
Which superglobals are affected by magic_quotes_gpc = 1?


Looking at the name of this directive, one may think that magic_quotes are only applied to the $_GET, $_POST and $_COOKIE superglobals, but there is one perturbing comment in the PHP Manual:

Please note, that when magic_quotes_gpc is set not only $_POST, $_GET, $_REQUEST, $_COOKIE arrays values are slashed. Actually every string value in $GLOBALS array is slashed, ie. $GLOBALS['_SERVER']['PATH_INFO'] (or $_SERVER['PATH_INFO']).

Can anyone confirm that this is true? Are the superglobals $GLOBALS, $_SERVER, $_FILES, $_SESSION and $_ENV affected as well?

One more question: if I iterate stripslashes() over the $_GET, $_POST and $_COOKIE arrays, do I also need to iterate through the $_REQUEST array? Or are the changes automatically reflected?


Solution

  • I've run some tests on LightTPD 1.4.20 and PHP 5.3.0 with magic_quotes_gpc = On and $_SERVER wasn't altered (at least [SERVER_NAME] => local'host didn't). $_SESSION also isn't affected by magic_quotes.

    $_GET, $_POST, $_COOKIE and $_REQUEST were affected (and their $GLOBALS counterparts).

    Also, the changes in the GPC superglobals aren't automatically reflected in $_REQUEST.

    As for the $_FILES and $_ENV superglobals I'm not able to test them ATM.


    I've finally run this test and, to my surprise, both $_FILES and php://input are affected.
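
Added example, not part of the answer above: a one-time normalisation step for the arrays the answer reports as slashed, with $_REQUEST handled explicitly because changes to $_GET, $_POST and $_COOKIE are not reflected in it. The function names are hypothetical, the sample array is constructed, and $_FILES and php://input are left out of this sketch.

```php
<?php
// Added example; strip_magic_slashes() and undo_magic_quotes_gpc() are
// hypothetical helper names, not PHP built-ins.

// Recursively strip slashes from string values. Array keys are left untouched.
function strip_magic_slashes($value)
{
    if (is_array($value)) {
        foreach ($value as $k => $v) {
            $value[$k] = strip_magic_slashes($v);
        }
        return $value;
    }
    return is_string($value) ? stripslashes($value) : $value;
}

// Call once, before any other code reads request data.
// Returns true if the arrays were rewritten, false if nothing was done.
function undo_magic_quotes_gpc()
{
    static $done = false;
    // magic_quotes_gpc was removed in PHP 5.4, so newer runtimes never need
    // this and get_magic_quotes_gpc() is not called on them. The static flag
    // prevents a second call from stripping legitimate backslashes.
    if ($done || version_compare(PHP_VERSION, '5.4.0', '>=') || !get_magic_quotes_gpc()) {
        return false;
    }
    $_GET     = strip_magic_slashes($_GET);
    $_POST    = strip_magic_slashes($_POST);
    $_COOKIE  = strip_magic_slashes($_COOKIE);
    // $_REQUEST is a separate copy, so it has to be cleaned on its own.
    $_REQUEST = strip_magic_slashes($_REQUEST);
    $done = true;
    return true;
}

undo_magic_quotes_gpc();

// Constructed sample showing the recursive handling of nested parameters,
// shaped like a slashed request for ?q=O'Reilly&filter[author]=d'Arc
$sample = array('q' => "O\\'Reilly", 'filter' => array('author' => "d\\'Arc"));
var_dump(strip_magic_slashes($sample));
```

Stripping the slashes only restores the raw input; values still need parameterised queries or context-appropriate escaping where they are used.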