当前位置: 文江博客话题详情

如何关闭共享主机上的魔术引号?

发布于 2024-07-13 15:21:23 字数 317 浏览 10 评论 0原文

我想关闭 PHP 的魔术引号。 我无权访问 php.ini。

当我尝试将 php_flag magic_quotes_gpc off 添加到我的 .htaccess 文件时,出现 500 内部服务器错误。 这就是我的 .htaccess 文件的样子:

AddType x-mapp-php5 .php
php_flag magic_quotes_gpc off

然后我尝试使用 ini_set('magic_quotes_gpc', 'O'),但这没有效果。

如何关闭魔术引号?

原文

I want to turn off PHP's magic quotes. I don't have access to php.ini.

When I tried to add php_flag magic_quotes_gpc off to my .htaccess file, I get a 500 internal server error. This is what my .htaccess file looks like:

AddType x-mapp-php5 .php
php_flag magic_quotes_gpc off

Then I tried to use ini_set('magic_quotes_gpc', 'O'), but that had no effect.

How do I turn magic quotes off?

如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。

扫码二维码加入Web技术交流群

发布评论

需要 登录 才能够评论, 你可以免费 注册 一个本站的账号。

评论(13

A君 2024-07-20 15:21:23

根据手册,您通常可以在共享上安装自定义 php.ini托管,其中未使用 mod_php,因此 php_value 指令会导致错误。 对于 suexec/FastCGI 设置,在任何情况下,每个网站空间都有一个 php.ini 是很常见的。

--

我不认为 O(大写字母 o)是设置 ini 标志的有效值。 您需要使用 true/false、1/0 或“on”/“off”值。

ini_set( 'magic_quotes_gpc', 0 );   // doesn't work

编辑

检查ini设置列表后,我看到magic_quotes_gpc 是一个 PHP_INI_PERDIR 设置(4.2.3 之后),这意味着您无法使用 ini_set() 更改它(只有 PHP_INI_ALL 设置可以使用 ini_set() 进行更改)

这意味着您必须使用 .htaccess 文件来执行此操作 - 或者 - 实现一个脚本来反转魔术引号的效果。 像这样的东西

if ( in_array( strtolower( ini_get( 'magic_quotes_gpc' ) ), array( '1', 'on' ) ) )
{
    $_POST = array_map( 'stripslashes', $_POST );
    $_GET = array_map( 'stripslashes', $_GET );
    $_COOKIE = array_map( 'stripslashes', $_COOKIE );
}

As per the manual you can often install a custom php.ini on shared hosting, where mod_php isn't used and the php_value directive thus leads to an error. For suexec/FastCGI setups it is quite common to have a per-webspace php.ini in any case.

--

I don't think O (uppercase letter o) is a valid value to set an ini flag. You need to use a true/false, 1/0, or "on"/"off" value.

ini_set( 'magic_quotes_gpc', 0 );   // doesn't work

EDIT

After checking the list of ini settings, I see that magic_quotes_gpc is a PHP_INI_PERDIR setting (after 4.2.3), which means you can't change it with ini_set() (only PHP_INI_ALL settings can be changed with ini_set())

What this means is you have to use an .htaccess file to do this - OR - implement a script to reverse the effects of magic quotes. Something like this

if ( in_array( strtolower( ini_get( 'magic_quotes_gpc' ) ), array( '1', 'on' ) ) )
{
    $_POST = array_map( 'stripslashes', $_POST );
    $_GET = array_map( 'stripslashes', $_GET );
    $_COOKIE = array_map( 'stripslashes', $_COOKIE );
}
回复 原文
与君绝 2024-07-20 15:21:23

虽然我无法说出为什么 php_flag 会给出 500 Internal Server Error,但我会指出 PHP 手册 有一个示例,用于检测魔术引号是否打开并在运行时将其从超全局中剥离。 与发布的其他代码不同,这个代码是递归的,并且会正确地从数组中删除引号:

更新:我今天注意到 PHP 手册上有以下代码的新版本,它使用对超级全局变量的引用。

旧版本:

<?php
if (get_magic_quotes_gpc()) {
    function stripslashes_deep($value)
    {
        $value = is_array($value) ?
                    array_map('stripslashes_deep', $value) :
                    stripslashes($value);

        return $value;
    }

    $_POST = array_map('stripslashes_deep', $_POST);
    $_GET = array_map('stripslashes_deep', $_GET);
    $_COOKIE = array_map('stripslashes_deep', $_COOKIE);
    $_REQUEST = array_map('stripslashes_deep', $_REQUEST);
}
?>

新版本:

<?php
if (get_magic_quotes_gpc()) {
    $process = array(&$_GET, &$_POST, &$_COOKIE, &$_REQUEST);
    while (list($key, $val) = each($process)) {
        foreach ($val as $k => $v) {
            unset($process[$key][$k]);
            if (is_array($v)) {
                $process[$key][stripslashes($k)] = $v;
                $process[] = &$process[$key][stripslashes($k)];
            } else {
                $process[$key][stripslashes($k)] = stripslashes($v);
            }
        }
    }
    unset($process);
}
?>

While I can't say why php_flag is giving you 500 Internal Server Errors, I will point out that the PHP manual has an example of detecting if magic quotes is on and stripping it from the superglobals at runtime. Unlike the others posted, this one is recursive and will correctly strip quotes from arrays:

Update: I noticed today that there's a new version of the following code on the PHP manual that uses references to the super-globals instead.

Old version:

<?php
if (get_magic_quotes_gpc()) {
    function stripslashes_deep($value)
    {
        $value = is_array($value) ?
                    array_map('stripslashes_deep', $value) :
                    stripslashes($value);

        return $value;
    }

    $_POST = array_map('stripslashes_deep', $_POST);
    $_GET = array_map('stripslashes_deep', $_GET);
    $_COOKIE = array_map('stripslashes_deep', $_COOKIE);
    $_REQUEST = array_map('stripslashes_deep', $_REQUEST);
}
?>

New version:

<?php
if (get_magic_quotes_gpc()) {
    $process = array(&$_GET, &$_POST, &$_COOKIE, &$_REQUEST);
    while (list($key, $val) = each($process)) {
        foreach ($val as $k => $v) {
            unset($process[$key][$k]);
            if (is_array($v)) {
                $process[$key][stripslashes($k)] = $v;
                $process[] = &$process[$key][stripslashes($k)];
            } else {
                $process[$key][stripslashes($k)] = stripslashes($v);
            }
        }
    }
    unset($process);
}
?>
回复 原文
白衬杉格子梦 2024-07-20 15:21:23

这将解决创建本地 php.ini 文件时出现“Class 'PDO' not found”的问题。

如果您无法使用 htaccess 文件关闭魔术引号(由于 Pete Bailey 已经给出的原因),只需:

  1. 创建一个文本文件
  2. 将其重命名为“php.ini”
  3. 添加行
magic_quotes_gpc = Off
magic_quotes_runtime = Off
magic_quotes_sybase = Off
extension=pdo.so
extension=pdo_mysql.so
  1. 将其保存到脚本所在的目录正在执行。

更新:如果您只想拥有新 php.ini 文件的一份副本,请将此行添加到您的根 .htaccess 文件中:

SetEnv PHPRC /path/to/site/root/public_html/php.ini

显然,您需要将 ini 文件移动到该位置,因为它尚不存在。

希望这可以节省我刚刚花费的 2 个小时!

This will solve the problem of getting "Class 'PDO' not found" when you create a local php.ini file.

If you can't turn off magic quotes using the htaccess file (for reasons already given by Pete Bailey) just:

  1. Create a text file
  2. Rename it to 'php.ini'
  3. Add the lines
magic_quotes_gpc = Off
magic_quotes_runtime = Off
magic_quotes_sybase = Off
extension=pdo.so
extension=pdo_mysql.so
  1. Save it to the directory/ies in which your scripts are executing.

Update: if you want to have just one copy of the new php.ini file then add this line to your root .htaccess file:

SetEnv PHPRC /path/to/site/root/public_html/php.ini

Obviously you need to move the ini file to this location of it's not there already.

Hope that saves someone the 2 hours it's just taken me!

回复 原文
青萝楚歌 2024-07-20 15:21:23

.htaccess 文件中的 php_flag 和 php_value 在技术上是正确的 - 但仅适用于作为 Apache 模块安装的 PHP。 在共享主机上,您几乎永远找不到这样的设置; PHP 作为 CGI 运行,原因与安全相关(使您的服务器邻居远离您的文件)以及 phpsuexec 作为“您”而不是 apache 用户运行脚本的方式。

因此,Apache 是正确的,会给你一个服务器错误:除非加载 PHP 模块,否则它不知道 php_flag 的含义。 CGI 二进制文件对于 Apache 来说是一个外部程序,您无法从 Apache 内部配置它。

现在好消息是:您可以设置每个目录的配置,在其中放置一个名为“php.ini”的文件,并使用与系统主 php.ini 中相同的语法在其中设置指令。 PHP 手册列出了所有可设置的指令:您可以设置那些标有 PHP_INI_PERDIR 的指令或 PHP_INI_ALL,而只有系统管理员可以在服务器范围的 php.ini 中设置那些标记为 PHP_INI_SYSTEM 的内容。

请注意,此类 php.ini 指令不会由子目录继承,您必须为它们提供自己的 php.ini。

The php_flag and php_value inside a .htaccess file are technically correct - but for PHP installed as an Apache module only. On a shared host you'll almost never find such a setup; PHP is run as a CGI instead, for reasons related to security (keeping your server neighbours out of your files) and the way phpsuexec runs scripts as 'you' instead of the apache user.

Apache is thus correct giving you a server error: it doesn't know about the meaning of php_flag unless the PHP module is loaded. A CGI binary is to Apache an external program instead, and you can't configure it from within Apache.

Now for the good news: you can set up per-directory configuration putting there a file named 'php.ini' and setting there your instructions using the same syntax as in the system's main php.ini. The PHP manual lists all settable directives: you can set those marked with PHP_INI_PERDIR or PHP_INI_ALL, while only the system administrator can set those marked PHP_INI_SYSTEM in the server-wide php.ini.

Note that such php.ini directives are not inherited by subdirectories, you'll have to give them their own php.ini.

回复 原文
绅士风度i 2024-07-20 15:21:23

=======================
=============== 我的解决方案==============================
(将您的 php.ini 重命名为 php5.ini)

并在顶部 (!) 添加这些:

magic_quotes_gpc = Off
magic_quotes_runtime = Off
magic_quotes_sybase = Off
extension=pdo.so
extension=pdo_mysql.so

然后在 .htaccess 中添加以下内容(在顶部):

SetEnv PHPRC /home/your_path/to/public_html/php5.ini

ps change /home/your_path/to/ 正确(您可以通过从典型的 .php 文件执行 命令来查看该路径。)

========================
=============== MY SOLUTION ============================
(rename your php.ini to php5.ini)

and in the top (!), add these:

magic_quotes_gpc = Off
magic_quotes_runtime = Off
magic_quotes_sybase = Off
extension=pdo.so
extension=pdo_mysql.so

then in .htaccess, add this (in the top):

SetEnv PHPRC /home/your_path/to/public_html/php5.ini

p.s. change /home/your_path/to/ correctly (you can see that path by executing the <?php phpinfo(); ?> command from a typical .php file.)

回复 原文
掀纱窥君容 2024-07-20 15:21:23

如果您运行的是 PHP 5.3+,这可以解决问题,请将其放在页面的最顶部:

if (get_magic_quotes_gpc() === 1)
{
    $_GET = json_decode(stripslashes(json_encode($_GET, JSON_HEX_APOS)), true);
    $_POST = json_decode(stripslashes(json_encode($_POST, JSON_HEX_APOS)), true);
    $_COOKIE = json_decode(stripslashes(json_encode($_COOKIE, JSON_HEX_APOS)), true);
    $_REQUEST = json_decode(stripslashes(json_encode($_REQUEST, JSON_HEX_APOS)), true);
}

处理键、值和多维数组。

If you're running PHP 5.3+ this will do the trick, place it at the topmost of your page:

if (get_magic_quotes_gpc() === 1)
{
    $_GET = json_decode(stripslashes(json_encode($_GET, JSON_HEX_APOS)), true);
    $_POST = json_decode(stripslashes(json_encode($_POST, JSON_HEX_APOS)), true);
    $_COOKIE = json_decode(stripslashes(json_encode($_COOKIE, JSON_HEX_APOS)), true);
    $_REQUEST = json_decode(stripslashes(json_encode($_REQUEST, JSON_HEX_APOS)), true);
}

Handles keys, values and multi-dimensional arrays.

回复 原文
木森分化 2024-07-20 15:21:23

如果您的托管提供商使用 cpanel,
您可以尝试将 php.ini 复制到您的 web 目录中
并用 magic_quotes_gpc = off 编辑它

if your hosting provider using cpanel,
you can try copying php.ini into your web directory
and edit it with magic_quotes_gpc = off

回复 原文
oО清风挽发oО 2024-07-20 15:21:23

我知道我回答这个问题已经晚了,但我读了大部分答案,虽然很多答案都很棒,但只有 djn 实际上解释了为什么您会收到此500内部服务器错误

虽然他的解释 100% 正确,但这是一个完美的例子,说明了为什么您应该始终将它们包装在 中。 虽然这无法解决无法在 .htaccess 中设置这些标志的实际问题,但它至少可以防止 500 错误

<IfModule mod_php5.c>
    # put all of your php_flags here, for example:
    php_flag magic_quotes_gpc off
</IfModule>

或者对于旧版本,它将是 等。

我尝试养成总是这样做的习惯,以避免任何此类 500 错误。 之后,只需应用Peter Bailey所说的即可。

I know I'm late to answer this, but I read most of the answers and while many were great, only djn actually explained why you were getting this 500 Internal Server Error.

While his explanation was 100% correct, this is a perfect example of why you should always wrap those in an <IfModule>. While this won't fix the actual problem of not being able to set those flags in your .htaccess, it will at least prevent the 500 error.

<IfModule mod_php5.c>
    # put all of your php_flags here, for example:
    php_flag magic_quotes_gpc off
</IfModule>

Or for older versions it would be <IfModule mod_php.c> etc.

I try to make a habit out of always doing this so as to avoid any such 500 errors. After that, just apply what Peter Bailey said.

回复 原文
韵柒 2024-07-20 15:21:23

不同的托管提供商有不同的程序来执行此操作,因此我会在他们的论坛上询问或提交支持请求。

如果你无法关闭它们,你总是可以使用这样的东西,无论魔术引号是打开还是关闭,它都会转义输入:

//using mysqli

public function escapeString($stringToBeEscaped) {

    return $this->getConnection()->real_escape_string(stripslashes($stringToBeEscaped));
}

Different hosting providers have different procedures for doing this, so I would ask on their forums or file a support request.

If you can't turn them off, you could always using something like this which will escape input regardless of whether magic quotes are on or off:

//using mysqli

public function escapeString($stringToBeEscaped) {

    return $this->getConnection()->real_escape_string(stripslashes($stringToBeEscaped));
}
回复 原文
夜灵血窟げ 2024-07-20 15:21:23

  1. 如果删除 AddType 行,它会起作用吗? 我不太确定为什么这与关闭魔术引号有关。

  2. 如果 PHP 没有在 mod_php 下运行,htaccess 将无法工作。 它可以作为 CGI 工作吗?

这确实适合您的托管公司。

  1. Does it work if you remove the AddType line? I'm not quite sure why that's relevant to turning magic quotes off.

  2. If PHP isn't running under mod_php, htaccess won't work. Does it work as a CGI?

This is one for your hosting company really.

回复 原文
云柯 2024-07-20 15:21:23

BaileyP的答案已经相当不错了,但我会用这个条件来代替:

if(function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc() === 1){
  $_POST = array_map( 'stripslashes', $_POST );
  $_GET = array_map( 'stripslashes', $_GET );
  $_COOKIE = array_map( 'stripslashes', $_COOKIE );
}

它更具防御性。

BaileyP's answer is already pretty good, but I would use this condition instead:

if(function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc() === 1){
  $_POST = array_map( 'stripslashes', $_POST );
  $_GET = array_map( 'stripslashes', $_GET );
  $_COOKIE = array_map( 'stripslashes', $_COOKIE );
}

It is more defensive.

回复 原文
反目相谮 2024-07-20 15:21:23

$_SERVER 怎么样?

if (get_magic_quotes_gpc() === 1) {

    $_GET = json_decode(stripslashes(json_encode($_GET, JSON_HEX_APOS)), true);
    $_POST = json_decode(stripslashes(json_encode($_POST, JSON_HEX_APOS)), true);
    $_COOKIE = json_decode(stripslashes(json_encode($_COOKIE, JSON_HEX_APOS)), true);
    $_REQUEST = json_decode(stripslashes(json_encode($_REQUEST, JSON_HEX_APOS)), true); 
    $_SERVER = json_decode( stripslashes(json_encode($_SERVER,JSON_HEX_APOS)), true); 
}

How about $_SERVER ?

if (get_magic_quotes_gpc() === 1) {

    $_GET = json_decode(stripslashes(json_encode($_GET, JSON_HEX_APOS)), true);
    $_POST = json_decode(stripslashes(json_encode($_POST, JSON_HEX_APOS)), true);
    $_COOKIE = json_decode(stripslashes(json_encode($_COOKIE, JSON_HEX_APOS)), true);
    $_REQUEST = json_decode(stripslashes(json_encode($_REQUEST, JSON_HEX_APOS)), true); 
    $_SERVER = json_decode( stripslashes(json_encode($_SERVER,JSON_HEX_APOS)), true); 
}
回复 原文
在风中等你 2024-07-20 15:21:23

如果您无法将其关闭,我通常会这样做:

get_magic_quotes_gpc() ? $_POST['username'] : mysql_real_escape_string($_POST['username']);

它将以其正确的格式放置在数据库中。

If you can't turn it off, here is what I usually do:

get_magic_quotes_gpc() ? $_POST['username'] : mysql_real_escape_string($_POST['username']);

It will be placed in the database in its proper format.

回复 原文
~没有更多了~

关于作者

奶气

暂无简介

0 文章
0 评论
22 人气
发私信

相关话题

更多

热门标签

操作系统 程序设计 IT运维 Linux系统管理 JavaScript 服务器应用 solaris C/C++ PHP Shell BSD Vue.js aix Oracle Python HTML 系统管理 HTML5 CSS 前端
更多

推荐作者

留蓝

文章 0 评论 0

18790681156

文章 0 评论 0

zach7772

文章 0 评论 0

Wini

文章 0 评论 0

ayeshaaroy

文章 0 评论 0

初雪

文章 0 评论 0

更多

友情链接

文江博客
    我们使用 Cookies 和其他技术来定制您的体验包括您的登录状态等。通过阅读我们的 隐私政策 了解更多相关信息。 单击 接受 或继续使用网站,即表示您同意使用 Cookies 和您的相关数据。
    原文