Magic Quotes and json_decode on Your Post Variables

CodeUnit, 15 APR 2010

Annoyingly, my PHP json_decode function was not working on my Ajax-posted data, which the JavaScript function JSON.stringify had serialized before it was posted to the script.

However, even more annoying than this was that the code worked perfectly fine on the live server but not a damn did it want to run on my local machine!

So I scratched around using good old Firebug and after a little investigation and a whole lot of printing out of values, I noticed that the stringified JSON data held in the POST variable in fact looked different on the live server and on localhost.

How so?

Well, for a start there were escaped quotation marks appearing on the local machine instead of the plain old quotation marks showing up on the live server.

Now by escaped I mean the quotes were all being prefixed by slashes, meaning that a simple stripslashes on the JSON data would work perfectly well and solve my problem – but of course, as we all can think for ourselves, that isn’t exactly the root of the problem now, is it?

So what is adding in all these unwanted slashes then?

Well, the answer of course is PHP’s magic_quotes_gpc ini setting. For those of you who don’t know, essentially this setting came into existence to help programmers who routinely forgot to escape their strings when inputting them into databases, and also as a sort of automatic defense mechanism against simple SQL injection attacks. By turning magic quotes on, the server automatically escapes all incoming quotes held in the HTTP request data (i.e. GET, POST, COOKIE) if they aren’t already escaped, meaning that in essence, it is possible for lazy programmers to get away with murder.

Of course, this has since been viewed as a bad idea and has been deprecated since PHP 5.3.0.

Anyway, for some or other very strange reason, XAMPP has seen fit to leave magic_quotes_gpc on in its default installation package, and this was what was causing all the hassles on my local development environment.

Thankfully turning it off is as simple as walking to the php.ini file and changing the line magic_quotes_gpc = On to magic_quotes_gpc = Off.

However, if, say, the situation was reversed and the problem was sitting on a server whose ini file you can’t manipulate (and remember, magic quotes can’t be manipulated at runtime in the usual ini_set fashion), here is a solution for you that actually works rather well:

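// Recursively remove the slashes magic quotes added, for scalars and nested arrays.
function stripslashes_deep($value)
{
  $value = is_array($value) ? array_map("stripslashes_deep", $value) : stripslashes($value);
  return $value;
}

// get_magic_quotes_gpc() was removed in PHP 8.0, so check that it exists before calling it.
if (function_exists("get_magic_quotes_gpc") && get_magic_quotes_gpc())
{
  $_POST = array_map("stripslashes_deep", $_POST);
  $_GET = array_map("stripslashes_deep", $_GET);
  $_COOKIE = array_map("stripslashes_deep", $_COOKIE);
  $_REQUEST = array_map("stripslashes_deep", $_REQUEST);
}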

As you can see above, we first check to see if magic quotes are indeed turned on. If so, we run a recursive stripslashes function against each HTTP request data variable we can think of and presto, problem solved!

My PHP json_decode was now handling my JavaScript JSON.stringify JSON data perfectly! :)
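The failure and the fix described above can be reproduced on a current PHP install; this is an added example, not code from the original post. It assumes addslashes() as a stand-in for magic_quotes_gpc, and the sample payload and the check() helper are constructed for illustration.

```php
<?php
// Added example. magic_quotes_gpc no longer exists in current PHP, so
// addslashes() stands in for it: it escapes the same characters (' " \ NUL).

function stripslashes_deep($value)
{
    return is_array($value) ? array_map('stripslashes_deep', $value) : stripslashes($value);
}

// Constructed sample of what JSON.stringify({note: "it's done", path: "C:\\temp"}) posts.
// Nowdoc syntax: no escape processing, the bytes are exactly as shown.
$sent = <<<'JSON'
{"note":"it's done","path":"C:\\temp"}
JSON;

// Decode and report whether the JSON parsed and whether the path survived.
function check($json)
{
    $data = json_decode($json, true);
    if (!is_array($data)) {
        return 'decode failed: ' . json_last_error_msg();
    }
    return $data['path'] === 'C:\temp' ? 'decoded, path intact' : 'decoded, path CORRUPTED';
}

$cases = array(
    'as sent by the browser'            => $sent,
    'magic quotes on, used directly'    => addslashes($sent),
    'magic quotes on, slashes stripped' => stripslashes_deep(addslashes($sent)),
    // Magic quotes off but stripping anyway: \\t collapses to \t, a JSON tab.
    'magic quotes off, stripped anyway' => stripslashes_deep($sent),
);

foreach ($cases as $label => $json) {
    printf("%-36s %s\n", $label, check($json));
}
```

The last case is why the get_magic_quotes_gpc() guard matters: stripping slashes from input that was never escaped can decode without error and still change the data.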

About Craig Lotter

Software developer, husband and dad to two little girls. Writer behind An Exploring South African. I don't have time for myself any more.

  • The PHP magic quotes gpc setting is off and the Joomla preinstallation wants it turned on for security reasons. How do you turn it on? Please be as specific as possible, because I am a newbie. Thank you.

    • Gurunathan Sivararaman

      $notes = json_decode($data);
      $handle = fopen('patients/in_file.txt', 'r');

      $notes1 = json_decode(fgets($handle));

      fclose($handle);

      both fgets($handle) and $data have the same value

      [{"ID":1,"LEFT":"70.87087087087087","TOP":"22.8","WIDTH":"4.804804804804805","HEIGHT":"3.2","DATE":{"Y":"2011","M":"01","D":"23","H":"22","I":"42"},"NOTE":"dsfs","AUTHOR":"","LINK":"","COLOR":"orange"}]

      but $notes returns NULL, whereas $notes1 returns Array ( [0] => stdClass Object ( [ID] => 1 [LEFT] => 70.87087087087087 [TOP] => 22.8 [WIDTH] => 4.804804804804805 [HEIGHT] => 3.2 [DATE] => stdClass Object ( [Y] => 2011 [M] => 01 [D] => 23 [H] => 22 [I] => 42 ) [NOTE] => dsfs [AUTHOR] => [LINK] => [COLOR] => orange ) ).

      Please do help..

  • Hey, nice post shared by you. I like it much and I will use it in my future.

  • Why I am worried is my website is providing web designing services. So, if I put add that look and feel is going to decrease a bit…

  • Hey is this possible.

  • Roberto

    thank. you.

  • I use Firebug to see what JSON is creating and it seems to be doing its job and outputs the same string as on my local server.

  • I like to see magical games very much because these are very interesting games.

  • I LOVE YOU. Really, thanks. It was driving me mad because on my testing server all was fine. Fuck magic quotes.