phpmagic-quotes

PHP Magic Quotes adding slashes to template file?


I have a default site template I use for my site like below:

<!-- Meta start -->
<title></title>
<meta name="description" content="" />
<meta name="keywords" content="" />
<!-- Meta end -->

<?php
    require_once($sidebar_inc);
?>

<?php
    // main.inc.php
    require_once($main_inc);
?>

<!-- CONTENT START -->
<?php
    // signup.tpl template location
    $tpl = 'inc/tpl/signup.tpl';
    // check if files exists and is readable
    if(file_exists($tpl) && is_readable($tpl)) {
        echo file_get_contents($tpl);
    } else {
        echo 'Template not found';
    }
?>

<!-- CONTENT FINISH -->

<?php
    // footer.inc.php
    require_once($footer_inc);
?>

Now my problem is when the signup.tpl is included via file_get_contents if magic quotes is on it adds "\ to all the form data.

Here is the signup.tpl template

<h1>Sign up</h1>

<p>Welcome to SITE_NAME. To get started, you’ll need an account.</p>

<form action="signup.php" method="post">
    <div class="form_settings">
        <p><span>Name</span><input class="contact" type="text" name="your_name" value="" /></p>
        <p><span>Email Address</span><input class="contact" type="text" name="your_email" value="" /></p>
        <p><span>Message</span><textarea class="contact textarea" rows="8" cols="50" name="your_enquiry"></textarea></p>
        <p style="padding-top: 15px"><span>&nbsp;</span><input class="submit" type="submit" name="contact_submitted" value="submit" /></p>
    </div>
</form>

Basically with magic quotes on it looks like this when the signup.tpl is included.

enter image description here

But with magic quotes off it does not add slashes so it looks as it should:

enter image description here

Now I know you should not have magic quotes on but I have a function to strip slashes if magic quotes is on from all $_GET, $_POST, $_COOKIE, $_SESSION so my scripts will work even if magic quotes is on. The problem is I don't know how to solve my problem that if magic quotes is on that it won't add slashes to the signup.tpl. I just want to make sure my script(s) will work if i for example moved it to a server which had magic quotes on.

What do I need to do to stop magic quotes adding slashes to the signup.tpl? I know I could just turn magic quotes off but like I said in case I changed server which had magic quotes on and did not allow to turn off magic quotes.

(Ignore the form, it is not a signup form just used as sample to show problem).


Solution

  • There are two magic quotes settings. From the manual:

    ; Magic quotes for incoming GET/POST/Cookie data.
    magic_quotes_gpc = Off
    
    ; Magic quotes for runtime-generated data, e.g. data from SQL, from exec(), etc.
    magic_quotes_runtime = Off
    

    Magic-quotes-runtiume is not the same thing as magic GPC quoting - magic-quotes-runtime happens to all input at runtime, not just the GET/POST/COOKIE globals. You need to disable this setting at the start of your script:

    set_magic_quotes_runtime(false); # pre 5.3
    ini_set('magic_quotes_runtime', 0); # 5.3 onwards