I have a default site template I use for my site like below:
<!-- Meta start -->
<title></title>
<meta name="description" content="" />
<meta name="keywords" content="" />
<!-- Meta end -->
<?php
require_once($sidebar_inc);
?>
<?php
// main.inc.php
require_once($main_inc);
?>
<!-- CONTENT START -->
<?php
// signup.tpl template location
$tpl = 'inc/tpl/signup.tpl';
// check if files exists and is readable
if(file_exists($tpl) && is_readable($tpl)) {
echo file_get_contents($tpl);
} else {
echo 'Template not found';
}
?>
<!-- CONTENT FINISH -->
<?php
// footer.inc.php
require_once($footer_inc);
?>
Now my problem is when the signup.tpl
is included via file_get_contents
if magic quotes is on it adds "\
to all the form data.
Here is the signup.tpl
template
<h1>Sign up</h1>
<p>Welcome to SITE_NAME. To get started, you’ll need an account.</p>
<form action="signup.php" method="post">
<div class="form_settings">
<p><span>Name</span><input class="contact" type="text" name="your_name" value="" /></p>
<p><span>Email Address</span><input class="contact" type="text" name="your_email" value="" /></p>
<p><span>Message</span><textarea class="contact textarea" rows="8" cols="50" name="your_enquiry"></textarea></p>
<p style="padding-top: 15px"><span> </span><input class="submit" type="submit" name="contact_submitted" value="submit" /></p>
</div>
</form>
Basically with magic quotes on it looks like this when the signup.tpl
is included.
But with magic quotes off it does not add slashes so it looks as it should:
Now I know you should not have magic quotes on but I have a function to strip slashes if magic quotes is on from all $_GET, $_POST, $_COOKIE, $_SESSION
so my scripts will work even if magic quotes is on. The problem is I don't know how to solve my problem that if magic quotes is on that it won't add slashes to the signup.tpl
. I just want to make sure my script(s) will work if i for example moved it to a server which had magic quotes on.
What do I need to do to stop magic quotes adding slashes to the signup.tpl? I know I could just turn magic quotes off but like I said in case I changed server which had magic quotes on and did not allow to turn off magic quotes.
(Ignore the form, it is not a signup form just used as sample to show problem).
There are two magic quotes settings. From the manual:
; Magic quotes for incoming GET/POST/Cookie data.
magic_quotes_gpc = Off
; Magic quotes for runtime-generated data, e.g. data from SQL, from exec(), etc.
magic_quotes_runtime = Off
Magic-quotes-runtiume is not the same thing as magic GPC quoting - magic-quotes-runtime happens to all input at runtime, not just the GET/POST/COOKIE globals. You need to disable this setting at the start of your script:
set_magic_quotes_runtime(false); # pre 5.3
ini_set('magic_quotes_runtime', 0); # 5.3 onwards