprises me that this link has not been previously referenced.
Shaun
22-Oct-2007 11:49
In my tests with $_FILE, I found that file uploading didn't work when it was included in the function (Confirmed on Windows, not Apache.)

The problem caused is:  It removes the trailing / from what I have the tmp directory defined as.
So: When PHP tries to move a tmp file using move_uploaded_file, it's trying to move tmpxxxx.tmp

Whereas it should be trying to move: tmp/xxxx.tmp

In conclusion:
I found it easiest just to leave the $_FILES array alone.
$_FILES works differently than $_POST anyway.  It outputs an error if the file is invalid, so I'm not sure how someone could inject bad code into the field.

If anyone else can check this problem on a Linux/Unix server, that would be great.
webmaster at kevinjb dot com
12-Jul-2007 10:12
In response to jfrim at idirect dot com and the poster at 17-Jan-2007 09:37:

Here's the code I use:

<?php
if (get_magic_quotes_gpc()) {
    function stripslashes_array($array) {
        return is_array($array) ? array_map('stripslashes_array', $array) : stripslashes($array);
    }

    $_COOKIE = stripslashes_array($_COOKIE);
    $_FILES = stripslashes_array($_FILES);
    $_GET = stripslashes_array($_GET);
    $_POST = stripslashes_array($_POST);
    $_REQUEST = stripslashes_array($_REQUEST);
}
?>

Magic_quotes_gpc does NOT effect $_SERVER or $_ENV, I tested this myself on Windows with Apache and PHP 5. Removing slashes from them when there were none added to begin with ruins the variables in them!

I'm not sure at the moment whether it affects $_FILES or not, still looking into that one.
26-Feb-2007 08:57
Or more simply:
<?php    
private function stripslashes_deep($value) {
        $value = is_array($value) ? array_map(array($this, "stripslashes_deep"), $value) : stripslashes($value);
        return $value;
    }
?>
17-Jan-2007 06:37
I think most of the people posting below are a little confused about how this works...

To the person who said use addslashes rather than stripslashes... Well, the prefered use of MAGIC_QUOTES_GPC is off, so if you are designing code in such a manner well, using addlashes is of course going to do the same thing as having it turned on. DUH!

Next on the agenda, is the guy who posted the code which the above anonymous person(s) made a comment about. Good, except design your code to not use the HTTP_GET_VARS etc at all, PHP3 is completely outdated... Turn off these options in your .INI/.htaccess/registry files (etc) as well! Additionally, I do not believe that MAGIC_QUOTES affects $_SERVER or $_ENV. I also don't think it affects $_FILES however these values ARE submitted from the user therefor may get escaped.

Heres some code directly from a CMS I'm working on.

# strips slashes to a multi dimensional array, by reference
   function stripslashes_arrays(&$array) {
      if ( is_array($array) ) {
         $keys = array_keys($array);
         foreach ( $keys as $key ) {
            if ( is_array($array[$key]) ) {
               stripslashes_arrays($array[$key]);
            }
            else {
               $array[$key] = stripslashes($array[$key]);
            }
         }
      }
   }
  
# --- Handle input var escapes
# magic_quotes_runtime could corrupt data,
# so make sure it's turned off...
   set_magic_quotes_runtime(0);
# All escapes are handled from code...
# So rather, strip slashes if magic quotes is enabled
   if( get_magic_quotes_gpc() ) {
      stripslashes_arrays($_GET);
      stripslashes_arrays($_POST);
      stripslashes_arrays($_COOKIE);
#      stripslashes_arrays($_FILES);
# verify $_FILES gets escapes by MAGIC_QUOTES first
   }
Thomas dot Hoggard at gmail dot com
10-Nov-2006 10:09
/****
*    Recursivly removes all magicQuotes with multi-dimensional array support
****/
function removeMagicQuotes ($postArray, $trim = false)
{
    if (get_magic_quotes_gpc() == 1)
    {
        $newArray = array();   
       
        foreach ($postArray as $key => $val)
        {
            if (is_array($val))
            {
                $newArray[$key] = removeMagicQuotes ($val, $trim);
            }
            else
            {
                if ($trim == true)
                {
                    $val = trim($val);
                }
                $newArray[$key] = stripslashes($val);
            }
        }   
       
        return $newArray;   
    }
    else
    {
        return $postArray;   
    }       
}
judas dot iscariote at gmail dot com
08-Mar-2006 08:33
Just for the record. this feature has been removed as of PHP6.
now PHP works always like if magic_quotes_gpc Off.

get_magic_quotes_gpc, get_magic_quotes_runtime are kept but always return false, set_magic_quotes_runtime raises an E_CORE_ERROR.

this is great news, magic_quotes were a big annoyance.
27-Feb-2006 12:11
Using the .htaccess file may not always be possible for instance if you are running php on a windows IIS server.

Also the code by jfrim at idirect dot com doesn't actually fix the problem as it is stripping slashes, what you need to do is addslashes to things coming in.

the code by jfrim at idirect dot com is the right idea though although rather than saying stripslashes, you simply need to say addslashes and it should work.
edward at example dot com
07-Feb-2006 01:55
All the code listed on this page is not necessary if you use the php_flag directive in a .htaccess file. This allows you to disable magic quotes completely, without the need to adjust your php.ini file or (re)process the user's input.

Just take a look at http://www.php.net/manual/en/security.magicquotes.php#55935

Gist of his note: in the .htaccess file, add a line

php_flag magic_quotes_gpc off

That's it. Thank you very much, richard dot spindler :) !
jfrim at idirect dot com
27-Jan-2006 07:31
Unfortunately magic_quotes_gpc can not be changed at run-time, but here's a code block which will effectively get rid of it when executed.  Use this for PHP scripts which must be portable or run on servers where magic_quotes_gpc could be configured either way.

Note that the PHP help is a little misleading...  Magic_quotes_gpc affects more than just the Get, Post, and Cookie data!

<?php
//Prevent Magic Quotes from affecting scripts, regardless of server settings

//Make sure when reading file data,
//PHP doesn't "magically" mangle backslashes!
set_magic_quotes_runtime(FALSE);

if (get_magic_quotes_gpc()) {
    /*
    All these global variables are slash-encoded by default,
    because    magic_quotes_gpc is set by default!
    (And magic_quotes_gpc affects more than just $_GET, $_POST, and $_COOKIE)
    */
    $_SERVER = stripslashes_array($_SERVER);
    $_GET = stripslashes_array($_GET);
    $_POST = stripslashes_array($_POST);
    $_COOKIE = stripslashes_array($_COOKIE);
    $_FILES = stripslashes_array($_FILES);
    $_ENV = stripslashes_array($_ENV);
    $_REQUEST = stripslashes_array($_REQUEST);
    $HTTP_SERVER_VARS = stripslashes_array($HTTP_SERVER_VARS);
    $HTTP_GET_VARS = stripslashes_array($HTTP_GET_VARS);
    $HTTP_POST_VARS = stripslashes_array($HTTP_POST_VARS);
    $HTTP_COOKIE_VARS = stripslashes_array($HTTP_COOKIE_VARS);
    $HTTP_POST_FILES = stripslashes_array($HTTP_POST_FILES);
    $HTTP_ENV_VARS = stripslashes_array($HTTP_ENV_VARS);
    if (isset($_SESSION)) {    #These are unconfirmed (?)
        $_SESSION = stripslashes_array($_SESSION, '');
        $HTTP_SESSION_VARS = stripslashes_array($HTTP_SESSION_VARS, '');
    }
    /*
    The $GLOBALS array is also slash-encoded, but when all the above are
    changed, $GLOBALS is updated to reflect those changes.  (Therefore
    $GLOBALS should never be modified directly).  $GLOBALS also contains
    infinite recursion, so it's dangerous...
    */
}

function stripslashes_array($data) {
    if (is_array($data)){
        foreach ($data as $key => $value){
            $data[$key] = stripslashes_array($value);
        }
        return $data;
    }else{
        return stripslashes($data);
    }
}
?>
07-Dec-2005 03:09
You should try to avoid magic_quotes in all its flavors, use add_slashes() and strip_slashes() instead with user input and you will save time and avoid common problems that come along.

You should know also that if your server has php suexec enabled you won't be able use php_flag in .htaccess file to change php values like magic_quotes or register_globals. In this case you might wanna try creating a php.ini file on the same directory as your script and add something like this:

magic_quotes_runtime=off
magic_quotes_gpc=off
magic_quotes_sybase=off
register_globals=on ; only as an example

----
Mel
http://www.webhostingjournal.net/
richard dot spindler at gmail dot com
18-Aug-2005 10:59
to turn of magic quotes put the following line into the .htaccess file:

php_flag magic_quotes_gpc off
17-Jul-2005 04:44
Bright minds will have noticed, that one uses stripslashes() once on the input and saves that content for further processing. Then use addslashes() once before sending the content to the database or flat file.

Hint: if the application is using a MySql database, don't use addslashes() but mysql_real_escape_string().
nitrous at fuckoff dot com
26-Jan-2005 08:01
This "feature" is the cause of so many escaping problems.  It's very important to understand the implications of what magic quotes really do.

Nearly every call, except those being written directly to the database, using user submitted data will require a call to strip_slashes.  It gets very ugly very fast.

What should be done is proper escaping of shell parameters and database parameters. PHP provides several escaping functions intended for this purpose. Slashes alone don't cut it anyway.
add a note add a note

Pourquoi utiliser les guillemets magiques?> <Données transmises par les internautes
Last updated: Fri, 20 Jun 2008
 
 
show source | credits | sitemap | contact | advertising | mirror sites