Disabling Magic Quotes and Register Globals

Disabling Magic Quotes and Register Globals

Posted by: bramn
Posted on: 2006-07-23 15:14:00

The question is simple, I want to disable the 'magic quotes' and 'register globals' options in my PHP configuration.
Before I was unaware of these configuration settings, which could cause security issues, but the latest version of my blog software (pivot) has a built-in check for it now.

So far I've tried the following 'solution': http://blog.dreamhosters.com/kbase/index.cgi?area=3070
This is how my .htaccess file currently looks like:

In reply to:

php_flag short_open_tag off
php_value register_globals 0
php_flag register_globals off
php_value magic_quotes 0
php_flag magic_quotes off
php_value magic_quotes_gpc 0
php_flag magic_quotes_gpc off

No effect however. The "Run PHP as CGI" setting which is talked about is nowhere to be found (anymore?) by the way?!
My current settings:

In reply to:

PHP Version: 4.4.2
[X] - Extra Web Security
[ ] - FactCGI Support


Is there another way without compiling my own PHP or switching to PHP5?

(My phpinfo.php: http://www.bramn.com/phpinfo.php)

Edited by bramn on 07/23/06 03:26 PM (server time).

Re: Disabling Magic Quotes and Register Globals

Posted by: kchrist
Posted on: 2006-07-23 18:42:00

Put these lines at the top of whatever your site/app runs first. This will often be index.php but not necessarily, so double check.

ini_set('register_globals', 'off');
ini_set('magic_quotes_gpc', 'off');
ini_set('magic_quotes_runtime', 'off');

Re: Disabling Magic Quotes and Register Globals

Posted by: guice
Posted on: 2006-07-24 06:16:00

Unfortunately, those aren't going to work. register_globals and magic_quotes_gpc can only be set in .htaccess, httpd.conf or in the INI file: http://us3.php.net/manual/en/ini.php#ini.list

Your best bet is just to compile your own PHP. Trust me, it's not as bad as you think. As a matter of fact you can even install the latest version.

Re: Disabling Magic Quotes and Register Globals

Posted by: kchrist
Posted on: 2006-07-24 10:04:00

Well, I'll be damned. I'm so used to using those in httpd.conf or .htaccess that it never even occured to me to check whether they can be set via ini_set(). I had honestly never had to use ini_set() for PHP config before coming here.

On the bright side, I've got most everything switched to PHP5-CGI now, which has somewhat more reasonable defaults.

Re: Disabling Magic Quotes / via htaccess

Posted by: love calm quiet
Posted on: 2006-12-12 08:48:00

Changing in .htaccess would work fine for me.
But I've never used that file for anything but:
- ErrorDocument 404 /customerror.php -

It'd be pretty handy to be able to issue a PHP command such as:
- ini_set('magic_quotes_runtime', 'on'); -
But it can't just be pasted as a line in .htaccess file (gives error).

Can anyone tell me how an ini_set can be formatted in .htaccess to register as proper php command?
TIA !

Tags: php versionphpinfoquoteshtaccess fileflag registerglobalshttpgpccgi areablogconfiguration settingsphp5