Skip to content

Magic quotes error outputted to the front-end even though disabled #2447

Closed
jaydenseric opened this Issue Sep 23, 2013 · 11 comments

8 participants

@jaydenseric

On 2 production servers with 2 different SilverStripe 3.1 sites we are getting the ugly error:

Warning: get_magic_quotes_gpc support is being removed from Silverstripe. Please set this to off in your php.ini and see http://php.net/manual/en/security.magicquotes.php

Running phpinfo() in the site root shows all magic quotes settings are off.

This message originates here: https://github.com/silverstripe/silverstripe-framework/blob/3.1/core/Constants.php#L141

It seems to be the check if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) { ... } is not reliable.

Oddly magic quotes is checked for using a different technique (ini_get()) here: https://github.com/silverstripe/silverstripe-framework/blob/3.1/dev/install/install.php5#L493

Is this a better approach? I don't know. This is only happening on production servers we do not have control of so testing this is not easy.

To make the message go away we commented out the trigger_error( ... ). Editing the core like this sucks though as we use Git submodules along with Beanstalk auto deployments. We would now have to version all of /framework/ in our repo.

@purplespider

I've just come across this issue too. The error persists even after confirming that magic_quotes_gpc is off via phpinfo(). Any solution other than "hacking the core"?

@hafriedlander
SilverStripe Ltd. member

I'm not sure how reliable phpinfo() is - especially given the alternative is that get_magic_quotes_gpc() isn't reliable (they're both core functions).

Can you create a test.php file on the server like

<?php
print_r($_GET)
?>
<form action="test.php" method="get">
  <input type="text" name="test" />
  <input type="submit" />
</form>

Then hit it, submit a value to the form with single quotes in it (like O'Reilly), then view source & see if the single quote is escaped or not?

(If it isn't escaped, and get_magic_quotes_gpc() is returning incorrect results, I'm not sure what the alternative would be - ini_get() isn't likely to be reliable).

@simonwelsh

I've seen this problem before. It turned out that magic_quotes is off in the site root (where the phpinfo() is) but on in the framework folder (where script execution happens).

@jaydenseric

@simonwelsh I ended up passing this issue to a colleague. From memory this is what he found, it was on in the framework folder but not the root.

@purplespider

Ah yes. You're both correct. Hamish: that test file correctly doesn't escape the quote, but as soon as I move it into a subfolder a slash appears.

In my instance this has occurred on a client's host, rather than my own server where I full control of php.ini, so for this account I've added a custom php.ini file to the root, but obviously it's only applying to the root and not the sub directories. Need to find out why.

So looks like this issue can be closed?

@simonwelsh simonwelsh closed this Mar 13, 2014
@digital360

As @jaydenseric stated, we had a similar issue. The way we resolved it was to place a php.ini file within framework/ to override magic quotes, or anything else really.

As the application runs via framework/main.php, not index.php this would be the reason why it's not getting applied. Of course, this only applies if you have re-writes enabled for .htaccess, otherwise your application will run via index.php.

Not ideal, but it fixed the issue temporarily.

@purplespider

Thanks @digital360 that makes sense. And putting a copy of my custom php.ini file in the framework dir solved it.

@nimeso
nimeso commented Mar 6, 2015

@digital360 @jaydenseric I'm still having this issue even though I have created a custom php.ini inside framework :( I'm getting a javascript error in my javascript console and can't use the CMS.

php.ini

magic_quotes_gpc = off
magic_quotes_runtime = Off
magic_quotes_sybase = Off
date.timezone = Pacific/Auckland
upload_max_filesize = 100M
post_max_size = 100M
memory_limit = 512M

---- error ----
Warning: get_magic_quotes_gpc support is being removed from Silverstripe. Please set this to off in your php.ini and see http://php.net/manual/en/security.magicquotes.php in /home/ar37com/public_html/framework/core/Constants.php on line 143



Warning: ini_set() [ref.outcontrol]: Cannot change zlib.output_compression - headers already sent in /home/ar37com/public_html/framework/thirdparty/tinymce/tiny_mce_gzip.php on line 164



Warning: Cannot modify header information - headers already sent by (output started at /home/ar37com/public_html/framework/core/Constants.php:143) in /home/ar37com/public_html/framework/thirdparty/tinymce/tiny_mce_gzip.php on line 177



Warning: Cannot modify header information - headers already sent by (output started at /home/ar37com/public_html/framework/core/Constants.php:143) in /home/ar37com/public_html/framework/thirdparty/tinymce/tiny_mce_gzip.php on line 178



Warning: Cannot modify header information - headers already sent by (output started at /home/ar37com/public_html/framework/core/Constants.php:143) in /home/ar37com/public_html/framework/thirdparty/tinymce/tiny_mce_gzip.php on line 179



Warning: Cannot modify header information - headers already sent by (output started at /home/ar37com/public_html/framework/core/Constants.php:143) in /home/ar37com/public_html/framework/thirdparty/tinymce/tiny_mce_gzip.php on line 180

var tinyMCEPreInit={base:'/framework/thirdparty/tinymce',suffix:''};(function(e){var a=/^\s|\s$/g,b,d="B".replace(/A(.)|B/,"$1")==="$1";var c=
.....

@robpetreski

@nimeso - It appears you're on a shared hosting environment, you need to make sure your hosting provider supports overriding php settings via your application. If not, you might have to contact them. Also, I'd try overriding within the .htaccess file using:

php_flag magic_quotes_gpc Off

@nimeso
nimeso commented Mar 12, 2015

@daOutlawz Still no luck at all with this one :( I talked to the hosting company and they said to try putting the php.ini file in the cms (I've now got php.ini files everywhere! lol) Still no luck at all and the hosting company is saying it's the frameworks fault... sigh :( anyone got any ideas?

@dhensby
SilverStripe Ltd. member
dhensby commented Mar 12, 2015

@nimeso It's a hosting configuration problem and it's something they should be able to advise you how to turn off.

Also, the errors are just warnings so you should be able to turn those off too.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Something went wrong with that request. Please try again.