where should I turn off magic quotes?

Discussion regarding Joomla! security issues.

Moderator: General Support Moderators

Forum rules
Forum Rules
Absolute Beginner's Guide to Joomla! <-- please read before posting, this means YOU.
Security Checklist
Forum Post Assistant - If you are serious about wanting help, you will use this tool to help you post.
Locked
drb06
Joomla! Intern
Joomla! Intern
Posts: 83
Joined: Thu Apr 27, 2006 2:54 am

where should I turn off magic quotes?

Post by drb06 » Tue Sep 12, 2006 5:36 pm

after upgrading to 1011, i got this message:
PHP magic_quotes_gpc setting is `OFF` instead of `ON

Could somebody please point to me which file I should edit to turn it off?

Thanks

drb

User avatar
phoebe
Joomla! Enthusiast
Joomla! Enthusiast
Posts: 132
Joined: Wed Mar 22, 2006 8:00 am
Location: UK
Contact:

Re: where should I turn off magic quotes?

Post by phoebe » Tue Sep 12, 2006 6:14 pm

This is in your php.ini file on your server.  Depending on what set up you have, you may be able to edit it yourself, or have to ask your hoster to do it for you.
Phoebe
--
I'm not bossy, I just have better ideas.

corsebou
Joomla! Intern
Joomla! Intern
Posts: 89
Joined: Sat Jul 29, 2006 8:56 pm

Re: where should I turn off magic quotes?

Post by corsebou » Tue Sep 12, 2006 6:15 pm

Hello!
You are going to get shout on by the editors because its written on many posts how to turn it off...
(since its a important part of the security warnings of joomla 1.0.11)

I give you the source: (its the official sticky post on security)
http://forum.joomla.org/index.php/topic,93640.0.html

and the extract:
Magic Quotes
What does it do?
This function makes sure that all variables that are handed over to your database are getting escaped. This means that potential hacker attempts on your database through PHP scripts are prevented. This option should be turned ON!

How can I turn magic_quotes_gpc on?
Basically its the same as with register_globals, the only difference is, that you have to put the following line in your .htaccess:

Code:
php_flag magic_quotes_gpc on
And in the php.ini:

Code:
magic_quotes_gpc = on



else I give you the php source:
http://ch2.php.net/manual/en/security.m ... abling.php


If access to the server configuration is unavailable, use of .htaccess is also an option. For example:

php_flag magic_quotes_gpc Off


that will help!

drb06
Joomla! Intern
Joomla! Intern
Posts: 83
Joined: Thu Apr 27, 2006 2:54 am

Re: where should I turn off magic quotes?

Post by drb06 » Tue Sep 12, 2006 9:25 pm

Thanks and sorry for asking such a redundant question. I am learning all these new stuff and my search capabilities in joomla.org weren't quite good enough to pull the answer and hence I posed the question.

Thanks so much again,

drb

User avatar
tj.baker
Joomla! Enthusiast
Joomla! Enthusiast
Posts: 231
Joined: Tue Feb 14, 2006 6:23 am

Re: where should I turn off magic quotes?

Post by tj.baker » Wed Sep 13, 2006 6:55 pm

I am totally confused on this issue, and I am going to write my confusion here instead of creating a new thread...... so someone please respond!  :)

I thought that the recomendation is for magic quotes to be turned on??

If this is correct, and my host will not do it for me, how do I accomplish this?

I set the line (php_flag magic_quotes_gpc on) in .htaccess.... now what?

peace,

tj

User avatar
Hackwar
Joomla! Virtuoso
Joomla! Virtuoso
Posts: 3788
Joined: Fri Sep 16, 2005 8:41 pm
Location: NRW - Germany
Contact:

Re: where should I turn off magic quotes?

Post by Hackwar » Wed Sep 13, 2006 9:00 pm

god doesn't play dice with the universe. not after that drunken night with the devil where he lost classical mechanics in a game of craps.

Since the creation of the Internet, the Earth's rotation has been fueled, primarily, by the collective spinning of English teachers in their graves.

User avatar
tj.baker
Joomla! Enthusiast
Joomla! Enthusiast
Posts: 231
Joined: Tue Feb 14, 2006 6:23 am

Re: where should I turn off magic quotes?

Post by tj.baker » Wed Sep 13, 2006 10:09 pm

Thank you Hackwar,

I read everything, and followed the recomended steps for magic quotes, adding the line in .htaccess as well as php.ini.

I still get a message from J! that magic quotes is set to "off" and should be "on".

This is what my host recomends to turn it on:

"For that you would need to compile your own version of PHP, and thus
modify the php.ini file as needed. Here are instructions:
http://wiki.dreamhost.com/index.php/Installing_PHP5"

Am I going ot have to compile my own freakin' version of PHP on the server?  If so, this is getting rediculous....  :P

I have enjoyed learning everything I have learned since discovering J!...... however, I do not currently have the time to spend on compiling PHP just to change one setting.....

I sure hope there's another solution....  :)

Thanks for the help!

peace,

tj

User avatar
Hackwar
Joomla! Virtuoso
Joomla! Virtuoso
Posts: 3788
Joined: Fri Sep 16, 2005 8:41 pm
Location: NRW - Germany
Contact:

Re: where should I turn off magic quotes?

Post by Hackwar » Wed Sep 13, 2006 10:16 pm

You have basically three options:
1. Adjust the setting. When it does not work:
2. Change your hosting provider or
3. leave it as it is. When you've read my text, you know what MAgic Quotes is for and if you're lucky, your extensions are coded correctly. The risk thats coming with MQ turned off is acceptable. It would be a nice addition but its no 100% must.
god doesn't play dice with the universe. not after that drunken night with the devil where he lost classical mechanics in a game of craps.

Since the creation of the Internet, the Earth's rotation has been fueled, primarily, by the collective spinning of English teachers in their graves.

User avatar
DesignGuy
Joomla! Explorer
Joomla! Explorer
Posts: 263
Joined: Sat Sep 02, 2006 9:33 pm
Location: Chicago, USA
Contact:

Re: where should I turn off magic quotes?

Post by DesignGuy » Thu Oct 11, 2012 3:23 pm

I'll add that php 5.4.7 actually solves this issue, BUT make sure you're aware FIRST that if you change this setting at a server-level, and you have other domains on the server which are NOT being powered by Joomla! 3.x, they will be affected as well.

From personal experience (just tried it this morning, to see what would happen), sites powered by Joomla 2.5 are not compatible with php 5.4.7 in its default settings. You end up with one big mess. So, I reverted back to safer ground, running php 5.3.1.

Ah, the wonder of it all! :)
John Coonen
Host, CMS Expo Learning & Business Conference - http://CMSExpo.net
Managing Director, The CMS Connection - http://CMSConnection.com
Co-founder, JoomlaChicago

User avatar
DesignGuy
Joomla! Explorer
Joomla! Explorer
Posts: 263
Joined: Sat Sep 02, 2006 9:33 pm
Location: Chicago, USA
Contact:

Re: where should I turn off magic quotes?

Post by DesignGuy » Thu Oct 18, 2012 11:25 pm

(removed)
Last edited by DesignGuy on Thu Oct 18, 2012 11:53 pm, edited 2 times in total.
John Coonen
Host, CMS Expo Learning & Business Conference - http://CMSExpo.net
Managing Director, The CMS Connection - http://CMSConnection.com
Co-founder, JoomlaChicago

User avatar
mandville
Joomla! Master
Joomla! Master
Posts: 15149
Joined: Mon Mar 20, 2006 1:56 am
Location: The Girly Side of Joomla in Sussex

Re: where should I turn off magic quotes?

Post by mandville » Thu Oct 18, 2012 11:41 pm

Please post in the joomla forums this forums are for joomla 1.0 only
HU2HY- Poor questions = Poor answer
Un requested Help PM's will be reported, added to the foe list and possibly just deleted
{VEL Team Leader}{TM Auditor }{ Showcase & Security forums Moderator}

riyosakura
Joomla! Fledgling
Joomla! Fledgling
Posts: 3
Joined: Sat May 25, 2013 5:46 am

Re: where should I turn off magic quotes?

Post by riyosakura » Sat May 25, 2013 6:33 am

I don't know how to turn off magic quotes...
but maybe this can help you to get rid of those problems...
3rdlion wrote:I decided to move this into its own thread. Hopefully this saves some other people time in getting their Joomla 3.0 site up and running.

Preamble
I've been seeing quite a few questions relating to Magic Quotes needing to be turned off in order to install Joomla 3.0 Many of the responses ask you to alter the php.ini or edit other high level server config.

All of this unnecessary server tinkering is just madness!
You can't even install Joomla 3.0 without turning off Magic Quotes.
And its these kind of UX blocks that put Joomla so far backwards it's not even funny.

In many cases altering php.ini is just not possible (shared hosting etc).
Magic Quotes Enable sites have existed no problem alongside Anti Magic Quotes sites, so what changed in Joomla 3.0? Why should you alter your server config?

With some careful editing, you can turn the clock back to the way things used to be and use Joomla 3.0 with Magic Quotes turned ON!

Here's how to do it:
PART 1
  • Step 1 Download the latest Joomla 3.0
  • Step 2 Extract the files on your server
  • Step 3 Open your favourite PHP editor
  • Step 4 Navigate and open installation/models/setup.php
  • Step 5 Scroll down to find line 234

Code: Select all

// Check for magic quotes gpc.
$option = new stdClass;
$option->label  = JText::_('INSTL_MAGIC_QUOTES_GPC');
$option->state  = (ini_get('magic_quotes_gpc') == false);
$option->notice = null;
$options[] = $option;
  • Step 6 Comment out the code above and save the file
Now you can install Joomla 3.0 no problem.
IMPORTANT
However, Magic Quotes and Joomla's new special character escaping will cause duplicate escaping when editing/creating content. This renders anything that's not plain text incorrectly. So, we need to add one small condition to the core (this used to exist pre Joomla 3.0)
PART 2
  • Step 1 Navigate and open libraries/joomla/filter/input.php
  • Step 2 Scroll down to find line 261

Code: Select all

public function clean($source, $type = 'string')
{
	// Handle the type constraint
	switch (strtoupper($type))
	{...
	}
	// -- ADD THIS CODE HERE
	// Handle magic quotes compatibility
	if(get_magic_quotes_gpc()) $result = self::_stripSlashesRecursive($result);
}
  • Step 3 Add the code marked above to the clean function
  • Step 4 You may have noticed we're only running this when Magic Quotes is set to ON and referring to a new function called _stripSlashesRecursive. Now, we need to add that function to the class.
    Scroll to line 755 and add the following function:

Code: Select all

/**
 * Strips slashes recursively on an array.
 *
 * @param   array  $value  Array or (nested arrays) of strings.
 *
 * @return  array  The input array with stripslashes applied to it.
 *
 * @deprecated  12.1 - Sanctioned on 2012-10-09 thanks to Anton Wintergerst
 * @since       11.1
 */
protected static function _stripSlashesRecursive($value)
{
    $value = is_array($value) ? array_map(array('JFilterInput', '_stripSlashesRecursive'), $value) : stripslashes($value);
    return $value;
}
If you want to learn about why Joomla is trying to force us to disable Magic Quotes then check out this link:
http://www.php.net/manual/en/security.m ... whynot.php

veivei
Joomla! Fledgling
Joomla! Fledgling
Posts: 3
Joined: Fri Feb 23, 2007 8:03 pm

Re: where should I turn off magic quotes?

Post by veivei » Mon May 27, 2013 2:02 am

None of this work for me. And this is taking so much effort for a noob like me. Joomla shouldn't release this fail 3.0 version.


Locked

Return to “Security - 1.0.x”