I have an Ubuntu 10.04 server, running PHP 5.3.2 and I have these lines set in my php.ini file:
magic_quotes_gpc = Off
magic_quotes_runtime = Off
magic_quotes_sybase = Off
There are NO other php.ini files (I searched the whole hard drive), I checked ALL apache2 configuration files (including ALL .htaccess files on the entire hard drive), and they are not referenced anywhere else.
However:
<?php
ini_set('display_errors', 1);
error_reporting(E_ALL);
var_dump(get_magic_quotes_gpc());
?>
Produces this output: int(1) That is, the magic quotes are on, which is easily verifiable by adding any type of request with quotes, and they will be quoted out. I have fixed this by adding the following to my root .htaccess file:
php_flag magic_quotes_gpc Off
The aforementioned code now produces the desired result: int(0), and no output is quoted.
So the question: why, oh dear God why, were the magic quotes on in the first place?! Yes, I know this question is similar to others that have been asked. I'm not looking for a "quick fix", and yes, I know magic quotes will be removed in php 5.4. But the truth is, I will need to maintain backwards compatibility for a few years after 5.4 comes out (different clients, etc), and so I'm trying to figure out why magic quotes were on. I know I can fix this by adding a line to my root .htaccess file (as I've shown), but I would much rather have a greater understanding of how my php.ini setting was overridden in the first place.
So does anyone have any ideas on how it could have been turned on?
I finally figured it out; update apache2 and php5:
apt-get update
apt-get install apache2 php5
This is a bug with certain versions in apache2 and/or php5. The version in Debian's apt universe has been updated, so just updating will fix the problem.