-
Hmm, OK well my host doesn't explicitly say I can have a php.ini - they don't explicitly say I can't either, but .htaccess in the folder works, and they do explicitly allow full use of .htaccess files.
I can experiment with php.ini - as I imagine there would be lots of uses for that. When you say the root of the site, do you mean the public or private root?
I'm not so sure I want magic quotes gpc off for this though; it does allow for cross-site scripting. I don't think anything directly bad could happen, but a clever person could make a page of any kind look like it's on my domain. That might get me into trouble with my host. So I deleted the .htaccess file. That worked too, the quotes are back on. It's good to know about all that for future reference.
I checked the phpinfo() page; magic quotes runtime is already off and so is the one you didn't mention, the sybase one.
It wouldn't even have gpc on except that it's 5.2.17 and I guess that's the default or for backward compatibility reasons.
-
It's your choice, but there's really no debate about this: magic quotes is bad, so it should be disabled. It's true that it might cause some backward compatibility issues, but it's better to fix the bad code (or in those cases enable it).
Regarding anyone adding content to your site, that's a separate issue entirely.
Note that you can (and in some cases should) mimic the behavior of magic quotes - in some cases, you want to escape quotes, and that's perfectly fine. But what you don't want is to have it done automatically on everything because it will be confusing, and you'll have lots of forward compatibility issues (which are harder to fix, not to mention more important, than backward compatibility, I think). So disabling magic quotes doesn't prevent anything - it just turns off escaping as an arbitrary default for everything.
Regarding php.ini, it can be in different places. But it's almost certainly going to be in a private location (somewhere under the HTML directory). You'd have to check with your host.
You can use .htaccess effectively here. There's no real need for php.ini if you can't use it. php.ini is just lower level, so it means a little less processing I think. But it's not a problem realistically.
And if you put it in the .htaccess file for the root of your site (HTML root, in this case) you won't have to worry about it again.
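The approach described in the post above (no blanket escaping, escape where a value is actually used), as an added example that is not part of the original thread: it undoes magic quotes when the server still has them on, then escapes once per output context. The function names, the sample comment and the in-memory SQLite table are assumptions made for illustration.

```php
<?php
// Added example (not from the thread). Function names are hypothetical.

// Recursively strip the backslashes magic quotes added.
// Arrays appear for form fields named like "tags[]".
function undo_magic_quotes($value)
{
    if (is_array($value)) {
        return array_map('undo_magic_quotes', $value);
    }
    return is_string($value) ? stripslashes($value) : $value;
}

// get_magic_quotes_gpc() was removed in PHP 8, so check that it exists first.
function magic_quotes_active()
{
    return function_exists('get_magic_quotes_gpc') && @get_magic_quotes_gpc();
}

// Normalize input once, so the rest of the code sees the same raw data
// whether the host has magic_quotes_gpc on or off.
if (magic_quotes_active()) {
    $_GET     = undo_magic_quotes($_GET);
    $_POST    = undo_magic_quotes($_POST);
    $_COOKIE  = undo_magic_quotes($_COOKIE);
    $_REQUEST = undo_magic_quotes($_REQUEST);
}

// Constructed sample value standing in for $_POST['comment'].
$comment = "O'Reilly says <b>hi</b>";

// HTML context: encode markup characters when the value is printed.
// Backslash-escaping quotes does nothing for < and >.
echo htmlspecialchars($comment, ENT_QUOTES, 'UTF-8'), "\n";

// SQL context: bind the value as a parameter instead of relying on
// added backslashes. In-memory SQLite (pdo_sqlite) keeps this offline.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE comments (body TEXT)');
$stmt = $db->prepare('INSERT INTO comments (body) VALUES (?)');
$stmt->execute(array($comment));

// The stored value is the original text, with no stray backslashes.
echo $db->query('SELECT body FROM comments')->fetchColumn(), "\n";
```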
-
Right - the public_HTML/ or whatever it's called on your host. If it 'works,' it's safe to assume that you're 'allowed' to use it.