Disabling Magic Quotes and Register Globals



The question is simple: I want to disable the ‘magic quotes’ and ‘register globals’ options in my PHP configuration.
Before I was unaware of these configuration settings, which could cause security issues, but the latest version of my blog software (pivot) has a built-in check for it now.

So far I’ve tried the following ‘solution’: http://blog.dreamhosters.com/kbase/index.cgi?area=3070
This is what my .htaccess file currently looks like:

[quote]php_flag short_open_tag off
php_value register_globals 0
php_flag register_globals off
php_value magic_quotes 0
php_flag magic_quotes off
php_value magic_quotes_gpc 0
php_flag magic_quotes_gpc off[/quote]
No effect however. The “Run PHP as CGI” setting which is talked about is nowhere to be found (anymore?) by the way?!
My current settings:

[quote]PHP Version: 4.4.2
[X] - Extra Web Security
[ ] - FastCGI Support[/quote]

Is there another way without compiling my own PHP or switching to PHP5?

(My phpinfo.php: http://www.bramn.com/phpinfo.php)


Put these lines at the top of whatever your site/app runs first. This will often be index.php but not necessarily, so double check.

ini_set('register_globals', 'off');
ini_set('magic_quotes_gpc', 'off');
ini_set('magic_quotes_runtime', 'off');

If you want useful replies, ask smart questions.


Unfortunately, those aren’t going to work. register_globals and magic_quotes_gpc can only be set in .htaccess, httpd.conf or in the INI file: http://us3.php.net/manual/en/ini.php#ini.list

Your best bet is just to compile your own PHP. Trust me, it’s not as bad as you think. As a matter of fact you can even install the latest version.

yerba# rm -rf /etc


Well, I’ll be damned. I’m so used to using those in httpd.conf or .htaccess that it never even occurred to me to check whether they can be set via ini_set(). I had honestly never had to use ini_set() for PHP config before coming here.

On the bright side, I’ve got most everything switched to PHP5-CGI now, which has somewhat more reasonable defaults.



Changing in .htaccess would work fine for me.
But I’ve never used that file for anything but:

  • ErrorDocument 404 /customerror.php

It’d be pretty handy to be able to issue a PHP command such as:

  • ini_set('magic_quotes_runtime', 'on');
    But it can’t just be pasted as a line in the .htaccess file (gives error).

Can anyone tell me how an ini_set can be formatted in .htaccess to register as a proper PHP command?
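
When neither .htaccess nor ini_set() can change register_globals and magic_quotes_gpc, as described in this thread, a script can still undo their effects at run time. The following is an added example, not code from any of the posters; the function names undo_magic_quotes and undo_register_globals are made up for illustration, and it assumes the file is included before any other application code.

```php
<?php
// Added example, not code from the thread. Include it before anything else runs.
// Written for PHP 4/5; both settings were removed from PHP in 5.4.

// Strip the slashes magic_quotes_gpc added to request values (keys untouched).
function undo_magic_quotes($value)
{
    if (is_array($value)) {
        foreach ($value as $k => $v) {
            $value[$k] = undo_magic_quotes($v);
        }
        return $value;
    }
    return is_string($value) ? stripslashes($value) : $value;
}

// Remove the global variables register_globals created from request data.
function undo_register_globals()
{
    // A request parameter named GLOBALS is never legitimate.
    if (isset($_REQUEST['GLOBALS']) || isset($_FILES['GLOBALS'])) {
        exit('Invalid request');
    }
    $keep = array('GLOBALS', '_GET', '_POST', '_COOKIE', '_REQUEST',
                  '_SERVER', '_ENV', '_FILES', '_SESSION');
    $sources = array($_GET, $_POST, $_COOKIE, $_SERVER, $_ENV, $_FILES);
    if (isset($_SESSION) && is_array($_SESSION)) {
        $sources[] = $_SESSION;
    }
    foreach ($sources as $source) {
        foreach (array_keys($source) as $name) {
            if (!in_array($name, $keep, true) && isset($GLOBALS[$name])) {
                unset($GLOBALS[$name]);
            }
        }
    }
}

if (ini_get('register_globals')) {
    undo_register_globals();
}
if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
    $_GET     = undo_magic_quotes($_GET);
    $_POST    = undo_magic_quotes($_POST);
    $_COOKIE  = undo_magic_quotes($_COOKIE);
    $_REQUEST = undo_magic_quotes($_REQUEST);
}
// magic_quotes_runtime, unlike the other two, can be changed from a script.
ini_set('magic_quotes_runtime', '0');
```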