1. Some settings to set off

1.1 register_global

Why has it to be off ?


1.2 magic_quote_gpc

Why has it to be off ?

The purpose of magic quoting is to prevent malicious code to be executed when you use datas from superglobals in sql statements, or in system, popen and other things like that

Why is it a bad idea to do that ? Well, when you print datas taken from a web form on a dynamic page, you have to escape html entities to avoid script attacks, and other malicious code injection. But do you run htmlentities on all your superglobals ? of course not !

2. What should I do then ?

2.1 I have no access to php.ini or .htacess, how can I revert quoting ?

For this case, of if you want your program to be magic_quote_gpc safe, you can use at the top of your pages the function below :

if (get_magic_quotes_gpc()) { // we do nothing if magic quotes off

    /** remove magic quotes from an array.
     * this function operate on a reference on an array for efficiency
function rm_magic_quotes(&$array) {
        foreach (
$array as $k => $v) {
            if (
is_array($v)) {
            } else {
$array[$k] = addslashes($v);
// remove slashes (but not $_GLOBALS or $_SESSION !)

2.2 Security policy wrt. php vars

PHP vars should not be trusted at all, you have to escape them a lot. But you can need quote escaping for sql statements, entities escaping for hypertext generation, ...

A good security policy is to apply by default the safer treatment, and to disable it for special cases. How to achieve that ?

But consider that doing sth like a : htmlentities(escape(...)) on every php var is inefficient, and is a bad design. Security has to be used where it applies. Classical escaping sucks for html purpose, and you doesn't need to escape entities for sql statements.