Skip to content


Subversion checkout URL

You can clone with HTTPS or Subversion.

Download ZIP


magic_quotes_gpc and JSON #1

alixaxel opened this Issue · 3 comments

1 participant


In PHP 5.3+ and when magic_quotes_gpc is "On" control characters also get their slashes removed.

This issue might be solved by either double escaping control characters prior to calling json_decode(), or, by dropping the current JSON magic quotes removal strategy altogether.

@alixaxel alixaxel was assigned

Double escaping can be done with the following str_replace():

$_GET = json_decode(stripslashes(str_replace(array('\\0', '\\a', '\\b', '\\f', '\\n', '\\r', '\\t', '\\v'), array('\\\0', '\\\a', '\\\b', '\\\f', '\\\n', '\\\r', '\\\t', '\\\v'), json_encode($_GET, JSON_HEX_APOS | JSON_HEX_QUOT))), true);
$_POST = json_decode(stripslashes(str_replace(array('\\0', '\\a', '\\b', '\\f', '\\n', '\\r', '\\t', '\\v'), array('\\\0', '\\\a', '\\\b', '\\\f', '\\\n', '\\\r', '\\\t', '\\\v'), json_encode($_POST, JSON_HEX_APOS | JSON_HEX_QUOT))), true);
$_COOKIE = json_decode(stripslashes(str_replace(array('\\0', '\\a', '\\b', '\\f', '\\n', '\\r', '\\t', '\\v'), array('\\\0', '\\\a', '\\\b', '\\\f', '\\\n', '\\\r', '\\\t', '\\\v'), json_encode($_COOKIE, JSON_HEX_APOS | JSON_HEX_QUOT))), true);
$_REQUEST = json_decode(stripslashes(str_replace(array('\\0', '\\a', '\\b', '\\f', '\\n', '\\r', '\\t', '\\v'), array('\\\0', '\\\a', '\\\b', '\\\f', '\\\n', '\\\r', '\\\t', '\\\v'), json_encode($_REQUEST, JSON_HEX_APOS | JSON_HEX_QUOT))), true);

Alternatively, the following preg_replace() could be used:

$_GET = json_decode(stripslashes(preg_replace('~\\\(?:0|a|b|f|n|r|t|v)~', '\\\$0', json_encode($_GET, JSON_HEX_APOS | JSON_HEX_QUOT))), true);
$_POST = json_decode(stripslashes(preg_replace('~\\\(?:0|a|b|f|n|r|t|v)~', '\\\$0', json_encode($_POST, JSON_HEX_APOS | JSON_HEX_QUOT))), true);
$_COOKIE = json_decode(stripslashes(preg_replace('~\\\(?:0|a|b|f|n|r|t|v)~', '\\\$0', json_encode($_COOKIE, JSON_HEX_APOS | JSON_HEX_QUOT))), true);
$_REQUEST = json_decode(stripslashes(preg_replace('~\\\(?:0|a|b|f|n|r|t|v)~', '\\\$0', json_encode($_REQUEST, JSON_HEX_APOS | JSON_HEX_QUOT))), true);

Fixed in version 1.4.21.

@alixaxel alixaxel closed this

Since the magic_quotes_gpc also affects some built-in functions (namely parse_str(), addslashes() and stripslashes()) this logic has been replaced by the recursive phunction::Voodoo() method, which is also called in the phunction::__construct() for the $_GET, $GLOBALS['_PUT'], $_POST, $_COOKIE and $_REQUEST superglobals.

phunction::Voodoo() should also be called once on the return value of any other affected function - specially parse_str().

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Something went wrong with that request. Please try again.