Disabling Magic Quotes and Register Globals

#1

The question is simple: I want to disable the ‘magic quotes’ and ‘register globals’ options in my PHP configuration.
Before I was unaware of these configuration settings, which could cause security issues, but the latest version of my blog software (pivot) has a built-in check for it now.

So far I’ve tried the following ‘solution’: http://blog.dreamhosters.com/kbase/index.cgi?area=3070
This is what my .htaccess file currently looks like:

[quote]php_flag short_open_tag off
php_value register_globals 0
php_flag register_globals off
php_value magic_quotes 0
php_flag magic_quotes off
php_value magic_quotes_gpc 0
php_flag magic_quotes_gpc off[/quote]
No effect however. The “Run PHP as CGI” setting which is talked about is nowhere to be found (anymore?) by the way?!
My current settings:

[quote]PHP Version: 4.4.2
[X] - Extra Web Security
[ ] - FastCGI Support[/quote]

Is there another way without compiling my own PHP or switching to PHP5?

(My phpinfo.php: http://www.bramn.com/phpinfo.php)


#2

Put these lines at the top of whatever your site/app runs first. This will often be index.php but not necessarily, so double check.

ini_set('register_globals', 'off');
ini_set('magic_quotes_gpc', 'off');
ini_set('magic_quotes_runtime', 'off');

If you want useful replies, ask smart questions.


#3

Unfortunately, those aren’t going to work. register_globals and magic_quotes_gpc can only be set in .htaccess, httpd.conf or in the INI file: http://us3.php.net/manual/en/ini.php#ini.list

Your best bet is just to compile your own PHP. Trust me, it’s not as bad as you think. As a matter of fact you can even install the latest version.


yerba# rm -rf /etc
yerba#
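
Since `register_globals` and `magic_quotes_gpc` cannot be changed with ini_set(), a script can instead undo their effects when it starts. This is an added example, not code from the thread or from Pivot; the function names are hypothetical and it assumes the PHP 4.1+ superglobals.

```php
<?php
// Added example; helper names are hypothetical. Include before any other code.

// php_flag / php.ini booleans reach ini_get() as "1", "", "On", "Off", ...
function ini_flag_on($name)
{
    $v = strtolower(trim((string) ini_get($name)));
    return in_array($v, array('1', 'on', 'yes', 'true'), true);
}

// Undo the backslashes magic_quotes_gpc added to values, nested arrays included.
function strip_slashes_deep($value)
{
    return is_array($value)
        ? array_map('strip_slashes_deep', $value)
        : stripslashes($value);
}

function neutralize_legacy_input()
{
    // magic_quotes_runtime is PHP_INI_ALL, so ini_set() is allowed to change it.
    ini_set('magic_quotes_runtime', '0');

    // magic_quotes_gpc is PHP_INI_PERDIR: it cannot be switched off here, only undone.
    if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
        $_GET     = strip_slashes_deep($_GET);
        $_POST    = strip_slashes_deep($_POST);
        $_COOKIE  = strip_slashes_deep($_COOKIE);
        $_REQUEST = strip_slashes_deep($_REQUEST);
    }

    // register_globals is also PHP_INI_PERDIR: remove the globals it created
    // from request-supplied names, keeping the superglobals themselves.
    if (ini_flag_on('register_globals')) {
        if (isset($_REQUEST['GLOBALS']) || isset($_FILES['GLOBALS'])) {
            die('GLOBALS overwrite attempt');
        }
        $keep = array('GLOBALS', '_GET', '_POST', '_COOKIE', '_REQUEST',
                      '_SERVER', '_ENV', '_FILES', '_SESSION');
        foreach (array_keys(array_merge($_GET, $_POST, $_COOKIE, $_FILES)) as $k) {
            if (!in_array((string) $k, $keep, true) && isset($GLOBALS[$k])) {
                unset($GLOBALS[$k]);
            }
        }
    }
}

neutralize_legacy_input();

// Constructed sample of a value as magic_quotes_gpc would deliver it.
$sample = array('name' => 'O\\\'Reilly', 'tags' => array('a\\"b'));
print_r(strip_slashes_deep($sample));
```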


#4

Well, I’ll be damned. I’m so used to using those in httpd.conf or .htaccess that it never even occurred to me to check whether they can be set via ini_set(). I had honestly never had to use ini_set() for PHP config before coming here.

On the bright side, I’ve got most everything switched to PHP5-CGI now, which has somewhat more reasonable defaults.




#5

Changing in .htaccess would work fine for me.
But I’ve never used that file for anything but:

  • ErrorDocument 404 /customerror.php

It’d be pretty handy to be able to issue a PHP command such as:

  • ini_set('magic_quotes_runtime', 'on');

But it can’t just be pasted as a line in the .htaccess file (gives an error).

Can anyone tell me how an ini_set can be formatted in .htaccess to register as a proper PHP command?
TIA !